Windows Enterprise Client Boot and Logon Optimization – Part 11, Boot Phase – OS Loader and Kernel Initialization

This post continues the series that started here.

Last time, I began a breakdown of each boot phase. In this post, I’ll continue this discussion but move on to OS Loader and Kernel Initialization.


I’ll discuss OS Loader and Kernel Initialization together because the summary XML generated with xperf.exe (see Part 3) summarises the total time of both activities in a single metric.

Regions of Interest in WPA

Windows Performance Analyzer (WPA) provides a new feature starting with the Windows 10 ADK: the Regions of Interest graph, available in the System Activity group. By default, this graph displays no data.

From WPA’s Trace menu, you can select Trace Properties and load a Regions of Interest definition file.

The default location for Regions of Interest definition files is C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\Catalog. By clicking the Add button, you’ll see a number of definitions to choose from. For the purposes of Boot and Logon performance analysis, you should choose the FullBoot.Boot.Regions definition.

The Regions of Interest graph is now populated with a Gantt chart of the boot phases we’re interested in.

I’ll make reference to the Regions of Interest as we proceed to describe each boot phase and its analysis.

Boot Phase OS Loader and Kernel Initialization – Phase Activity

OS Loader

  • Loads the system registry hive into memory
  • Loads but does not initialize BOOT_START drivers
  • Passes control to the kernel.

Kernel Initialization

  • Starts the plug and play manager
  • Initializes BOOT_START drivers loaded during the OS Loader phase
  • Loads and initializes SYSTEM_START drivers
  • Passes control to the Session Manager

Boot Phase OS Loader and Kernel Initialization – Measurement

The summary XML generated with xperf.exe provides two values for measurement:

  • Duration of OS Loader → osLoaderDuration
  • Duration of OS Loader + Duration of Kernel Initialization → PreSMSS


Regions of Interest also provides the total duration as Boot-PreSessionInit-Phase.

You’ll notice a slight discrepancy in the duration, which is due to xperf.exe and Regions of Interest calculating it in different ways. These small differences are unimportant in the context of our investigation.

Boot Phase OS Loader and Kernel Initialization – Potential Issues

OS Loader

  • The osLoaderDuration is ideally < 3 seconds
  • Performance is mostly disk bound (reading drivers and the registry)
  • Additional 3rd party BOOT_START drivers can cause delays (often antivirus)
  • Non-embedded-signed drivers trigger catalog reload code integrity checks to validate driver signatures

Kernel Initialization

  • Slow starting devices and drivers
  • Non-embedded-signed drivers trigger catalog reload code integrity checks to validate driver signatures
  • Antivirus drivers adding delays and overhead to disk IO
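
An added example, not part of the original post: a PowerShell function that reads the two measurement values from a summary XML, derives the Kernel Initialization time as PreSMSS minus osLoaderDuration, and flags an OS Loader phase at or over the 3-second guideline. The XML layout, the millisecond unit, the sample values and the function name Get-PreSessionInitTiming are assumptions made for illustration.

```powershell
# Constructed sample, not real xperf output. The layout assumed here
# (timing/@osLoaderDuration, interval[@name='PreSMSS']/@duration, values in
# milliseconds) must be checked against your own summary XML.
# For a real file use: [xml]$summary = Get-Content -Raw .\summary.xml
[xml]$summary = @'
<results>
  <boot>
    <timing osLoaderDuration="3412">
      <interval name="PreSMSS" duration="9875" />
    </timing>
  </boot>
</results>
'@

function Get-PreSessionInitTiming {
    param(
        [Parameter(Mandatory)] [xml]$Summary,
        [int]$OsLoaderThresholdMs = 3000   # "ideally < 3 seconds" guideline
    )

    # Locate the timing element and the PreSMSS interval beneath it.
    $timing = $Summary.SelectSingleNode('//timing[@osLoaderDuration]')
    if ($null -eq $timing) { throw 'No timing element with osLoaderDuration found.' }
    $preSmss = $timing.SelectSingleNode("interval[@name='PreSMSS']")
    if ($null -eq $preSmss) { throw 'No PreSMSS interval found.' }

    $osLoaderMs = [int]$timing.GetAttribute('osLoaderDuration')
    $preSmssMs  = [int]$preSmss.GetAttribute('duration')

    # PreSMSS covers OS Loader + Kernel Initialization, so the kernel
    # share is the difference between the two reported values.
    [pscustomobject]@{
        OsLoaderMs   = $osLoaderMs
        KernelInitMs = $preSmssMs - $osLoaderMs
        PreSmssMs    = $preSmssMs
        OsLoaderSlow = $osLoaderMs -ge $OsLoaderThresholdMs
    }
}

Get-PreSessionInitTiming -Summary $summary
```

With the constructed sample, OsLoaderSlow is True and the derived Kernel Initialization time is 6463 ms, which tells you which half of the phase to investigate first.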

Boot Phase OS Loader and Kernel Initialization – Remediation

The first thing I’d recommend is checking for catalog reload events as discussed in the code integrity post. You can refine the scope of investigation in WPA by first selecting the Boot-PreSessionInit-Phase, zooming to it and then examining the Generic Events table for catalog reload events.

If ReloadCatalog events are discovered, use the techniques in the code integrity post to identify the drivers responsible.

The next action you can take is to look for drivers that take a long time to load. As discussed above, the drivers of interest are BOOT_START and SYSTEM_START drivers. The load times (slowest at the top) for these are exposed towards the bottom of the summary XML file, below the PnP section.

For any drivers causing problems, contact the vendor and look for an update.

In almost all cases, you’ll see that Disk Utilization is near 100% during this phase. The system is trying to load drivers as fast as possible – it makes sense to push the disk as hard as possible. Slower disks will slow this phase down.

Conclusion

Delays in OS Loader and Kernel Initialization are usually attributed to BOOT_START or SYSTEM_START drivers that are behaving badly. This post has provided techniques to help identify those drivers which should be removed or updated to improve performance.

Some improvement may be seen by upgrading the system disk, especially old, slow, 5400 RPM drives.

Next Up

Boot Phase – Session Initialization