CIS 1110A - Computer Operating Systems and Maintenance
This lesson discusses chapters 14 and 15. Objectives
important to this lesson:
Troubleshooting Windows applications
Slow startup or performance
Application errors and crashes
Windows boot process
Creating bootable media and backups
Using Windows tools on startup issues
Reimaging and reloading Windows
Chapter 14 begins with an overview of the topics it
covers. Its first topic is a quick introduction to what takes
place when a computer running Windows starts. It presents two
parts of any operating system that may be new to you: the shell
and the kernel. We have talked about a shell being the interface
between the OS and the user. Windows is famous for its GUI shell.
(Which sounds kind of disgusting if you read that sentence to
anyone.) The kernel is the part of the OS that
interfaces directly with hardware. There is also
a service/executive layer that interfaces
between the shell and the kernel. In Windows, parts of the kernel
are loaded into the working memory of any computer running it, and
other parts are left in nonvolatile storage until there is a need
to load them. The kernel provides basic access to hardware, calls
other portions of itself (as needed) and runs other parts of the
operating system, including drivers that have been installed for
Current versions of Windows work with a microkernel
that calls other parts of the OS that run in kernel mode.
Windows does that to provide a more modular approach, allowing
essential parts of the kernel to be updated without having to
always update the microkernel itself.
Programs running on Windows systems can run in one of two modes:
Kernel mode is a mode with more privileges, and is
only meant to be used by OS components that are called by
the kernel. The kernel itself always runs in this mode. Kernel mode
allows privileged access to the hardware of the computer.
User mode is how most programs are meant to operate,
passing their hardware requests through the kernel mode programs.
This is illustrated in the figure below, from Wikipedia.
The text also mentions the Hardware Abstraction Layer
(HAL), a major portion of the kernel. The HAL is
a layer between the physical hardware of the computer and the rest
of the operating system. It was designed to hide differences in
hardware and provide a consistent platform on which the kernel is
run, meaning that a program should run the same regardless of your
equipment brand. That isn't quite how things work out, but you get
the idea. The HAL includes hardware-specific code that controls
I/O interfaces, interrupt controllers and multiple processors. It
is matched with the kernel itself, and must be updated if the
kernel is updated.
The author goes into a murky area, giving us some Windows
user profile - data about each user is stored
in a folder named for the user's login ID,
under %SystemDrive%\Users. The data
is organized in a number of subfolders that are collectively
called that user's namespace. The rest of this
section assumes that C: is your %SystemDrive%. (In
Windows systems, SystemDrive is a variable that holds the label
of the drive Windows boots from. Putting percent signs before
and after the variable name means "use the value of this
NTUSER.dat - a hidden file in the folder
named for the user, containing settings for the user, which is
copied to the computer's registry each time the user logs in
C:\Program Files - in a 32-bit
version of Windows, all programs are stored here by
default; in a 64-bit version of Windows, 64-bit
programs are stored here, and 32-bit
programs are stored under C:\Program Files
The next two are kind of horrible. Keep smiling.
Menu\Programs\Startup - this folder typically holds
shortcuts to programs that are meant to run on startup for the named
Menu\Programs\Startup - this folder typically holds
shortcuts to programs that are meant to run for any
user who starts the computer
The author says that you can also put programs in
the two locations above, not just shortcuts.
However, that would mean you would have a rough time updating such
programs, so shortcuts are preferred.
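Since either a shortcut or a program itself can sit in these two folders, it is worth checking what each item actually launches. The PowerShell below is an added example, not from the textbook: it lists both Startup folders for the logged-in user, resolves each shortcut to its target, and reports the target's signature status. The column names are my own choice.

```powershell
# Added example (not from the textbook): list what will auto-run from the
# per-user and all-users Startup folders, resolving shortcuts to real targets.
$shell = New-Object -ComObject WScript.Shell

# The folder locations are taken from Windows itself rather than typed in.
$folders = [ordered]@{
    'Current user' = [Environment]::GetFolderPath('Startup')
    'All users'    = [Environment]::GetFolderPath('CommonStartup')
}

$report = foreach ($scope in $folders.Keys) {
    if (-not $folders[$scope]) { continue }   # folder does not exist on this system
    Get-ChildItem -LiteralPath $folders[$scope] -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            # Default: the item is a program or script placed directly in the folder.
            $kind = 'File placed directly'
            $target = $_.FullName
            $arguments = ''
            if ($_.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName)
                $kind = 'Shortcut'
                $target = $lnk.TargetPath
                $arguments = $lnk.Arguments
            }
            # Signature status of whatever will actually run at logon.
            $signature = if ($target -and (Test-Path -LiteralPath $target)) {
                (Get-AuthenticodeSignature -LiteralPath $target).Status
            } else {
                'TargetMissing'
            }
            [pscustomobject]@{
                Scope     = $scope
                Item      = $_.Name
                Kind      = $kind
                Target    = $target
                Arguments = $arguments
                Signature = $signature
                Modified  = $_.LastWriteTime
            }
        }
}

$report | Sort-Object Scope, Item | Format-List
```

An item you do not recognize, a shortcut whose target is missing, or an unsigned program placed directly in the folder is a good place to start asking questions.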
I was going to mention this sooner,
but Dr. Andrews brings it up on page 760. Programs do not run
until they are loaded into RAM. Once they are loaded and run, they
are called processes. When processes request
more resources from the system, such as starting a print job, the
request and resource allocated is called a thread.
Normally, you can use Task Manager to stop a
process and associated threads. When this does not work, check the
Details tab in Task Manager and find the Process
ID for the process you want to end. (It will not always
be the same number.)
Once you know the bad program's process ID, you can call up a
command line to use the taskkill command. In this
example, I could type this on the command line:
taskkill /PID 3100 /F
This would kill the bluegriffon.exe process which is shown in the
graphic to the right. The syntax is the command itself,
followed by a space, then a forward
slash, and the letters PID, to tell
the command that you are about to tell it a process ID. That is
followed by another space, the process
ID, a final space, and a forward
slash followed by a capital F. The
last part of the command means to do it forcefully,
which is probably necessary if Task Manager couldn't kill the
obnoxious piece of code.
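Because the process ID changes every time a program starts, it helps to look it up at the moment you need it. The PowerShell below is an added example, not from the textbook: it finds the current PID for a program name, shows the file path and parent process so you can confirm it is the right one, and runs the same taskkill command only if you add the -Kill switch. The parameter names are my own.

```powershell
# Added example (not from the textbook). Looks up the current PID for a program
# name, shows what would be ended, and only calls taskkill when -Kill is given.
param(
    [string]$ImageName = 'bluegriffon.exe',  # the process used in the text
    [switch]$Kill
)

$procs = @(Get-CimInstance Win32_Process -Filter "Name = '$ImageName'")
if ($procs.Count -eq 0) {
    Write-Host "No running process named $ImageName"
    return
}

foreach ($p in $procs) {
    # Show enough detail to be sure this is the right process before ending it.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        ProcessId  = $p.ProcessId
        Path       = $p.ExecutablePath
        Started    = $p.CreationDate
        ParentId   = $p.ParentProcessId
        ParentName = $parent.Name
    } | Format-List

    if ($Kill) {
        # Same command as in the text, with the PID filled in from the lookup.
        taskkill /PID $p.ProcessId /F
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "taskkill failed for PID $($p.ProcessId); try an elevated prompt."
        } elseif (Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue) {
            Write-Warning "PID $($p.ProcessId) is still running."
        }
    }
}
```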
On pages 762 through 764, the author lists a lot of tools
and sets of tools found in Windows. You should spend a few minutes
reading these three pages and Googling any terms or explanations
you don't understand. There are some I have never seen before in
the list, which may be true for most of you. The author warns us
that the A+ exam will require you to know multiple ways to open
and use tools from this list. The exercise that follows the list
discusses four of the tools that you are likely to use.
The chapter continues with general advice about troubleshooting a
Talk to the user. Find out what happened,
what will not run, when it happened, what changed since the last
time it worked, and so on. Don't forget to listen to
the user. They may offer something you need to know that you
don't know to ask about.
The usual advice to back up data is given,
which is more comical than helpful in incidents in which the
computer will not start.
Ask the user to demonstrate the problem.
Sometimes the user is mistaken about one of two things: what the
program is supposed to do or how to use it. Then there is the
third possibility, that there is actually something wrong.
Standard Microsoft advice: reboot to see if
it works after you do so. This is one of the things people hate
about help desk calls: they are always asked to restart the
Run Event Viewer and Reliability
Monitor. Event Viewer shows events
in several different log files. Events are tagged with icons
to help you quickly find problems. See what looks
like a possible cause or related event. The log files
listed as important are the Administrative Events,
Application, Security, Setup,
System, and Forwarded Events
logs. It will not be clear to you which log contains which kind
of information until you study Windows more fully. For now, look
in all of them.
Dr. Andrews does not discuss the Reliability Monitor,
but it can show you a number of recent events that may be
sources of trouble. It displays them on a timeline, which can
help diagnose what was not working when the problem started.
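Looking in all of the logs by hand is slow, so here is one way to pull them into a single timeline around the time the user says the problem began. This PowerShell is an added example, not from the textbook; the parameter names and the default time window are my own assumptions.

```powershell
# Added example, not from the textbook. Builds one timeline of problem events
# from the logs named above for a window around the time the user reported.
param(
    [datetime]$ProblemTime = (Get-Date),  # assumed: when the user says it broke
    [int]$HoursBefore = 2,
    [int]$HoursAfter  = 1
)

$start = $ProblemTime.AddHours(-$HoursBefore)
$end   = $ProblemTime.AddHours($HoursAfter)

# Critical (1), Error (2) and Warning (3) events from the ordinary logs.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Application', 'System', 'Setup', 'ForwardedEvents'
    Level     = 1, 2, 3
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue)

# Security log entries are not graded by severity; failures carry the
# Audit Failure keyword instead. Reading this log needs an elevated prompt.
$auditFailure = 4503599627370496   # 0x10000000000000
$events += @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = $auditFailure
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue)

# Oldest first, one line of message text per event.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, LevelDisplayName, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Administrative Events is a saved view in Event Viewer rather than a log of its own, so it is not queried by name here.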
Control Panel contains several Troubleshooting
Applets. Open Control Panel, then
select a category from Programs,
Hardware and Sound, Network and
Internet, or System and Security.
Your interview with the user should give you a hint which
category to open.
Device Manager is mentioned, with the
suggestion that you may want to uninstall and reinstall a
device, which may clear up a software or configuration
malfunction. This can also be helpful if your driver is
corrupted and needs to be reinstalled or updated.
We have discussed malware before. If you
see signs of malware, scan for problems using your chosen
If you suspect that you have some bad RAM
(BSOD while running a large application, reports of bad data),
there is a tool to help. Windows Memory Diagnostics,
also called mdsched.exe, can be started in
Windows by entering its name in the start button search box. It
requires that Windows not be running, so you
get the two options described in the text, and a third option to
cancel the request.
You can also run this tool from the Windows Install media.
If you think a hard drive is going or has gone bad, try
another old DOS tool. Open a command line, and enter chkdsk,
followed by a space, followed by the drive
you want to check, followed by another space,
followed by a forward slash and a lower
case r. If I wanted to check my C: drive, I would
chkdsk c: /r
The /r switch (a switch tells the tool how
to do something) tells chkdsk to try to recover data
from bad files. Warning: this often takes a long time to run on
a "large" drive, and the harvested data may not be of much help.
The author presents a number of ways to run Task
Manager. You should know them:
While running Windows, press Ctrl-Alt-Del,
then use the menu that appears. See the note at the bottom
of page 771 on this one, warning you that you must use a
workaround to send the signal to a virtual machine.
Press Ctrl-Shift-Esc to start Task Manager
In Windows 8 or 10, press Win-X, and see
if Microsoft has removed it from that menu yet. (Rumble,
grumble, razz frazzing...)
The author runs through the various tabs in Task Manager.
Look at each of them and read her insights to get an idea of
what they do.
Sometimes you or a user will install a program that does not
work and play well with others. When this happens, you may need
to open programs one at a time and in different combinations to
determine what programs are in conflict. A tool that helps with
this is msconfig.exe. It has been around for
years, and it has grown new features several times. Run this one
while running Windows by calling its name from the Start Button
Search box. It allows you to access several files that configure
what runs when the system starts Windows, and how you would like
to run the next boot. Look over the exercise on pages 780 and
781, for some details about how to use this tool.
Is the problem with Windows itself? Dr. Andrews suggests that
Install all current updates
Check for file problems with the System File Checker, which
is the DOS command sfc /scannow. If you can't
run it, try running the command line as an administrator. Damaged
files will be updated if you have access to the Internet.
If you can't run sfc, try DISM commands to
repair Windows. However, this only works if you have a local
copy of Windows install media. A possible command
sequence is shown on page 283.
Another thing to try from msconfig.exe is to reboot the
computer in Safe Mode. The options for doing
so are on the Boot tab. This used to be done
by selecting Safe Mode from a hidden menu while the computer was
booting up. This method presumes that you can get to
The author gives us a couple of pages about System
Restore. Sounds great, but it requires you to have
saved a Restore Point, an image of your boot
drive from when it was running normally.
In the remainder of the chapter, Dr. Andrews gives us several
pages about specific problems that occur with some frequency.
Consult this section in particular when doing the Thinking
Critically questions this week.
Chapter 15 goes into detail about
what happens when Windows starts. The introduction from Chapter 14
was not the whole story.
Page 826 begins with some confusion about what power buttons can
do. Let's focus on the idea of two boot types:
A cold boot, also called a hard boot,
begins with the computer completely turned off. There is no
power flowing through the motherboard, except a trickle to allow
a wake signal to be sent through the network to your NIC. The
equipment is "cold".
A warm boot, also called a soft boot,
begins with the computer already running. The equipment is
"warm" from electricity flowing through it. This kind of boot
does not end all processes before restarting.
Technically, a reboot can be either of these types. Given that,
there are other aspects to booting:
Dr. Andrews warns us that the button on the front of a
computer case may be configurable to only generate
a soft boot, if the computer is running, not to shut
off a running computer. This is stupid, don't do it!
Holding it down for a few seconds, however, should
produce a complete shutdown, which can be done
in emergencies. Pressing it once on a computer that is shut down
should start it. However,...
A large toggle switch on the back of the
computer case, as she illustrates on the same page, is not
configurable. It is only an on/off switch. If it is
off, the start button on the front won't do anything. If it is
on, the computer is running, and you turn it off, that is the
most ungraceful way to shut off a computer I can imagine, unless
you want to allow the use of firearms.
Most people who shut down Windows do it from the Start
button, which also offers the choice to do a (warm)
reboot. That seems like enough on this topic.
Dr. Andrews changes the topic to the events that actually happen
when a computer that runs Windows does a cold boot. The table she
offers is not as clear as the flow chart on page 829. The list in
the PowerPoint is pretty good.
In BIOS and UEFI systems, it starts with
checking non-volatile RAM for information about the system. The
information is compared to actual hardware and such on the
BIOS/UEFI runs the Power
On Self Test (POST) - if there is an error here,
expect a beep code to give you a clue.
Startup BIOS looks for a boot
drive, looks for a Master Boot Record
(MBR) on it, looks for an active
partition (with the OS), and loads the master
boot program, bootmgr, reads the BCD
(Boot Configuration Data) store
which tells it where the Windows boot loader
is. (Control now passes to the Windows boot loader.)
In a UEFI system, the UEFI boot manager is
loaded, UEFI device drivers are loaded, UEFI learns where its
version of bootmgr (bootmgfw.efi)
The Windows Boot Manager reads the
BCD and calls the Windows Boot
The Windows boot loader, winload.exe,
loads Windows components. The first is the kernel.
Ntoskrnl.exe (the kernel)
is loaded. It builds a registry key in memory from data in the
HAL and the actual registry. It starts services and Windows
drivers. It then starts Session Manager (Smss.exe)
in user mode.
Session Manager loads the
GUI, and starts a piece needed for networking,
the client/server run-time subsystem (csrss.exe).
Smss.exe starts winlogon.exe,
which is the login manager.
It starts services on the system with services.exe,
the Service Control Manager.
It starts a Local Security Authority (lsass.exe),
which asks the user for ID and password. Userinit.exe is called.
Userinit.exe applies group
policy settings, if there are any. This generally
concerns the user's rights to resources.
Windows finally starts,
showing the desktop to the user.
The text turns to problems that could occur, and actions to avoid
them. Some are pretty obvious.
make backups - I wonder if the author has a
bet on how many times she can say this in her books?
create a system image - this could be used to
clone your computer as of the time and date it was made if
everything goes wrong
configure Windows 8 or 10 to use F8, to access the
advanced startup menu - this menu can be very helpful
in troubleshooting, but it is no longer a default feature; open
a command prompt with admin rights, and use the command shown
create bootable recovery media - if you just
need to recover Windows, this will work better than the saved
image; Dr. Andrews discusses the uses of a Repair Disc and a
Recovery Drive, and reminds us that we can create these with the
Media Creation Tool
Creating a Repair Disc
Creating a Recovery Drive
Creating a System Image
The remainder of the chapter mostly talks about using the tools
discussed above. There are some exercises you may wish to do once
you finish the labs for this week.
Read the chapters for next week.
Complete the assignments and class discussion made in
this module, which are due by 6pm next week.