CIS 1110A - Computer Operating Systems and Maintenance

Module 13

This lesson discusses chapters 14 and 15. Objectives important to this lesson:

  1. Troubleshooting Windows applications
  2. Best practices
  3. Slow startup or performance
  4. Application errors and crashes
  5. Removing software
  6. Troubleshooting hardware
  7. Windows boot process
  8. Creating bootable media and backups
  9. Using Windows tools on startup issues
  10. Reimaging and reloading Windows
  11. Current assignments


Chapter 14 begins with an overview of the topics it covers. Its first topic is a quick introduction to what takes place when a computer running Windows starts. It presents two parts of any operating system that may be new to you: the shell and the kernel. We have talked about a shell being the interface between the OS and the user. Windows is famous for its GUI shell. (Which sounds kind of disgusting if you read that sentence to anyone.) The kernel is the part of the OS that interfaces directly with hardware. There is also a service/executive layer that interfaces between the shell and the kernel. In Windows, parts of the kernel are loaded into the working memory of any computer running it, and other parts are left in nonvolatile storage until there is a need to load them. The kernel provides basic access to hardware, calls other portions of itself (as needed) and runs other parts of the operating system, including drivers that have been installed for particular hardware.

Current versions of Windows work with a microkernel that calls other parts of the OS that run in kernel mode. Windows does that to provide a more modular approach, allowing essential parts of the kernel to be updated without having to always update the microkernel itself.

Programs running on Windows systems can run in one of two modes. Kernel mode is a mode with more privileges, and is only meant to be used by OS components that are called by the kernel. The kernel itself always runs in this mode. Kernel mode allows privileged access to the hardware of the computer. User mode is how most programs are meant to operate, passing their hardware requests through the kernel mode programs. This is illustrated in the figure below, from Wikipedia.

The text also mentions the Hardware Abstraction Layer (HAL), a major portion of the kernel. The HAL is a layer between the physical hardware of the computer and the rest of the operating system. It was designed to hide differences in hardware and provide a consistent platform on which the kernel is run, meaning that a program should run the same regardless of your equipment brand. That isn't quite how things work out, but you get the idea. The HAL includes hardware-specific code that controls I/O interfaces, interrupt controllers and multiple processors. It is matched with the kernel itself, and must be updated if the kernel is updated.

The author goes into a murky area, giving us some Windows "vocabulary":

  • user profile - data about each user is stored in a folder named for the user's login ID, under %SystemDrive%\Users. The data is organized in a number of subfolders that are collectively called that user's namespace. The rest of this section assumes that C: is your %SystemDrive%. (In Windows systems, SystemDrive is a variable that holds the label of the drive Windows boots from. Putting percent signs before and after the variable name means "use the value of this variable".)
  • NTUSER.dat - a hidden file in the folder named for the user, containing settings for the user, which is copied to the computer's registry each time the user logs in
  • C:\Program Files - in a 32-bit version of Windows, all programs are stored here by default; in a 64-bit version of Windows, 64-bit programs are stored here, and 32-bit programs are stored under C:\Program Files (x86).
    The next two are kind of horrible. Keep smiling.
  • C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup - this folder typically holds shortcuts to programs that are meant to run on startup for the named user
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup - this folder typically holds shortcuts to programs that are meant to run for any user who starts the computer
The author says that you can also put programs in the two locations above, not just shortcuts. However, that would mean you would have a rough time updating such programs, so shortcuts are preferred.
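Because anything placed in these two folders runs at logon, they are worth reviewing when a machine starts slowly or behaves oddly. The PowerShell below is an added example, not from the textbook or the course: it lists every entry in both Startup folders, resolves each shortcut to its real target, and notes whether the target is signed. It assumes a default Windows profile layout.

```powershell
# Added example: inventory the per-user and all-users Startup folders.
$startupFolders = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),  # current user
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')   # every user
)

$shell = New-Object -ComObject WScript.Shell   # COM object that can read .lnk files

$report = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    $entries = Get-ChildItem -LiteralPath $folder -File -Force |
        Where-Object { $_.Name -ne 'desktop.ini' }

    foreach ($entry in $entries) {
        $isShortcut = $entry.Extension -eq '.lnk'
        if ($isShortcut) {
            $lnk       = $shell.CreateShortcut($entry.FullName)
            $target    = $lnk.TargetPath
            $arguments = $lnk.Arguments
        } else {
            # A program or script placed directly in the folder, not a shortcut
            $target    = $entry.FullName
            $arguments = ''
        }

        $signature = 'TargetMissing'
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            $signature = (Get-AuthenticodeSignature -LiteralPath $target).Status
        }

        [pscustomobject]@{
            Folder     = $folder
            Entry      = $entry.Name
            IsShortcut = $isShortcut
            Target     = $target
            Arguments  = $arguments
            Signature  = $signature
            LastWrite  = $entry.LastWriteTime
        }
    }
}

$report | Format-List
```

Entries where IsShortcut is False, or where Signature is anything other than Valid, are the ones to look at first.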

I was going to mention this sooner, but Dr. Andrews brings it up on page 760. Programs do not run until they are loaded into RAM. Once they are loaded and run, they are called processes. When processes request more resources from the system, such as starting a print job, the request and resource allocated is called a thread.

Normally, you can use Task Manager to stop a process and associated threads. When this does not work, check the Details tab in Task Manager and find the Process ID for the process you want to end. (It will not always be the same number.)

Once you know the bad program's process ID, you can call up a command line to use the taskkill command. In this example, I could type this on the command line:

taskkill /PID 3100 /F

This would kill the bluegriffon.exe process which is shown in the graphic to the right. The syntax is the command itself, followed by a space, then a forward slash, and the letters PID, to tell the command that you are about to tell it a process ID. That is followed by another space, the process ID, a final space, and a forward slash followed by a capital F. The last part of the command means to do it forcefully, which is probably necessary if Task Manager couldn't kill the obnoxious piece of code.
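Since a process ID is not the same from one run to the next, it is worth confirming that the number still belongs to the program you mean before forcing it to end. The PowerShell below is an added example, not from the textbook: the function name Stop-VerifiedProcess is hypothetical, and 3100 and bluegriffon.exe are the values from the example above.

```powershell
# Added example: confirm which program owns a PID before running taskkill /F.
function Stop-VerifiedProcess {
    param(
        [Parameter(Mandatory)] [int]    $Id,            # PID read from the Details tab
        [Parameter(Mandatory)] [string] $ExpectedName   # image name you intend to end
    )

    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $Id"

    if (-not $proc) {
        Write-Warning "No running process has PID $Id. It may already have exited."
        return
    }

    if ($proc.Name -ne $ExpectedName) {
        # The number now belongs to a different program: do not kill it.
        Write-Warning "PID $Id is '$($proc.Name)', not '$ExpectedName'. Nothing was ended."
        return
    }

    # Keep a record of what is about to be ended, and what started it.
    $proc |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine,
                      ParentProcessId, CreationDate |
        Format-List

    # Same command as in the lesson, with the verified PID.
    taskkill /PID $Id /F
}

Stop-VerifiedProcess -Id 3100 -ExpectedName 'bluegriffon.exe'
```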

On pages 762 through 764, the author lists a lot of tools and sets of tools found in Windows. You should spend a few minutes reading these three pages and Googling any terms or explanations you don't understand. There are some I have never seen before in the list, which may be true for most of you. The author warns us that the A+ exam will require you to know multiple ways to open and use tools from this list. The exercise that follows the list discusses four of the tools that you are likely to use.

The chapter continues with general advice about troubleshooting a user's problems.

  • Talk to the user. Find out what happened, what will not run, when it happened, what changed since the last time it worked, and so on. Don't forget to listen to the user. They may offer something you need to know that you don't know to ask about.
  • The usual advice to back up data is given, which is more comical than helpful in incidents in which the computer will not start.
  • Ask the user to demonstrate the problem. Sometimes the user is mistaken about one of two things: what the program is supposed to do or how to use it. Then there is the third possibility, that there is actually something wrong.
  • Standard Microsoft advice: reboot to see if it works after you do so. This is one of the things people hate about help desk calls: they are always asked to restart the computer.
  • Run Event Viewer and Reliability Monitor. Event Viewer shows events in several different log files. Events are tagged with icons to help you quickly find problems. See what looks like a possible cause or related event. The log files listed as important are the Administrative Events, Application, Security, Setup, System, and Forwarded Events logs. It will not be clear to you which log contains which kind of information until you study Windows more fully. For now, look in all of them.
    Dr. Andrews does not discuss the Reliability Monitor, but it can show you a number of recent events that may be sources of trouble. It displays them on a timeline, which can help diagnose what was not working when the problem started.
  • Control Panel contains several Troubleshooting Applets. Open Control Panel, then select a category from Programs, Hardware and Sound, Network and Internet, or System and Security. Your interview with the user should give you a hint which category to open.
    [Figure: Control Panel Troubleshooting Categories]
  • Device Manager is mentioned, with the suggestion that you may want to uninstall and reinstall a device, which may clear up a software or configuration malfunction. This can also be helpful if your driver is corrupted and needs to be reinstalled or updated.
  • We have discussed malware before. If you see signs of malware, scan for problems using your chosen solution.
  • If you suspect that you have some bad RAM (BSOD while running a large application, reports of bad data), there is a tool to help. Windows Memory Diagnostics, also called mdsched.exe, can be started in Windows by entering its name in the start button search box. It requires that Windows not be running, so you get the two options described in the text, and a third option to cancel the request.
    [Figure: Memory Diagnostics]
    You can also run this tool from the Windows Install media.
  • If you think a hard drive is going or has gone bad, try another old DOS tool. Open a command line, and enter chkdsk, followed by a space, followed by the drive you want to check, followed by another space, followed by a forward slash and a lower case r. If I wanted to check my C: drive, I would enter this:

    chkdsk c: /r

    The /r switch (a switch tells the tool how to do something) tells chkdsk to try to recover data from bad files. Warning: this often takes a long time to run on a "large" drive, and the harvested data may not be of much help.
  • The author presents a number of ways to run Task Manager. You should know them:
    • While running Windows, press Ctrl-Alt-Del, then use the menu that appears. See the note at the bottom of page 771 on this one, warning you that you must use a workaround to send the signal to a virtual machine.
    • Press Ctrl-Shift-Esc to start Task Manager directly.
    • In Windows 8 or 10, press Win-X, and see if Microsoft has removed it from that menu yet. (Rumble, grumble, razz frazzing...)
    • The author runs through the various tabs in Task Manager. Look at each of them and read her insights to get an idea of what they do.
  • Sometimes you or a user will install a program that does not work and play well with others. When this happens, you may need to open programs one at a time and in different combinations to determine what programs are in conflict. A tool that helps with this is msconfig.exe. It has been around for years, and it has grown new features several times. Run this one while running Windows by calling its name from the Start Button Search box. It allows you to access several files that configure what runs when the system starts Windows, and how you would like to run the next boot. Look over the exercise on pages 780 and 781, for some details about how to use this tool.
  • Is the problem with Windows itself? Dr. Andrews suggests that you:
    • Install all current updates
    • Check for file problems with the System File Checker, which is the DOS command sfc /scannow. If you can't run it, try running the command line as an administrator. Damaged files will be updated if you have access to the Internet.
    • If you can't run sfc, try DISM commands to repair Windows. However, this only works if you have a local copy of Windows install media. A possible command sequence is shown on page 283.
  • Another thing to try from msconfig.exe is to reboot the computer in Safe Mode. The options for doing so are on the Boot tab. This used to be done by selecting Safe Mode from a hidden menu while the computer was booting up. This method presumes that you can get to msconfig.exe. Okay...
  • The author gives us a couple of pages about System Restore. Sounds great, but it requires you to have saved a Restore Point, an image of your boot drive from when it was running normally.
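The advice above to look in all of the Event Viewer logs can also be followed from a PowerShell prompt, which makes it easier to see which errors repeat. This is an added example, not from the textbook: it summarizes Critical, Error and Warning events from the last day in the Application, System and Setup logs. The one-day window and the top-15 cutoff are arbitrary choices, and the Security log is left out because reading it requires an elevated prompt.

```powershell
# Added example: summarize recent problem events across several logs.
$since = (Get-Date).AddDays(-1)
$logs  = 'Application', 'System', 'Setup'

$events = foreach ($log in $logs) {
    try {
        # Level 1 = Critical, 2 = Error, 3 = Warning
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Level     = 1, 2, 3
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent reports an error when no events match the filter
        Write-Verbose "${log}: $($_.Exception.Message)"
    }
}

$events |
    Group-Object LogName, ProviderName, Id, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name,
        @{ Name = 'Latest'; Expression = {
            ($_.Group | Sort-Object TimeCreated -Descending |
                Select-Object -First 1).TimeCreated } },
        @{ Name = 'FirstLine'; Expression = {
            $message = $_.Group[0].Message
            if ($message) { ($message -split "`r?`n")[0] } } } |
    Format-Table -AutoSize -Wrap
```

Compare the Latest column with the time the user says the trouble began; an event source that first appears around then is a good lead.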

In the remainder of the chapter, Dr. Andrews gives us several pages about specific problems that occur with some frequency. Consult this section in particular when doing the Thinking Critically questions this week.

Chapter 15 goes into detail about what happens when Windows starts. The introduction from Chapter 14 was not the whole story.

Page 826 begins with some confusion about what power buttons can do. Let's focus on the idea of two boot types:

  • A cold boot, also called a hard boot, begins with the computer completely turned off. There is no power flowing through the motherboard, except a trickle to allow a wake signal to be sent through the network to your NIC. The equipment is "cold".
  • A warm boot, also called a soft boot, begins with the computer already running. The equipment is "warm" from electricity flowing through it. This kind of boot does not end all processes before restarting.

Technically, a reboot can be either of these types. Given that, there are other aspects to booting:

  • Dr. Andrews warns us that the button on the front of a computer case may be configurable to only generate a soft boot, if the computer is running, not to shut off a running computer. This is stupid, don't do it! Holding it down for a few seconds, however, should produce a complete shutdown, which can be done in emergencies. Pressing it once on a computer that is shut down should start it. However,...
  • A large toggle switch on the back of the computer case, as she illustrates on the same page, is not configurable. It is only an on/off switch. If it is off, the start button on the front won't do anything. If it is on, the computer is running, and you turn it off, that is the most ungraceful way to shut off a computer I can imagine, unless you want to allow the use of firearms.
  • Most people who shut down Windows do it from the Start button, which also offers the choice to do a (warm) reboot. That seems like enough on this topic.

Dr. Andrews changes the topic to the events that actually happen when a computer that runs Windows does a cold boot. The table she offers is not as clear as the flow chart on page 829. The list in the PowerPoint is pretty good.

  1. In BIOS and UEFI systems, it starts with checking non-volatile RAM for information about the system. The information is compared to actual hardware and such on the system.
  2. BIOS/UEFI runs the Power On Self Test (POST) - if there is an error here, expect a beep code to give you a clue.
  3. Startup BIOS looks for a boot drive, looks for a Master Boot Record (MBR) on it, looks for an active partition (with the OS), and loads the master boot program, bootmgr, which reads the BCD (Boot Configuration Data) store that tells it where the Windows boot loader is. (Control now passes to the Windows boot loader.)

    In a UEFI system, the UEFI boot manager is loaded, UEFI device drivers are loaded, UEFI learns where its version of bootmgr (bootmgfw.efi)
  4. The Windows Boot Manager reads the BCD and calls the Windows Boot Loader.
  5. The Windows boot loader, winload.exe, loads Windows components. The first is the kernel.
  6. Ntoskrnl.exe (the kernel) is loaded. It builds a registry key in memory from data in the HAL and the actual registry. It starts services and Windows drivers. It then starts Session Manager (Smss.exe) in user mode.
  7. Session Manager loads the GUI, and starts a piece needed for networking, the client/server run-time subsystem (csrss.exe).
  8. Smss.exe starts winlogon.exe, which is the login manager.
  9. Winlogon.exe continues:
    It starts services on the system with services.exe, the Service Control Manager.
    It starts a Local Security Authority (lsass.exe), which asks the user for ID and password.
    Userinit.exe is called.
  10. Userinit.exe applies group policy settings, if there are any. This generally concerns the user's rights to resources.
  11. Windows finally starts, showing the desktop to the user.
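The user-mode programs named in steps 6 through 10 are real files that belong in the System32 folder, and a running copy of one of these names from anywhere else deserves a closer look. The PowerShell below is an added example, not from the textbook: it lists the running instances of those names and reports where each was loaded from. It assumes an elevated prompt; without one, some paths cannot be read and are reported as such.

```powershell
# Added example: check where the boot-sequence processes are running from.
$system32 = Join-Path $env:SystemRoot 'System32'
$expected = 'smss.exe', 'csrss.exe', 'winlogon.exe',
            'services.exe', 'lsass.exe', 'userinit.exe'

$all = Get-CimInstance Win32_Process

# Lookup table so each parent PID can be shown as a name
$nameByPid = @{}
foreach ($p in $all) { $nameByPid[[int]$p.ProcessId] = $p.Name }

$bootProcs = $all | Where-Object { $expected -contains $_.Name }

$report = foreach ($p in $bootProcs) {
    if (-not $p.ExecutablePath) {
        $location = 'PathNotReadable'      # protected process, or prompt not elevated
    } elseif ((Split-Path $p.ExecutablePath -Parent) -ieq $system32) {
        $location = 'Expected'
    } else {
        $location = 'UnexpectedLocation'
    }

    $parent = $nameByPid[[int]$p.ParentProcessId]
    if (-not $parent) { $parent = '(exited)' }   # the parent is no longer running

    [pscustomobject]@{
        Name     = $p.Name
        PID      = $p.ProcessId
        Path     = $p.ExecutablePath
        Location = $location
        Parent   = $parent
        Started  = $p.CreationDate
    }
}

# userinit.exe normally exits shortly after logon, so it is often absent here.
$report | Sort-Object Started | Format-Table -AutoSize
```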

The text turns to problems that could occur, and actions to avoid them. Some are pretty obvious.

  • make backups - I wonder if the author has a bet on how many times she can say this in her books?
  • create a system image - this could be used to clone your computer as of the time and date it was made if everything goes wrong
  • configure Windows 8 or 10 to use F8, to access the advanced startup menu - this menu can be very helpful in troubleshooting, but it is no longer a default feature; open a command prompt with admin rights, and use the command shown below
    [Figure: Turn on F8]
  • create bootable recovery media - if you just need to recover Windows, this will work better than the saved image; Dr. Andrews discusses the uses of a Repair Disc and a Recovery Drive, and reminds us that we can create these with the Media Creation Tool
[Figure: Creating a Repair Disc]

[Figure: Creating a Recovery Drive]

[Figure: Creating a System Image]

The remainder of the chapter mostly talks about using the tools discussed above. There are some exercises you may wish to do once you finish the labs for this week.


  1. Read the chapters for next week.
  2. Complete the assignments and class discussion made in this module, which are due by 6pm next week.