Service, Part V: Control Set & LastKnownGood

August 30th, 2010 by bettermanlu

Open your regsitry, you will find some control set keys under HKLM\SYSTEM. What are these Control Set for?

Under these control set, besides services data store, it also contains the Control key, which stores many kernel-mode and user-mode subsystem configuration settings. These are very important to Windows system.

To make system more robust, Windows maintains several copies of CurrentControlSet, and CurrentControlSet is just a symbolic registry link that points to one of the copies. The control sets have names in the form HKLM\ControlSetnnn , where nnn is a number such as 001 or 002. The Current value under HKLM\System\Select is used to determine which ControlSet that CurrentControlSet points to. In the above Figure, the Current value is 1, so CurrentControlSet points to ControlSet001 . Since CurrentControlSet is a symbolic link, if you modify the CurrentControlSet, the control set that it points to will also be updated, and vice verse.

Windows always keeps a good control set to make sure the windows can boot. LastKnowGood value under HKLM\System\Select is used to record the most recent successful boot’s ControlSet index.

Failed value points to the last control set for which the boot was unsuccessful. To make boot proceeding, windows then switched to boot with the last known good control set.

Service Control Manager (SCM) is in charge of maintaining the control set. After system boots successfully (a successful startup of auto-start services and a successful user logon), if this was the system’s first successful boot, the last known good won’t exist and the system will create a new control set for it. If the last known good tree exists, the system simply updates it with differences between it and CurrentControlSet.

Last known god is helpful in situations in which a change to CurrentControlSet, such as the modification of a system value under HKLM\SYSTEM\Control or the newly added of a service or device driver, causes the subsequent boot to fail. Users can press F8 early in the boot process to bring up a menu that lets them direct the boot to use the last known good control set to boot sucessfully.

Sumamry:

When LastKnownGood applicable

1. New driver installed.

2. Driver/system settings changed.

When LastKnownGood doesn’t work

Please remember that LastKnownGood only records configurations, ie, part of the registry keys. It doesn’t store the system files. So under some conditions, LastKnownGood will not work.

1. Existing driver updated. Its configuration in registry doesn’t change.

2. Latent driver bug becomes active.

3. System files or registry missing or corrupt. Registry keys out of LastKnownGood corrupt.

Ref:

Winodws Internals 5th editon, Chapter 4 Management Mechanism.

Comments are closed.