diff --git a/changes/bug31615 b/changes/bug31615
new file mode 100644
index 0000000000..49b13bea95
--- /dev/null
+++ b/changes/bug31615
@@ -0,0 +1,5 @@
+  o Minor bugfixes (subsystems):
+    - Make the subsystem init order match the subsystem module dependencies.
+      Call windows process security APIs as early as possible. Init log before
+      network and time, so that network and time can use logging.
+      Fixes bug 31615; bugfix on 0.4.0.1-alpha.
diff --git a/src/app/main/subsystem_list.c b/src/app/main/subsystem_list.c
index 95d96f78d2..d525708e7b 100644
--- a/src/app/main/subsystem_list.c
+++ b/src/app/main/subsystem_list.c
@@ -33,33 +33,35 @@
 
 /**
  * Global list of the subsystems in Tor, in the order of their initialization.
+ * Want to know the exact level numbers?
+ * We'll implement a level dump command in #31614.
  **/
 const subsys_fns_t *tor_subsystems[] = {
-  &sys_winprocess, /* -100 */
-  &sys_torerr, /* -100 */
-  &sys_wallclock, /* -99 */
-  &sys_threads, /* -95 */
-  &sys_logging, /* -90 */
-  &sys_time, /* -90 */
-  &sys_network, /* -90 */
-  &sys_compress, /* -70 */
-  &sys_crypto, /* -60 */
-  &sys_tortls, /* -50 */
-  &sys_process, /* -35 */
+  &sys_winprocess,
+  &sys_torerr,
+  &sys_wallclock,
+  &sys_threads,
+  &sys_logging,
+  &sys_time,
+  &sys_network,
+  &sys_compress,
+  &sys_crypto,
+  &sys_tortls,
+  &sys_process,
 
-  &sys_orconn_event, /* -33 */
-  &sys_ocirc_event, /* -32 */
-  &sys_btrack, /* -30 */
+  &sys_orconn_event,
+  &sys_ocirc_event,
+  &sys_btrack,
 
   &sys_evloop, /* -20 */
 
-  &sys_mainloop, /* 5 */
-  &sys_or, /* 20 */
+  &sys_mainloop,
+  &sys_or,
 
-  &sys_relay, /* 50 */
+  &sys_relay,
 
 #ifdef HAVE_MODULE_DIRAUTH
-  &sys_dirauth, /* 70 */
+  &sys_dirauth,
 #endif
 };
 
diff --git a/src/lib/err/torerr_sys.c b/src/lib/err/torerr_sys.c
index 3ab1b3c4e1..34f70f1f0b 100644
--- a/src/lib/err/torerr_sys.c
+++ b/src/lib/err/torerr_sys.c
@@ -33,7 +33,10 @@ subsys_torerr_shutdown(void)
 
 const subsys_fns_t sys_torerr = {
   .name = "err",
-  .level = -100,
+  /* Low-level error handling is a diagnostic feature, we want it to init
+   * right after windows process security, and shutdown last.
+   * (Security never shuts down.) */
+  .level = -99,
   .supported = true,
   .initialize = subsys_torerr_initialize,
   .shutdown = subsys_torerr_shutdown
diff --git a/src/lib/log/log_sys.c b/src/lib/log/log_sys.c
index d1080f2264..826358546a 100644
--- a/src/lib/log/log_sys.c
+++ b/src/lib/log/log_sys.c
@@ -29,6 +29,8 @@ subsys_logging_shutdown(void)
 const subsys_fns_t sys_logging = {
   .name = "log",
   .supported = true,
+  /* Logging depends on threads, approx time, raw logging, and security.
+   * Most other lib modules depend on logging. */
   .level = -90,
   .initialize = subsys_logging_initialize,
   .shutdown = subsys_logging_shutdown,
diff --git a/src/lib/net/network_sys.c b/src/lib/net/network_sys.c
index 9dfdb2b45a..e0a2625d73 100644
--- a/src/lib/net/network_sys.c
+++ b/src/lib/net/network_sys.c
@@ -37,7 +37,9 @@ subsys_network_shutdown(void)
 
 const subsys_fns_t sys_network = {
   .name = "network",
-  .level = -90,
+  /* Network depends on logging, and a lot of other modules depend on network.
+   */
+  .level = -80,
   .supported = true,
   .initialize = subsys_network_initialize,
   .shutdown = subsys_network_shutdown,
diff --git a/src/lib/process/winprocess_sys.c b/src/lib/process/winprocess_sys.c
index 48c0888658..ff9bc1ba04 100644
--- a/src/lib/process/winprocess_sys.c
+++ b/src/lib/process/winprocess_sys.c
@@ -58,6 +58,8 @@ subsys_winprocess_initialize(void)
 
 const subsys_fns_t sys_winprocess = {
   .name = "winprocess",
+  /* HeapEnableTerminationOnCorruption and setdeppolicy() are security
+   * features, we want them to run first. */
   .level = -100,
   .supported = WINPROCESS_SYS_ENABLED,
   .initialize = subsys_winprocess_initialize,
diff --git a/src/lib/thread/compat_threads.c b/src/lib/thread/compat_threads.c
index 35cfeba64c..1c4a5c4e3f 100644
--- a/src/lib/thread/compat_threads.c
+++ b/src/lib/thread/compat_threads.c
@@ -122,6 +122,8 @@ subsys_threads_initialize(void)
 const subsys_fns_t sys_threads = {
   .name = "threads",
   .supported = true,
+  /* Threads is used by logging, which is a diagnostic feature, we want it to
+   * init right after low-level error handling and approx time. */
   .level = -95,
   .initialize = subsys_threads_initialize,
 };
diff --git a/src/lib/time/time_sys.c b/src/lib/time/time_sys.c
index b3feb7b46a..8b9aa2856c 100644
--- a/src/lib/time/time_sys.c
+++ b/src/lib/time/time_sys.c
@@ -20,7 +20,9 @@ subsys_time_initialize(void)
 
 const subsys_fns_t sys_time = {
   .name = "time",
-  .level = -90,
+  /* Monotonic time depends on logging, and a lot of other modules depend on
+   * monotonic time. */
+  .level = -80,
   .supported = true,
   .initialize = subsys_time_initialize,
 };
diff --git a/src/lib/wallclock/approx_time.c b/src/lib/wallclock/approx_time.c
index 7b32804026..77eeddaf56 100644
--- a/src/lib/wallclock/approx_time.c
+++ b/src/lib/wallclock/approx_time.c
@@ -54,6 +54,8 @@ subsys_wallclock_initialize(void)
 const subsys_fns_t sys_wallclock = {
   .name = "wallclock",
   .supported = true,
-  .level = -99,
+  /* Approximate time is a diagnostic feature, we want it to init right after
+   * low-level error handling. */
+  .level = -98,
   .initialize = subsys_wallclock_initialize,
 };