Slow Shutdown Troubleshooting

[Dave-H]

I hope I can get some advice here as to where to proceed.

My XP SP3 system, after running pretty flawlessly for 18 months after being upgraded from 2000 SP4, has suddenly developed the dreaded slow shutdown problem. It's hanging on "saving your settings" for ages before shutting down, and writing event 1517 into the Application event log on every shutdown or logoff.

I've had this problem before when I was running Windows 2000, and as all the web searches on this problem recommend, I installed the User Profile Hive Cleanup service. This solved it, although I've never considered it to be a cure, more a workaround, which does nothing to remove the original cause of the problem!

Anyway, this time it doesn't actually help!

I updated the version of UPHClean that I already had, and activated it again (it had never been used on XP).

All that resulted was that this caused shutdown to hang completely and permanently every time, either on "saving your settings" or on "Windows is shutting down". I'd then have to do a cold reboot.

UPHClean wrote nothing into the event log.

I then found that UPHClean could be put into a mode where it only logged the errors in releasing the registry keys, but without forcing them to be released. This allowed the shutdown to complete, and I was amazed to find that on every shutdown UPHClean was logging multiple events into the Application event log, sometimes as many as 24 events in quick succession!

Each event contains a huge number of entries, in fact a couple of reboots cleared my log completely even though it's set to 2 MB maximum size!

This is just one of them -

Event Type: Information

Event Source: UPHClean

Event Category: None

Event ID: 1501

Date: 26/07/11

Time: 14:00:05

User: AshfieldCourt\Dave

Computer: AshfieldCourt

Description:

The following handles opened in user profile hive AshfieldCourt\Dave (S-1-5-21-1343024091-1757981266-1417001333-500) are preventing the profile from unloading:

System (4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x58)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x60)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x74)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x98)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0xd0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0xfc)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x118)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x12c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x144)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x158)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x174)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x184)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x1b4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x1cc)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x1d4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x1e0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x1fc)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x224)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x22c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x240)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x258)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x260)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x274)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x290)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x2a0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x2b4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x2d0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x2e0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x2f8)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x308)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x320)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x334)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x34c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x3d0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x3e8)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x3ec)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x420)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x434)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x448)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x44c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x540)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x5f8)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x604)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x614)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x620)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x640)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x64c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x67c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x738)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x764)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x77c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x798)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x7c4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x7e0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x7e8)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x7f8)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x810)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x81c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x824)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x834)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x84c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x85c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x860)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x888)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x898)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x8a4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x8a8)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x8cc)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x8d8)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x8f4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x8f8)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x928)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x934)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x944)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x950)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (0x96c)

There are another 23 of these events, each one the same except that the hex numbers after each line are different.

I've never seen anything like this before, and I have no idea what's caused it.

The first entry of error 1517 was on July 17th, and I checked back and couldn't see that I changed anything on the system that day which would have triggered this.

I been trying to diagnose this, but I can't now get any further.

If I use msconfig to start the system with minimal services and items, the slow shutdown still happens.

If I use Task Manager in this setup to close explorer.exe however, the shutdown is normal, so it looks as if explorer is the culprit.

However on a normal startup with everything loaded, killing explorer.exe doesn't stop the slow shutdown from happening!

I don't have any system restore points that go back before the 17th, so couldn't try that, but I did have an old registry backup from before then, but restoring that made no difference. Does that prove that the problem isn't in the registry?

There are four profiles on my machine in "Documents and Settings".

They are "All Users", "Dave"(the one I always use and the only user profile), "LocalService", and "NetworkService".

The last two I assume are part of the Windows setup.

I tried making a new profile, which I was told had to be the Administrator, although I am already the Administrator, just re-named to "Dave". I made a dummy temporary profile to test, and that shutdown OK, so it looks as if it must be something in my profile that's causing the problem. The system then wouldn't let me delete the test profile I'd made, so I had to restore a registry backup to get rid of it, and delete all the unwanted folders it had made!

So, the problem does seem to be in my "Dave" profile, but how can I find out what exactly is causing explorer to suddenly lock all those registry keys open at logoff?

I have Process Explorer, and Regmon and Bootvis, but they only seem to lock startup sequences, not shutdown.

Is there anything I can use to monitor the shutdown that would tell me why explorer is suddenly behaving like this?

I have of course scanned for viruses and malware, and the system seems to be clean.

I should also mention that the system seems to be functioning normally in every other respect except for the slow shutdown.

Sorry this is so long -winded, but I felt I needed to detail everything that I'd already done to troubleshoot this.

As I said, I'm now at a loss, and would appreciate any advice.

Surely we're not looking at completely reinstalling Windows to cure this?!

That would be my very last resort, as it would take me ages to get the system back to how it was.

Thanks, Dave.

Edited July 28, 2011 by Dave-H

[MagicAndre1981]

Do you have a vista/7 installation? if yes, install xbootmgr there and copy the files to the XP system and run there the shutdown trace command:

http://www.msfn.org/board/index.php?showtopic=140247

and upload the shutdown_BASE+CSWITCH+DRIVERS+POWER_1.etl (the processing of the ETL with xperf (Summary.XML) and the viewer don't work on XP)

[dencorso]

Do you have a backup from before the issue manifested, Dave?

My advice would be fall back and forget...

[allen2]

Try using autoruns (to see what is automatically started) in the dave profile.

Also plain task manager might help to see what's wrong in your profile when shutting down: launch it, order the processes by user and, after closing all applications (those you're usually launching) and before shutting down your computer, check the processes launched by your account in task manager. Try killing one (from the most suspicious) and the launch the shutdown. If the shutdown is fast then you get the culprit, if not reboot and do the same thing with another process.

As a side note, what antivirus do you use as i've seen this behavior with some antivirus (like MacAffee and its "scan floppy before shutdown" option that will hang forever searching for a floppy disk on recent computer).

[Joseph_sw]

is there any un-usual file/folder/registry permission settings?

i use AccessEnum to lists any weirds permissions.

[Dave-H]

Thanks guys!

To respond to you all in order -

@MagicAndre1981

I have access to a friend's laptop with Windows 7 Home Premium on it, so I will try what you suggest and report back.

@dencorso

Hi Den!

Unfortunately although I now back up my system regularly, I didn't become aware of this problem until after I'd done my last backup, and I only keep one, so I'm afraid that isn't an option this time. Believe me, I would have done it by now if it was!

@allen2

Thanks, I do have autoruns installed and will check things on there.

I have tried closing things down one by one to try and track down the culprit, but with no luck.

As I said in my OP I've done a diagnostic startup using msconfig, and that didn't clear the problem.

In that mode I've got down to just the following still running in Task Manager -

LSASS.EXE

SERVICES.EXE

WINLOGON.EXE

CSRSS.EXE

SMSS.EXE

2 x SVCHOST.EXE (This I assume is the Remote Procedure Call and DCOM Server Process Launcher services, which are the two services which seem to have to be running.)

Also Task Manager itself of course, and Explorer.

As I said, if I kill Explorer in this mode, the shutdown is then normal, which I am assuming means that it is the culprit.

Shutting down Explorer when the system is running normally with everything loaded does not cure the slow shutdown though, which I don't understand!

I use Trend Internet Security, which has been working fine for ages, although an automatic update could have caused the problem of course. However the problem is still there even with all its processes shut down, so I don't think it's got anything to do with it.

@Joseph_sw

I did check the permissions on the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders registry key, and everything seemed to be what I would expect.

BTW I should have mentioned in my OP that the system shuts down fine from Safe Mode, but I expect you all assumed that anyway!

Thanks, Dave.

[allen2]

None of the process you listed should be launched with your dave account.

[Dave-H]

@ allen2

Surely they are Windows core processes that should always be running?

They are running under SYSTEM user name, not "Dave".

Is that not correct?

@MagicAndre1981

I managed to install the Performance Tools, but when I run XBOOTMGR I just get a message that it's not a valid Win32 application.

I think that the trouble is that the Windows 7 laptop that I used to install it on and copy the files from is a 64 bit Windows 7 system.

I tried to install the 32 bit version, but it wouldn't let me, so I had to install the 64 bit version.

Is this why it won't work on my XP system, which is 32 bit?

If that is the problem, the only thing I can think of trying is to extract the files from the 32 bit installer using UniExtract (or hope that they're all sitting in the temp folder if I don't complete the install) and then just copy them over to the folder on my system.

It does actually install on XP anyway, but only with a very limited set of options, basically just the WPF Performance Suite. None of the other options that are there on the Windows 7 installation appear.

[allen2]

Try using autoruns (to see what is automatically started) in the dave profile.

Also plain task manager might help to see what's wrong in your profile when shutting down: launch it, order the processes by user and, after closing all applications (those you're usually launching) and before shutting down your computer, check the processes launched by your account in task manager. Try killing one (from the most suspicious) and the launch the shutdown. If the shutdown is fast then you get the culprit, if not reboot and do the same thing with another process.

As a side note, what antivirus do you use as i've seen this behavior with some antivirus (like MacAffee and its "scan floppy before shutdown" option that will hang forever searching for a floppy disk on recent computer).

[Dave-H]

check the processes launched by your account in task manager

I have actually already done all that, and I think I've narrowed it down to Explorer being the process that's causing the problem.

As I said, I've run the computer with a bare minimum of processes running, and the shutdown still isn't normal.

It only becomes fast again if I kill explorer.exe before I shut down.

I don't think there's any doubt that Explorer is causing the problem, the only question is why would it suddenly start behaving that way?!

[Tripredacus]

I have actually already done all that, and I think I've narrowed it down to Explorer being the process that's causing the problem.

As I said, I've run the computer with a bare minimum of processes running, and the shutdown still isn't normal.

It only becomes fast again if I kill explorer.exe before I shut down.

I don't think there's any doubt that Explorer is causing the problem, the only question is why would it suddenly start behaving that way?!

Explorer is not likely causing a problem. After shutdown is called, Windows will begin ending processes. There is a timer for how long after the end is sent and Explorer will force close the process. There is a registry setting that determines this. Explorer won't close until all of the processes it has under its "umbrella" has been closed.

If you open up Procexp (at any time, not during shutdown) you can see the parent and child processes to get a clear idea of what I mean.

[MagicAndre1981]

@MagicAndre1981

I managed to install the Performance Tools, but when I run XBOOTMGR I just get a message that it's not a valid Win32 application.

I think that the trouble is that the Windows 7 laptop that I used to install it on and copy the files from is a 64 bit Windows 7 system.

I tried to install the 32 bit version, but it wouldn't let me, so I had to install the 64 bit version.

you can try to use Universal Extractor to extract the MSI file on the XP system to get the tool working. Use here the x86 MSI.

[cluberti]

You can also get the files you need from the xperf123 package.

[MagicAndre1981]

is it allowed to redistribute the files outside the SDK/WPT setup?

[Dave-H]

Thanks guys!

Glad to have it confirmed that extracting the files from the 32 bit installer and replacing the ones in the folder with them would work.

Thanks MagicAndre1981.

I did just that, and it did work!

So, I've got the trace.

As I expected from what I'd read, I can't view it myself, as xperfview.exe does not work (it doesn't generate any error messages, it just doesn't do anything!) so I hope someone else can look at it for me.

Unfortunately, I can't attach it here, as it's too big!

Even zipped up it's 8.5MB.

I've uploaded it to a website I maintain.

It should be there if you right click and save here.

If someone could analyse it for me I'd be very grateful.

Thanks, Dave.