Are there any utilities that can log the Windows 7 shutdown process in a 'debug' mode?

Recently several of our Windows 7 workstations started taking over twenty minutes to reboot, and while we've combed the event viewer several times, we cannot find anything that sticks out, other than the event:

"The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (StartShell)"

The solution for that event is to recreate the profile, which fixes the restart issue we have, but does not tell us what is preventing the clean shutdown, so we still have no idea what the cause is. If we can generate as detailed a shutdown debug log as possible, we may be able to isolate the issue more specifically.

heyjon

2 Answers

The Procmon utility from Windows Sysinternals is capable of doing comprehensive logging of all processes during startup, logoff, and shutdown.

For detailed information, read the Windows Sysinternals Administrator's Reference, section 2, chapter 4. There is a subsection titled "Logging Boot, Post-Logoff, and Shutdown Activity" on configuring the boot logging facility, which also logs when no user is logged on and during shutdown and startup.

A word of warning: since it logs everything, it will generate very large trace files. It can be overwhelming to parse through, so be sure to use the filter and highlight options judiciously.

Jonathan J

Protip: Use the filter function and filter on events that have an abnormally long duration, i.e., events that take longer than 1 or 2 seconds. Should help you hone in on the long delay. – Ryan Ries Dec 12 '13 at 01:19

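A way to apply the duration filter suggested above outside the Procmon GUI, as an added example that is not part of the original answer or comment: this PowerShell script reads a Procmon trace saved as CSV and lists operations that took at least one second, then totals the stalled time per process. It assumes the optional Duration column was selected before saving and that durations use a dot as decimal separator; the `-CsvPath` parameter, the function name and the embedded sample rows are constructed for illustration.

```powershell
# Added example, not from the original thread: list slow operations in a Procmon CSV export.
# Assumes the optional Duration column was enabled before saving, with "." as decimal separator.
param(
    [string]$CsvPath,                 # hypothetical: path to your own export; omit to use the sample
    [double]$ThresholdSeconds = 1.0
)

# Constructed sample rows (not from a real trace), used when -CsvPath is not given.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"1:02:10.1000000 AM","winlogon.exe","512","RegQueryValue","HKLM\SOFTWARE\Example\Value","SUCCESS","","0.0000210"
"1:02:11.2000000 AM","svchost.exe","904","CreateFile","\\fileserver.example\share\ntuser.dat","BAD NETWORK PATH","","21.0432100"
"1:02:40.5000000 AM","svchost.exe","904","QueryDirectory","C:\Users\example\AppData","SUCCESS","","2.5100000"
"1:02:44.0000000 AM","explorer.exe","1320","CloseFile","C:\Windows\example.dll","SUCCESS","","0.0003000"
'@

function Get-SlowProcmonEvent {
    param([object[]]$Rows, [double]$ThresholdSeconds = 1.0)
    $inv   = [System.Globalization.CultureInfo]::InvariantCulture
    $style = [System.Globalization.NumberStyles]::Float
    foreach ($row in $Rows) {
        $seconds = 0.0
        # Skip rows whose Duration is missing or not numeric (column not exported, header noise).
        if (-not [double]::TryParse($row.Duration, $style, $inv, [ref]$seconds)) { continue }
        if ($seconds -lt $ThresholdSeconds) { continue }
        $row | Select-Object 'Time of Day', 'Process Name', 'Operation', 'Result', 'Path',
            @{ Name = 'Seconds'; Expression = { $seconds } }
    }
}

$rows = if ($CsvPath) { Import-Csv -Path $CsvPath } else { $sample | ConvertFrom-Csv }
$slow = @(Get-SlowProcmonEvent -Rows $rows -ThresholdSeconds $ThresholdSeconds)

# Individual slow operations, worst first.
$slow | Sort-Object Seconds -Descending | Format-Table -AutoSize

# Total stalled time per process, to see which process dominates the delay.
$slow | Group-Object 'Process Name' | ForEach-Object {
    New-Object PSObject -Property @{
        Process      = $_.Name
        Events       = $_.Count
        TotalSeconds = ($_.Group | Measure-Object Seconds -Sum).Sum
    }
} | Sort-Object TotalSeconds -Descending |
    Format-Table Process, Events, TotalSeconds -AutoSize
```
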
You can enable the "highly detailed status messages" option in group policy (local or domain): Computer Configuration >> Administrative Templates >> System >> Verbose vs normal status messages. You can also do a registry edit at `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and add a new DWORD `verbosestatus` with a value of 1.

It's not a huge dump of every single thing that the kernel is handling, however it shows you the individual stages of shutdown on the shutdown screen. You can then perhaps have a better idea of where to go next. I'm not aware of a deep, "kernel level" dump of information concerning Windows shutdown.

Wesley

Thanks Wesley, it's definitely worth a shot. For the first ten minutes it shows the background with just the mouse cursor, then for another ten minutes it shows "logging off", so perhaps we'll see a bit more info on that screen with this enabled. I'll report back when I know more. – heyjon Dec 12 '13 at 01:03