
[windows_internals]Service, Part III: Service load order

May 5, 2013

This session we will talk about the service load order.

 

As we know, services can be divided into two types: driver services and Windows services.

For a driver service, the start type can be SERVICE_BOOT_START, SERVICE_SYSTEM_START, SERVICE_AUTO_START, SERVICE_DEMAND_START or SERVICE_DISABLED.

For a Windows service, the start type can only be SERVICE_AUTO_START, SERVICE_DEMAND_START or SERVICE_DISABLED.

Besides the start type, a service's load order is also determined by the index of its group among the system's groups, its position within that group, and the services/groups that it depends on.

 

So let's first take a look at how start type affects the load order.

 

 

1. During system boot, NTLoader will start all the drivers with the SERVICE_BOOT_START type.

2. Then, during kernel initialization, all SERVICE_SYSTEM_START drivers will be started.

3. After the Service Control Manager (SCM.exe) process is started, it will start all the SERVICE_AUTO_START drivers and Windows services.

If some SERVICE_AUTO_START drivers or services depend on other drivers or services, the drivers/services they depend on will also be started automatically, even if they are SERVICE_DEMAND_START. This is explained in more detail later in this article.

 

Next, let's see how Group and Tag affect the service load order.

ServiceGroupOrder

Services can be organized into groups. The group order list is stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder

The ServiceGroupOrder key contains a list of group names in the order in which they will be loaded.

 

For example,

 

System Reserved
Boot Bus Extender
System Bus Extender
SCSI miniport
Port
Primary Disk
SCSI Class
SCSI CDROM Class
...

 

According to the ServiceGroupOrder list, device drivers in the group "SCSI Class" load after all device drivers in the group "Primary Disk" and before device drivers in the group "SCSI CDROM Class". The higher a device driver's group is in the list, the sooner it loads.

 

As mentioned above in the discussion of how the start type determines the load order, a device driver with a start value of SERVICE_BOOT_START loads before any device driver with a start value of SERVICE_SYSTEM_START.

To honor this rule, the ServiceGroupOrder list is scanned twice. First, all device drivers with a start value of SERVICE_BOOT_START load; then, all device drivers with a start value of SERVICE_SYSTEM_START load. Thus, a device driver with a start value of SERVICE_BOOT_START loads before any device driver with a start value of SERVICE_SYSTEM_START, no matter what its position on the ServiceGroupOrder list.

 

GroupOrderList and Tag Values

For a group that contains more than one service, how is the load order of its services defined? The registry key GroupOrderList is used for this purpose:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\GroupOrderList

 

Here is a partial output of the GroupOrderList:

 

Double-click one of the group names and you will get a dialog for editing the value. For example, Ndis's GroupOrderList value is shown below.

 

 

The first four bytes are the number of Tag values. They are followed by the Tag sequence itself (four bytes for each "Tag"). The value is stored in little-endian notation. So in the above example, Ndis has defined 0x0000000d (13) tags, which are 0x00000001, 0x00000002, etc.

Please note that the tag values are not necessarily in numerical order; that is to say, you can put 0x0000000D ahead of 0x00000001.

Device drivers in a group are first loaded according to their Tag value as defined by the GroupOrderList.
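The layout just described (a 4-byte little-endian count followed by 4-byte little-endian tags) can be decoded as follows. This is an added example, not code from the original post; the function names and the sample bytes are constructed for illustration.

```python
import struct

def parse_group_order_list(data: bytes) -> list[int]:
    """Decode one GroupOrderList REG_BINARY value into its ordered tag list."""
    if len(data) < 4:
        raise ValueError("value is shorter than the 4-byte tag count")
    (count,) = struct.unpack_from("<I", data, 0)   # first DWORD: number of tags
    available = (len(data) - 4) // 4
    if count > available:
        raise ValueError(f"count says {count} tags, only {available} present")
    # Keep the stored order: the position in this list decides the load order,
    # not the numeric value of the tag. Bytes past `count` tags are ignored.
    return list(struct.unpack_from(f"<{count}I", data, 4))

def tag_position(tags, tag):
    """Load position of a driver's Tag within its group, or None if unlisted."""
    return tags.index(tag) if tag in tags else None

# Constructed sample (not read from a real system): 4 tags stored as 0x0D, 1, 2, 3.
SAMPLE = bytes.fromhex("04000000" "0d000000" "01000000" "02000000" "03000000")

if __name__ == "__main__":
    tags = parse_group_order_list(SAMPLE)
    print([hex(t) for t in tags])
    print(tag_position(tags, 0x0D), tag_position(tags, 9))
```

On a Windows machine the input bytes can be obtained with Python's `winreg.QueryValueEx` on the GroupOrderList key; the parser itself runs anywhere.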

 

There are some special scenarios that we should consider.

1. If two drivers have the same tag value in the same group, their load order is not guaranteed. If you want one to be loaded after the other, assign them different tag values.

2. If a device driver does not have a Tag value, or if its Tag value is not in the GroupOrderList, it loads after the device drivers with valid Tag values. For these device drivers with bad tags or without tags, the order of loading is not guaranteed, but they will be loaded before the next group loads.

3. When a group is not in the GroupOrderList, the order in which device drivers load within the group cannot be guaranteed.

 

Finally, please note that because the "Tag" registry value doesn't apply to Windows services, GroupOrderList is usually used to control the load order of driver services.
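The start-type, group and tag rules above can be combined into one ordering model. The sketch below is an added example, not from the original post; the driver names, tag list and group subset are constructed, and placing a group that is missing from ServiceGroupOrder after all listed groups is an assumption the article does not cover.

```python
from itertools import groupby

SERVICE_BOOT_START, SERVICE_SYSTEM_START = 0, 1   # values of the Start entry

def load_tiers(drivers, group_order, group_tags):
    """Return tiers of driver names in load order.

    Drivers inside one tier have no guaranteed relative order.
    drivers: iterable of (name, start, group, tag); tag is None when absent.
    group_order: ServiceGroupOrder list; group_tags: {group: ordered tag list}.
    """
    def sort_key(d):
        _, start, group, tag = d
        # Assumption: a group missing from ServiceGroupOrder sorts after listed ones.
        g = group_order.index(group) if group in group_order else len(group_order)
        tags = group_tags.get(group)
        if tags is None:
            t = 0                    # group not in GroupOrderList: no inner order
        elif tag in tags:
            t = tags.index(tag)      # position in the list, not numeric value
        else:
            t = len(tags)            # missing or unlisted tag: after valid tags
        return (start, g, t)         # start type first: the list is scanned twice
    ordered = sorted(drivers, key=sort_key)
    return [[d[0] for d in tier] for _, tier in groupby(ordered, key=sort_key)]

# Constructed sample data (hypothetical driver names).
GROUP_ORDER = ["Primary Disk", "SCSI Class", "SCSI CDROM Class"]
GROUP_TAGS = {"SCSI Class": [2, 1]}
DRIVERS = [
    ("cd_sys", SERVICE_SYSTEM_START, "SCSI CDROM Class", None),
    ("disk_a", SERVICE_BOOT_START, "SCSI Class", 1),
    ("disk_b", SERVICE_BOOT_START, "SCSI Class", 2),
    ("disk_c", SERVICE_BOOT_START, "SCSI Class", 7),      # tag not in the list
    ("disk_d", SERVICE_BOOT_START, "SCSI Class", None),   # no tag at all
    ("late_boot", SERVICE_BOOT_START, "SCSI CDROM Class", None),
    ("early_sys", SERVICE_SYSTEM_START, "Primary Disk", None),
]

if __name__ == "__main__":
    for tier in load_tiers(DRIVERS, GROUP_ORDER, GROUP_TAGS):
        print(tier)
```

Note that `late_boot` loads before `early_sys` even though its group is later in the list, because boot-start drivers are handled in the first scan.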

 

 

Service dependencies

DependOnGroup is used to specify a dependency on a group. The driver or service won't load unless a driver or service from the specified group loads. If a dependency exists, the group on which the service depends must have already initialized, and at least one service of that group must have successfully started. If the service depends on a group that starts later than the service's own group in the group startup sequence, and the service is started by SCM (that is, its start type is neither SERVICE_BOOT_START nor SERVICE_SYSTEM_START), the SCM notes a "circular dependency" error for that service.

DependOnService is used to specify a dependency between services. The service won't load until all the services it depends on are loaded. If a service depends on other services that belong to groups that come later in ServiceGroupOrder\List, the SCM also generates a "circular dependency" error and doesn't start the service.

If the service depends on any services from the same group (or they are both ungrouped) that haven't yet started, the service is skipped, but it will be started later, once the service it depends on has started. Even if that service's start type is SERVICE_DEMAND_START, it will still be started by SCM.
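The dependency rules above can be turned into a configuration check for SCM-started services. This is an added example, not code from the original post; the service names, the dictionary layout and the sample group list are constructed, and ungrouped services are never flagged because the article does not cover that case.

```python
SERVICE_AUTO_START, SERVICE_DEMAND_START = 2, 3   # values of the Start entry

def check_dependencies(name, services, group_order):
    """Apply the SCM rules described above to one SCM-started service.

    services: {name: {"start", "group", "on_groups", "on_services"}}.
    Returns ("circular dependency", offender) or ("ok", demand_start_deps),
    where demand_start_deps are SERVICE_DEMAND_START services SCM will start.
    """
    rank = {g: i for i, g in enumerate(group_order)}
    svc = services[name]
    own = rank.get(svc.get("group"))

    def later(group):
        # True when `group` comes after the service's own group in the order list.
        return own is not None and group in rank and rank[group] > own

    for group in svc.get("on_groups", []):          # DependOnGroup
        if later(group):
            return ("circular dependency", group)
    pulled = []
    for dep in svc.get("on_services", []):          # DependOnService
        if later(services[dep].get("group")):
            return ("circular dependency", dep)
        if services[dep]["start"] == SERVICE_DEMAND_START:
            pulled.append(dep)                      # started on behalf of `name`
    return ("ok", pulled)

# Constructed sample data (hypothetical services and a shortened group list).
GROUPS = ["NDIS", "TDI"]
SERVICES = {
    "svc_helper": {"start": SERVICE_DEMAND_START, "group": "TDI"},
    "svc_tdi": {"start": SERVICE_AUTO_START, "group": "TDI", "on_groups": ["NDIS"]},
    "svc_app": {"start": SERVICE_AUTO_START, "group": "TDI",
                "on_services": ["svc_helper"]},
    "svc_bad": {"start": SERVICE_AUTO_START, "group": "NDIS", "on_groups": ["TDI"]},
    "svc_bad2": {"start": SERVICE_AUTO_START, "group": "NDIS",
                 "on_services": ["svc_helper"]},
}

if __name__ == "__main__":
    for svc_name in ("svc_tdi", "svc_app", "svc_bad", "svc_bad2"):
        print(svc_name, check_dependencies(svc_name, SERVICES, GROUPS))
```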


Finally, let's put the above together into a whole picture.

 

 

 

Load Order Tool from SysInternals

SysInternals has a tool named LoadOrd.exe which lists the load order for the running drivers and services. Here is a screenshot of it. You can get it from http://technet.microsoft.com/en-us/sysinternals/bb897416.aspx

 

 

 

Ref:

http://support.microsoft.com/kb/115486

Windows Internals 5th Edition, Chapter 4, Management Mechanisms.
