Windows Enterprise Client Boot and Logon Optimization – Part 11, Boot Phase – OS Loader and Kernel Initialization


This post continues the series that started here.

Last time, I began a breakdown of each boot phase. In this post, I’ll continue this discussion but move on to OS Loader and Kernel Initialization.

BootPhase-02

The reason I’ll discuss OS Loader and Kernel Initialization together is because the summary XML generated with xperf.exe (see Part 3) summarises the total time of both activities in a single metric.

Regions of Interest in WPA

Windows Performance Analyzer (WPA) provides a new feature starting with the Windows 10 ADK – the Regions of Interest graph available in the System Activity group. By default, this graph displays no data –

image

From WPA’s Trace menu, you can select Trace Properties and load a Regions of Interest definition file –

image

The default location for Regions of Interest definition files is C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\Catalog. By clicking the Add button, you’ll see a number of definitions to choose from. For the purposes of Boot and Logon performance analysis, you should choose FullBoot.Boot.Regions

image

The Regions of Interest graph is now populated with a Gantt chart of the boot phases we’re interested in –

image

I’ll make reference to the Regions of Interest as we proceed to describe each boot phase and its analysis.

Boot Phase OS Loader and Kernel Initialization – Phase Activity

OS Loader

  • Loads the system registry hive into memory
  • Loads but does not initialize BOOT_START drivers
  • Passes control to the kernel.

Kernel Initialization

  • Starts the plug and play manager
  • Initializes BOOT_START drivers loaded during the OS Loader phase
  • Loads and Initializes SYSTEM_START drivers
  • Passes control to the Session Manager

Boot Phase OS Loader and Kernel Initialization – Measurement

The summary XML generated with xperf.exe provides two values for measurement

  • Duration of OS Loader → osLoaderDuration
  • Duration of OS Loader + Duration of Kernel Initialization → PreSMSS

image

Regions of Interest also provides the total duration as Boot-PreSessionInit-Phase:

image

You’ll notice a slight discrepancy in the duration which is due to xperf.exe and Regions of Interest calculating in different ways. These small differences are unimportant in the context of our investigation.

Boot Phase OS Loader and Kernel Initialization – Potential Issues

OS Loader

  • The osLoaderDuration is ideally < 3 Seconds
  • Performance is mostly disk bound (Reading drivers/registry)
  • Additional 3rd party boot start drivers can cause delays (often Antivirus)
  • Non-embedded-signed drivers trigger catalog reload code integrity checks to validate driver signatures

Kernel Initialization

  • Slow starting devices and drivers
  • Non-embedded-signed drivers trigger catalog reload code integrity checks to validate driver signatures
  • Antivirus drivers adding delays and overhead to disk IO

Boot Phase OS Loader and Kernel Initialization – Remediation

The first thing I’d recommend is checking for catalog reload events as discussed in the code integrity post. You can refine the scope of investigation in WPA by first selecting the Boot-PreSessionInit-Phase, zooming to it and then examining the Generic Events table for catalog reload events –

image

If ReloadCatalog events are discovered, use the techniques in the code integrity post to identify the drivers responsible.

The next action you can take is to look for drivers that take a long time to load. As discussed above, the drivers of interest are BOOT_START and SYSTEM_START drivers. The load times (slowest at the top) for these are exposed towards the bottom of the summary XML file below the PnP section -

image

For any drivers causing problems, contact the vendor and look for an update.

In almost all cases, you’ll see that Disk Utilization is near 100% during this phase. The system is trying to load drivers as fast as possible – it makes sense to push the disk as hard as possible. Slower disks will slow this phase down.

Conclusion

Delays in OS Loader and Kernel Initialization are usually attributed to BOOT_START or SYSTEM_START drivers that are behaving badly. This post has provided techniques to help identify those drivers which should be removed or updated to improve performance.

Some improvement may be seen by upgrading the system disk, especially old, slow, 5400 RPM drives.

Next Up

Boot Phase – Session Initialization

Comments (5)

  1. Leon V says:

    Great work Mark! These tools are my goto for slow boot and logon issues. It’s great to learn some new things as well, like the driver catalog reload. Eagerly anticipating your following posts.

  2. Mark Renoden says:

    Hi Leon

    I’m glad you’re enjoying the series. I’ll try to keep the same pace of a post each week day.

    Cheers

    Mark

  3. anonymouscommenter says:

    My peer Mark Renoden, Roger Southgate and Scott Duffey, whom I had the pleasure of meeting in Sydney

  4. anonymouscommenter says:

    This post concludes the series that started here . Over the past few weeks I’ve presented a “lite” version

  5. lil says:

    http://www.oakley–sunglasses.com.au/ Liying
    http://www.omegarelojes.es/ what
    http://www.nikefree5.net/ she http://www.supra-shoes.org/ can
    http://www.converse-shoes.net/ succeed miles?
    http://www.hollister.us.org/ In
    http://www.christianlouboutinshoes.ar.com/ addition
    http://www.tommy-hilfiger-canada.ca/ to
    http://www.jordan-shoes.com.co/ face
    http://www.nikemercurial.in.net/ child
    http://www.softball-bats.us/ over
    http://www.cheap-baseballbats.net/ nice,
    http://www.new-balance-schuhe.de/ but then
    http://www.nike-roshe-run.de/ there
    http://www.newbalance-shoes.org/ is http://www.yoga-pants.ca/ nothing
    http://www.jordanretro.org/ conceited capital it?
    http://www.uggsoutlet.com.co/ "Tapping!"
    http://www.louisvuitton.jp.net/ Knock
    http://www.mmoncler-outlet.com/ on
    http://www.newoutletonlinemall.com/ the
    http://www.burberryoutletonlinesale.in.net/ door
    http://www.poloralphlaurenoutlet.net.co/ rang again.
    http://www.reebok.com.de/ The hungry
    http://www.toryburchoutletsale.in.net/ man
    http://www.converse.com.de/ with http://www.ugg-boots.us.org/ a little harder
    http://www.ralphlaurenonlineshop.de/ this
    http://www.designerhandbagsoutlet.com.co/ time
    http://www.longchamp.com.de/
    http://www.louboutin.jp.net/ probably on
    http://www.michael-kors-taschen.com.de/ the
    http://www.rayban.org.es/ door with
    http://www.uptocoachoutlet.com/ his fist
    http://www.nikefree-run.net/ to pound
    http://www.michael–kors.us.com/ in."Which
    http://www.timberlandshoes.com.co/ turtle grandson?"
    http://www.tommy-hilfiger.com.de/ Liying in
    http://www.cheapshoes.com.co/ the
    http://www.montblanc–pens.in.net/ kiln outlet."On
    http://www.adidas-superstar.de/ the door
    http://www.p90xworkout.in.net/ open
    http://www.burberryoutletonline.gb.net/ ."
    http://www.nike-air-max.us/ He http://www.pradahandbags.com.co/ teeth
    http://www.bcbg-max-azria.ca/ child
    http://www.michael-kors.com.co/ must knock
    http://www.christian–louboutin.in.net/ down
    http://www.ralph-lauren.org.uk/ the
    http://www.tommy-hilfiger.co.nl/ next."You know
    http://www.hollistercanada.ca/ back http://www.oakley.org.es/ Mile",
    http://www.cheap-jordans.net/ "door
    http://www.northface.us.org/ open http://www.maccosmetics.net.co/ !"
    http://www.ugg-boots-australia.com.au/ "I
    http://www.michaelkorsoutlets-online.us.com/ have
    http://www.nike-shoes-canada.ca/ a
    http://www.toms-shoes-outlet.org/ headache! Kang
    http://www.pradaoutlet.com.co/ could
    http://www.nikerosherun.us/ not
    http://www.zxcoachoutlet.com/ make!""Well
    http://www.nikestore.us/ you open the
    http://www.burberryonlineshop.de/ door
    http://www.michaelkors.co.nl/ mile

Skip to main content