Slow Shutdown Troubleshooting


Dave-H

Hi Dave,

I got the trace and I can see that the winlogon.exe causes a high CPU usage for a long time. I see that the function HvpFindFreeCellInThisViewWindow is the cause. Before that starts, a Symantec driver (Norton Unerase Protection) is loaded. Stop the tool and try again. Also check if it happens if you disable your Trend Micro (maybe a virus update definition from July 17th causes the issue). If this doesn't work, stop the Windows Search service and check if it solves it. Maybe the index is corrupt, so try to reindex.

Also what is this Rapport Management Service?

André

Edited by MagicAndre1981


Thanks, very interesting.

I disabled the Norton Unerase Protection service, which didn't seem to change the shutdown problem, but I've run another trace without it enabled.

It should be here.

Has this changed things much, if at all?

Rapport is an on-line banking login security program, from a company called Trusteer.

It's been on my system for some time, and never caused any problems as far as I know.

It is another program that auto updates itself though.

:)

Edited by Dave-H

OK, there's another trace here.

This is with Norton Unerase Protection disabled, Trend Internet Security disabled, and the Windows Search Service and Indexing Service disabled.

The file seems to be a lot smaller!

The shutdown is still slow. :(

Thanks for sticking with this, I wish I could look at these traces myself!

Cheers, Dave.

:)


OK, the complete memory dump is here.

I generated it as soon as the system was told to shut down, as I didn't think it would work if I left it any later.

It's pretty big, even zipped up!

I hope it gives someone a clue as to what's happening here.

Thanks, Dave.


I can't see anything from it :( Was it taken at the point you see the hang?

Wait for what cluberti writes. In the meantime use msconfig (clean boot) to stop loading all 3rd party tools (killing the processes still leaves the loaded drivers on the system) and see if this helps, because you use really old drivers:

BANTExt.sys Thu May 28 04:43:29 1998

Sorry that I can't help more :'(


Thanks Andre, I really appreciate everything you've done so far!

:)

There is another memory dump here.

This one was taken after using msconfig to run the system with a minimum of programs and services running.

The dump was initiated later than the first one too, while the system was hung on "saving your settings".

I hope it may be more useful.

Off to bed now (1.30 am here in England!)

Thanks everyone who has helped with this so far.

I've never had a problem with my system yet that hasn't been solved with the help of MSFN, and I'm sure that this won't be the first to not be solved!

Thanks guys and good night!

Cheers, Dave.

:)


STACK_TEXT:
a6dee9a8 b9b887fb 000000e2 00000000 00000000 nt!KeBugCheckEx+0x1b
a6dee9c4 b9b88033 00867600 018692c6 00000000 i8042prt!I8xProcessCrashDump+0x237
a6deea0c 804db90f 8a70f638 8a867548 03010009 i8042prt!I8042KeyboardInterruptService+0x21c
a6deea0c 80598d5a 8a70f638 8a867548 03010009 nt!KiInterruptDispatch+0x45
a6deead4 80598cdf e3328b60 0000000d 00000040 nt!HvpScanForFreeCellInViewWindow+0x57
a6deeb00 80598c9e e3328b60 00000004 00000040 nt!HvpFindFreeCellInThisViewWindow+0xf2
a6deeb28 805986d0 e3328b60 00000007 00000040 nt!HvpFindFreeCell+0x98
a6deeb50 80598818 e3328b60 00000040 00000000 nt!HvpDoAllocateCell+0x40
a6deeb78 80598adc 00000034 00856d30 e3a55d34 nt!HvReallocateCell+0xb2
a6deeb98 805becf5 e3328b60 00856d68 0000000d nt!CmpAddValueToList+0x59
a6deebe4 805bed6d e2c8f008 00815bd0 00856a98 nt!CmpCopyKeyPartial+0x1a8
a6deec24 805be855 e1135000 00000400 00000006 nt!CmpCopySyncTree2+0x25a
a6deec54 8065e3bd e2c8f008 00000020 e3328b60 nt!CmpCopySyncTree+0x4f
a6deec88 80656f0d 00000020 80000798 00000003 nt!CmSaveKey+0xde
a6deecb0 804dd99f e2934370 80000798 a6deed54 nt!NtSaveKey+0xcf
a6deecb0 804e42df e2934370 80000798 a6deed54 nt!KiFastCallEntry+0xfc
a6deed30 80656ec2 800006e4 80000798 a6deed64 nt!ZwSaveKey+0x11
a6deed54 804dd99f 00000090 00000780 0006f8ac nt!NtSaveKey+0x84
a6deed54 7c90e514 00000090 00000780 0006f8ac nt!KiFastCallEntry+0xfc
0006f858 7c90db5a 77e3c728 00000090 00000780 ntdll!KiFastSystemCallRet
0006f85c 77e3c728 00000090 00000780 0115e1d0 ntdll!ZwSaveKey+0xc
0006f8ac 77e35f0c 00000090 00000780 00082950 ADVAPI32!LocalBaseRegSaveKey+0x169
0006f8ec 76a1aac8 00000090 0114d008 00000000 ADVAPI32!RegSaveKeyW+0x88
0006fb3c 76a1b5f8 01153240 0115e1d0 00000000 USERENV!CUserProfile::HandleRegKeyLeak+0x1e1
0006fbd4 76a1d9f4 00000000 000002d4 00000001 USERENV!CUserProfile::UnloadUserProfileP+0x47b
0006fc4c 0102e5e0 000002d4 00000780 00000000 USERENV!UnloadUserProfile+0xcd
0006fc80 0102005d 0007a5e0 00000002 000790d8 winlogon!SaveUserProfile+0xb1
0006fcd4 01038bc2 000790d8 0000000b 000790d8 winlogon!Logoff+0x2dc
0006fcfc 01031c7e 000790d8 7c80b741 00000000 winlogon!MainLoop+0x48a
0006ff50 0103e75e 01000000 00000000 00072364 winlogon!WinMain+0x60b
0006fff4 00000000 7ffd8000 000000c8 0000017d winlogon!WinMainCRTStartup+0x174

Windows hangs while saving registry keys. Now I don't have the knowledge to see which key.

But you can run a new xbootmgr trace and add +REGISTRY after POWER to trace registry access. But I don't know if this works for XP :blushing:

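How the STACK_TEXT in the post above leads to "hangs while saving registry keys", as an added example that is not part of the original thread: the top frames belong to the keyboard-forced crash dump (bug check 0xE2, MANUALLY_INITIATED_CRASH), and everything below nt!KiInterruptDispatch is what winlogon was doing when the dump was triggered. The frame list is abridged from the post, and the function names `parse`, `manually_triggered` and `interrupted_chain` are this example's own.

```python
import re

# Abridged copy of the STACK_TEXT posted above, newest frame first.
STACK_TEXT = """\
a6dee9a8 b9b887fb 000000e2 00000000 00000000 nt!KeBugCheckEx+0x1b
a6dee9c4 b9b88033 00867600 018692c6 00000000 i8042prt!I8xProcessCrashDump+0x237
a6deea0c 804db90f 8a70f638 8a867548 03010009 i8042prt!I8042KeyboardInterruptService+0x21c
a6deea0c 80598d5a 8a70f638 8a867548 03010009 nt!KiInterruptDispatch+0x45
a6deead4 80598cdf e3328b60 0000000d 00000040 nt!HvpScanForFreeCellInViewWindow+0x57
a6deeb28 805986d0 e3328b60 00000007 00000040 nt!HvpFindFreeCell+0x98
a6deec54 8065e3bd e2c8f008 00000020 e3328b60 nt!CmpCopySyncTree+0x4f
a6deec88 80656f0d 00000020 80000798 00000003 nt!CmSaveKey+0xde
a6deecb0 804dd99f e2934370 80000798 a6deed54 nt!NtSaveKey+0xcf
0006f85c 77e3c728 00000090 00000780 0115e1d0 ntdll!ZwSaveKey+0xc
0006f8ec 76a1aac8 00000090 0114d008 00000000 ADVAPI32!RegSaveKeyW+0x88
0006fb3c 76a1b5f8 01153240 0115e1d0 00000000 USERENV!CUserProfile::HandleRegKeyLeak+0x1e1
0006fc4c 0102e5e0 000002d4 00000780 00000000 USERENV!UnloadUserProfile+0xcd
0006fc80 0102005d 0007a5e0 00000002 000790d8 winlogon!SaveUserProfile+0xb1
0006fcd4 01038bc2 000790d8 0000000b 000790d8 winlogon!Logoff+0x2dc
"""

# kd frame: ChildEBP, RetAddr, three args, then module!symbol(+offset)
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} ([0-9a-f]{8}) [0-9a-f]{8} "
                   r"[0-9a-f]{8} ([^!\s]+)!(\S+?)(?:\+0x[0-9a-f]+)?$")

def parse(text):
    """Return (first_arg, module, symbol) for each well-formed frame line."""
    hits = (FRAME.match(line.strip()) for line in text.splitlines())
    return [(int(m[1], 16), m[2], m[3]) for m in hits if m]

def manually_triggered(frames):
    """True if the dump was forced: KeBugCheckEx called with code 0xE2."""
    arg, mod, sym = frames[0]
    return (mod, sym, arg) == ("nt", "KeBugCheckEx", 0xE2)

def interrupted_chain(frames):
    """Calls of the thread the keyboard interrupt landed on, oldest first."""
    cut = [i for i, f in enumerate(frames) if f[1:] == ("nt", "KiInterruptDispatch")]
    below = frames[cut[0] + 1:] if cut else frames
    return [f"{mod}!{sym}" for _, mod, sym in reversed(below)]

if __name__ == "__main__":
    frames = parse(STACK_TEXT)
    print("forced dump:", manually_triggered(frames))
    print("\n".join(interrupted_chain(frames)))
```

Read oldest first, the chain runs from winlogon's logoff through the USERENV profile unload and RegSaveKeyW into the kernel's hive cell allocator.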

Hi Andre!

I've uploaded another trace here.

This one has the REGISTRY parameter added.

It seemed to work OK.

It was taken on a normal shutdown, with everything running that's normally running on boot.

I can do another one from a minimal startup if that will make things clearer.

Thanks for sticking with this!

Cheers, Dave.

:)


Based on the winlogon image in #19 by MagicAndre1981, you can get a list of DLLs opened by msgina.dll using ListDLLs v3.1

Then generate a list of DLLs to investigate. Basically, DLLs that are non-MS are highly suspicious.

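@echo off
rem List every process that has msgina.dll loaded
Listdlls -d msgina.dll > Mylist.txt
rem Append the DLLs loaded by winlogon.exe and explorer.exe
Listdlls winlogon.exe >> Mylist.txt
Listdlls explorer.exe >> Mylist.txt
rem Open the combined list in the default text viewer
Start "view now" Mylist.txt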

Also look into services.msc to disable 3rd party applications. (Launch by Start -> Run -> services.msc)

That's all I can think of right now....


The trace shows that one of the latest SetValue calls is this:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1343024091-1757981266-1417001333-500

My last idea is to create a new user profile and if it works there, run the Windows Easy Transfer program to migrate the user data and settings to the new account.
