NTLDR


NTLDR is the boot loader for all releases of Windows NT from 1993 with the release of Windows NT 3.1 up until Windows XP and Windows Server 2003. From Windows Vista onwards it is replaced by Windows Boot Manager.
NTLDR is typically run from the primary storage device, but it can also run from portable storage devices such as a CD-ROM, USB flash drive, or floppy disk. NTLDR can also load a non NT-based operating system given the appropriate boot sector in a file.
NTLDR requires, at a minimum, the following two files to be on the system volume:
  • , the main boot loader itself
  • , required for booting an NT-based OS, detects basic hardware information needed for successful boot
An additional important file is, which contains boot configuration. On non-English versions of NTLDR, it may also load bootfont.bin; this is not the case for BOOTMGR.
NTLDR is launched by the volume boot record of system partition, which is typically written to the disk by the Windows or command.

History

Windows NT was originally designed for ARC -compatible platforms, relying on its boot manager support and providing only osloader.exe, a loading program accepting ordinary command-line arguments specifying Windows directory partition, location or boot parameters, which is launched by an ARC-compatible boot manager when a user chooses to start a specific Windows NT operating system. However, because IBM PC compatible machines lacked any kind of ARC support, an additional layer was added specifically for that platform: a custom boot manager code presenting a text-based menu allowing the user to choose from one or more operating systems and its options configured in a configuration file, prepended by a special StartUp module which is responsible for some preparations such as switching the CPU to protected mode.
When a user chooses an operating system from the boot menu, the following command-line arguments are then passed to the part of the osloader.exe common to all processor architectures:
Versions of NTLDR aside from the x86 IA-32 architecture were also used; an IA-64 version of NTLDR was used in all versions of Windows XP 64-Bit Edition while an x86-64 version of NTLDR was used in Windows XP Professional x64 Edition.
In Windows releases starting from Windows Vista and Windows Server 2008, NTLDR was split off into two parts: Windows Boot Manager for the boot manager and winload.exe for the system loader. The boot manager part has been completely rewritten; it no longer uses as a configuration file, although the bootcfg utility for modifying is still present in the case of multi-boot configurations with Windows versions up to Windows XP and Windows Server 2003.

Command-line interface

The bootsect.exe utility program in the Windows PE tools has options and /nt60 ) to store a NTLDR or Vista boot record in the first sector of a specified partition. The command can be used for FAT and NTFS based file systems. It replaces the FixFAT and FixNTFS tools.

Example

The following example applies the NTLDR compatible master boot code to the D: volume:

C:\>bootsect /nt52 D:

Startup process

When a PC is powered on its BIOS follows the configured boot order to find a bootable device. This can be a harddisk, floppy, CD/DVD, network connection, USB-device, etc. depending on the BIOS. In the case of a floppy the BIOS interprets its boot sector as code, for NTLDR this could be a NTLDR boot sector looking for the ntldr file on the floppy. For a harddisk the code in the Master Boot Record determines the active partition. The code in the boot sector of the active partition could then be again a NTLDR boot sector looking for ntldr in the root directory of this active partition. In a more convoluted scenario the active partition can contain a Vista boot sector for the newer Vista boot manager with an entry pointing to another partition with a NTLDR boot sector.
When booting, the loader portion of NTLDR does the following in order:
  1. Accesses the file system on the boot drive.
  2. If Windows was put in the hibernation state, the contents of hiberfil.sys are loaded into memory and the system resumes where it left off.
  3. Otherwise, reads and prompts the user with the boot menu accordingly.
  4. If a non NT-based OS is selected, NTLDR loads the associated file listed in and gives it control.
  5. If an NT-based OS is selected, NTLDR runs ntdetect.com, which gathers information about the computer's hardware.
  6. Starts ntoskrnl.exe, passing to it the information returned by ntdetect.com.

    boot.ini

NTLDR's first action is to read the file. It allows the user to choose which operating system to boot from at the menu. For NT and NT-based operating systems, it also allows the user to pass preconfigured options to the kernel. The menu options are stored in, which itself is located in the root of the same disk as NTLDR. Though NTLDR can boot DOS and non-NT versions of Windows, cannot configure their boot options.
For NT-based OSs, the location of the operating system is written as an ARC path. bootsect.dos is the boot sector loaded by NTLDR to load DOS, or if there is no file specified when loading a non NT-based OS.
is protected from user configuration by having the following file attributes: system, hidden, read-only. To manually edit it, the user would first have to remove these attributes.
A more secure fashion to edit the file is to use the bootcfg command from a console. bootcfg will also relock the file. Additionally, the file can be edited within Windows using a text editor if the folder view option "Show hidden files and folders" is selected, the folder view option "Hide protected operating system files" is unchecked, and the "Read-only" option is unchecked under the file's properties. Extreme caution should be taken when modifying, as erroneous information can result in an OS that fails to boot.

Example

An example of a file, extracted from a working Windows XP Professional installation:

timeout=30
default=multidiskrdiskpartition\WINDOWS
multidiskrdiskpartition\WINDOWS="Microsoft Windows XP Professional" /fastdetect

Note: If the boot loader timeout option in is set to 0, the NTLDR boot menu does not appear. This happens especially on multi-booted systems; the boot menu also does not appear when only one operating system is installed, like the example above, even if the timeout option is set into any other value other than 0.

NT kernel switches

Note: Unless otherwise stated, the following kernel switches apply to both Windows XP and Windows Server 2003 as well as prior versions of Windows NT.
  • ' Option used only on 32-bit x86-based systems that allocates 3 GB for the user-mode address space and 1 GB for the system-mode address space. It is intended for programs that can take advantage of the additional memory address space, such as certain Windows Server 2003 and Microsoft Exchange Server 2003 configurations. Activating this option however may break VMR-9 video; it may also cause audio problems with certain Sound Blaster X-Fi sound cards due to the way that Creative's drivers handle memory over 2 GB.
  • ' Starts Windows in "VGA mode", where a VGA-compatible display driver is used with a 16-color, resolution. This can be used to recover from configuration problems with certain display drivers; the switch can be used in conjunction with the switch to help diagnose display driver failures on startup.
  • ' Specifies the baud rate for the debug port used by the kernel debugger, overriding the default value. Enabling this option under automatically enables kernel debugging with the switch.
  • ' Writes a log of the boot process to the file for diagnostic purposes. It is set by default for certain Safe Mode options.
  • ' Displays a custom 16-color bitmap instead of the default graphical boot screen on startup. This file is located in and is named. It is used in conjunction with the switch; the custom bitmap will not display properly without it.
  • ' Makes the system halt at a breakpoint within the hardware abstraction layer. Causes a stop error if a debugger is not used.
  • ' Decreases the amount of memory that Windows can use.
  • ' Used when debugging through the IEEE 1394 port IEEE 1394 ports for use with debugging.
  • ' Disables Data Execution Prevention support.
  • ' Disables serial and bus mouse detection in. Otherwise serial and bus mouse detections are performed if is excluded. Set by default on Windows 2000 onwards.
  • ' Sets a different HAL to use.
  • ' Makes the HAL set hardware interrupts to only the highest numbered processor on multiprocessor systems.
  • ' Sets a different kernel image to use.
  • ' Sets the maximum amount of memory that Windows can use. does not account for memory leaks; is recommended for those use cases instead.
  • ' Option used for Windows PE. Changes the key in the Windows Registry to be non-persistent so that any changes made to the key are not saved when the system shuts down.
  • ' Disables debugging at the kernel level.
  • ' Sets Data Execution Prevention settings, applies to 32-bit and 64-bit CPUs with the NX bit.
  • * ' Enables DEP for core system images and those specified in the DEP configuration dialog.
  • * ' Enables DEP for all images except those specified in the DEP configuration dialog.
  • * ' Enables DEP on all images.
  • * ' Disables DEP.
  • ' Disables the graphical boot screen on startup, only displaying device driver names as they are loaded, similar to. It can be used in conjunction with to diagnose device driver failures on startup. It is set by default for certain Safe Mode options.
  • ' Disables Physical Address Extension support.
  • ' Disables serial mouse detection in. Replaced with on Windows 2000 onwards.
  • ' Specifies the number of processors used in a multiprocessor system. Can be used to troubleshoot performance issues and defective CPUs.
  • ' Makes Windows use only one processor in a multiprocessor system, similar to using.
  • ' Enables Physical Address Extension support.
  • ' Locks IRQ settings used by PCI devices to the ones set by the computer's BIOS.
  • ' Specifies a path to the System Disk Image file.
  • ' Enables Emergency Management Services. Only available in Windows XP onwards.
  • ' Sets Safe Mode settings.
  • * Safe Mode Default: Uses a minimal set of device drivers and services to start Windows.
  • * Safe Mode with Networking Default mode together with the drivers necessary to load networking.
  • * Safe Mode with Command Prompt Default mode, except that Cmd.exe starts instead of Windows Explorer.
  • * Windows in Directory Services Restore Mode Performs a directory service repair.
  • ' Option used for Windows XP Embedded. Allows booting a RAM image from a System Disk Image file.
  • ' Displays device driver names on startup. Also changes the graphical boot screen to the one seen when is run on startup in Windows 2000 onwards, showing operating system information in a similar manner to Windows NT 4.0. Can be used in conjunction with the switch to help diagnose display driver failures on startup. It is set by default for certain Safe Mode options.
  • ' Sets the system timer resolution for the HAL.
  • ' Specifies that Windows uses the Power Management Timer timer settings instead of the Time Stamp Counter timer settings if the processor supports the PM_TIMER settings. By default, Windows Server 2003 Service Pack 2 uses the PM timer for all multiprocessor APIC or ACPI HALs. must be enabled for Windows Server 2003 Service Pack 1 and below.
  • ' Option used only on 32-bit x86-based systems that allows applications to be given a larger address space specified by the user, similar to the switch. The aforementioned switch is mandatory when using the switch.
  • ' Allows booting of non-NT versions of Windows using.
  • ' Allows booting of DOS or non-NT versions of Windows using.
  • Overrides the year set by the computer's clock settings. Was used for testing Y2K compliance.