Booting Windows

Boot loader

The boot loader scans the registry for drivers whose start value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driverName) is 0 or 1.

These drivers are loaed into memory in the order that is specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

Loading sub systems

TODO: The value of Required under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.

Determine last boot time

The last time can be determined with systeminfo.exe.

C:\> systeminfo | findstr /c:"System Boot Time:"

Because systeminfo.exe is localized, the text System Boot Time needs to be changed on Windows with a non-English installation language.

Safe booting

When Windows is booted in safe mode, a minimum of functionality is provided:

VGA monitor
No network
Microsoft mouse driver
Minimal set of device drivers

TODO

autochk.exe

The value of ScfValue under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

During boot time, the Service Control Manager (SCM) is started.

Every time the NT kernel initializes, it always turns on the TerminalServer mask in ProductSuite. See the implementation of ExpWatchProductTypeInitialization in minkernel\ntos\ex\exinit.c (ExpSuiteMask is the variable of interest).
Files below %SystemRoot%\servicing\Editions

The creation of the WMI namespaces.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Pressing F8 before the Windows logo is displayed starts Windows in advanced troubleshoot modus.

Determine reason of last shutdown

get-winEvent -filterHashtable @{ LogName = 'System'; Id = 41, 1074, 6006, 6605, 6008; } |
sort-object timeCreated |
format-list Id, LevelDisplayName, TimeCreated, Message

The event 6006 is The Event log service was stopped and indicates a proper system shutdown.