AI Career Courses
Helpdesk Tier 3: Advanced Endpoint Engineering  /  Module 1: Advanced Troubleshooting & Root Cause Analysis  /  Lesson 2

Advanced Windows internals: boot, registry, services & drivers

Understand how Windows actually boots, loads drivers, and starts services so you can reason about failures instead of guessing. Map the registry control sets and service dependency chains that decide whether a machine reaches the desktop.

Loading video…

What you'll be able to do

  • Trace the Windows boot sequence from firmware through Session Manager to the desktop
  • Explain how the registry HKLM\SYSTEM control sets and LastKnownGood are selected
  • Read a driver's Start type and ErrorControl and predict its effect on boot
  • Map service dependency chains and diagnose a failed dependency
  • Use Autoruns and the boot/setup event logs to find what runs at startup
  • Distinguish a kernel-mode driver fault from a user-mode service failure

The boot sequence, end to end

To diagnose a machine that never reaches the desktop, you must know the order things happen. Firmware (UEFI) hands off to the Windows Boot Manager (bootmgr), which reads the BCD store and starts the Windows OS Loader (winload.efi). The loader pulls in the kernel (ntoskrnl.exe), the HAL, and every Boot-start driver. The kernel initialises, then starts Session Manager (smss.exe) — the first user-mode process. Smss sets up the registry, paging files, and environment, runs autochk, then launches the session leading to Winlogon and the desktop.

If a machine hangs on the spinner, the fault is usually before smss (a Boot/System driver). If it reaches the logon screen and then fails, you are in user-mode service territory.

Control sets and LastKnownGood

The live system configuration lives under HKLM\SYSTEM. Windows keeps multiple numbered control sets and records which is which under HKLM\SYSTEM\Select.

HKLM\SYSTEM\Select\Current        -> e.g. 1  (the ControlSet booted now)
HKLM\SYSTEM\Select\LastKnownGood  -> e.g. 1  (last config that reached logon)
HKLM\SYSTEM\Select\Failed         -> e.g. 2

LastKnownGood is updated to the current set only after a successful interactive logon. That is why “Last Known Good Configuration” can recover a machine that a bad driver just broke — it rolls back to the set that last reached the desktop.

Drivers: Start type and ErrorControl

Every driver and service has a Start type and an ErrorControl value under its Services key:

# Inspect a driver's load behaviour
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\disk' |
  Select-Object Start, Type, ErrorControl, ImagePath

Start: 0 = Boot, 1 = System, 2 = Auto, 3 = Demand, 4 = Disabled. ErrorControl: 0 = Ignore, 1 = Normal, 2 = Severe, 3 = Critical. A Boot-start driver (0) with Critical error control (3) that fails will bugcheck or force a LastKnownGood rollback. A Demand-start driver (3) that fails usually only breaks the feature that needed it. Reading these two numbers tells you whether a fault is a no-boot or a nuisance.

Services and dependency chains

Services start in dependency order under the Service Control Manager (SCM). If service A lists B in DependOnService and B fails, SCM refuses to start A.

# Dump a service's full config including its dependencies
sc.exe qc Netlogon

# List what depends on a given service
Get-Service -Name LanmanWorkstation -DependentServices

A single failed low-level service can cascade into a dozen downstream failures — always trace upstream to the first thing that broke, not the loudest error.

Auditing what actually runs

Autoruns from Sysinternals enumerates every autostart location: drivers, services, Run keys, scheduled tasks, codecs, and more, with signature verification. Use it to spot an unsigned or unexpected driver loading early. Pair it with the boot performance and setup logs:

Get-WinEvent -LogName 'Microsoft-Windows-Diagnostics-Performance/Operational' |
  Where-Object Id -in 100,101,102,103 |
  Select-Object TimeCreated, Id, Message -First 20

Your task

On a test VM, read HKLM\SYSTEM\Select and record which control set is Current and which is LastKnownGood. Pick three drivers and use Get-ItemProperty to list their Start and ErrorControl values; for each, predict in writing what would happen on boot if it failed to load. Run Autoruns, export the list, and identify any unsigned autostart entry. Finally, pick a multi-dependency service (e.g. Netlogon), map its dependency chain with sc.exe qc and Get-Service -DependentServices, and draw the chain.

Check your understanding

6 questions — answer to see instant feedback.

Q1. A driver has Start type 0 (Boot) and ErrorControl 3 (Critical). What happens if it fails to load?
ErrorControl 3 (Critical) forces a bugcheck or LastKnownGood rollback if a load fails; Start 0 means the driver is needed before the kernel finishes initialising, so the system cannot just continue.
Q2. Where does Windows record the control set it actually booted from?
HKLM\SYSTEM\Select holds Current, Default, Failed, and LastKnownGood values that point to the numbered ControlSet the system booted, so you can confirm which configuration is live.
Q3. Service A depends on Service B, which failed to start. Which tool most directly shows you that dependency chain?
sc.exe qc dumps a service's configuration including DependOnService; the Service Control Manager refuses to start a service whose listed dependencies have not started.
Q4. Which Sysinternals tool gives the most complete view of everything configured to run at boot and logon, including drivers, services, and scheduled tasks?
Autoruns enumerates every autostart location — drivers, services, Run keys, scheduled tasks, codecs, more — and can verify signatures, making it the canonical startup-audit tool.
Q5. In one sentence, what does Session Manager (smss.exe) do early in boot?
Answer:Smss.exe is the first user-mode process the kernel starts; it initialises the registry, creates paging files and environment, runs autochk, and launches the session that brings up Winlogon and the user environment.
Knowing smss is the bridge from kernel initialisation to user-mode sessions tells you where to look when a machine reaches the spinner but never the logon screen.
Q6. Why does reading a driver's Start type help you predict boot impact?
Answer:Start type defines when the driver loads (0 Boot, 1 System, 2 Auto, 3 Demand, 4 Disabled); a fault in a Boot or System driver can prevent the machine from ever reaching the desktop, whereas a Demand-start driver fault usually only affects the feature that triggers it.
The earlier in boot a driver loads, the more catastrophic its failure, so Start type tells you whether a driver fault is a no-boot or a feature-level problem.
Ask the AI tutor about this lessonStuck or curious? Ask a question and get a grounded answer.

The tutor answers from this lesson's material and can make mistakes — verify anything important.

Resources