Slow Shutdown Troubleshooting

[Dave-H]

the trace shows that one of the latest SetValue calls is this:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1343024091-1757981266-1417001333-500

My last idea is to create a new user profile and if it works there, run the Windows Easy Transfer program to migrate the user data and settings to the new account.

Well I'd already tried making another profile, which I then deleted, but I did it again and made a profile called "Admin".

As before, that does not have the slow shutdown problem, although it does have all the "All Users" drivers loaded and processes running of course.

I will keep it this time as it will aid troubleshooting to have a good profile to compare with the faulty one.

One of the things not apparently running in "Admin" is Windows Search, so I tried resetting that and re-indexing as you suggested earlier. Unfortunately no difference.

Base on winlogon image in #19 by MagicAndre1981, you can get a list of dlls opened by msgina.dll using ListDLLs v3.1

Then generate a list of dlls to investiage. Basically, dlls that are non-MS is highly suspicious.

@echo off
Listdlls -d msgina.dll>Mylist.txt
Listdlls winlogon.exe>>Mylist.txt
Listdlls explorer.exe>>Mylist.txt
Start "view now" Mylist.txt

Also look into services.msc to disable 3rd party applications. (Launch by Start -> Run -> services.msc)

That all I can think right now....

Thanks Geej!

I ran the ListDLLs utility using the parameters you suggested, both using my normal "Dave" profile, and the new "Admin" profile mentioned above.

The Dave one is here -

DLLlistDave.txt

and the Admin one is here -

DLLlistAdmin.txt

I'm not sure exactly what they show, but I was surprised how similar they are.

Anything catch your eye as being out of the ordinary?

[MagicAndre1981]

can you try to migrate the user setting/data to the new account?

[Dave-H]

can you try to migrate the user setting/data to the new account?

Well, because I've decided to probably keep the "Admin" profile permanently for future troubleshooting purposes, I made a new temporary profile called "Temp".

It shut down fine too.

I then copied my "Dave" profile over to it, and it no longer shuts down properly!

After a long and laborious process of substituting profile folders from the "Admin" folder to the "Test" folder, it turns out that the file substitution which clears the problem is simply "NTUSER.DAT"!

If i put the file from the "Admin" folder into the "Test" folder, "Test" then shuts down fine.

With its normal file, it doesn't.

Now my understanding is that this file is the registry data for that user, which makes me wonder why using Registry Workshop to restore a copy of the registry from before the problem appeared didn't make the problem go away.

I can only assume that this file isn't backed up by Registry Workshop, which isn't good news!

Anyway, it now does look like the problem is in the registry after all, but how on earth do I find out where it is?!

I was surprised at the huge difference in the size of the NTUSER.DAT files.

The one from the "clean" profile "Admin" is 1.25 MB. The one from the faulty profile is 14.5 MB!

Presumably it's not this causing the problem?

I thought that registry size was not an issue with XP.

[cluberti]

is it allowed to redistribute the files outside the SDK/WPT setup?

Actually, the WPT and it's contents are apparently redist friendly after reading the EULA. Odd, but it seems, true.

[dencorso]

You can use Nuno Brito's handy RawReg to peruse unmounted registry hives, like NTUSER.DATs from other profiles than the one currently logged on. RawReg also should let you modify them, but that doesn't always work, in the current version, so If you need to do that, use Erwan.L's offlinereg instead, althought it's less user friendly.

[Geej]

I'm not sure exactly what they show, but I was surprised how similar they are.

Anything catch your eye as being out of the ordinary?

I have re-sort the list in Excel so that you might a better view between the file difference for the 2 users account (Dave & Admin).

CompareDLL.zip

In the Excel sheet, look at the Compare tab.

For example, (Dave in D:\WIN-NT\Explorer.EXE process) the following files are what Dave account have and Admin account don't have.

dot3dlg.dll
MCPS.DLL
MSISIP.DLL
OneX.DLL
pwrshsip.dll
WINSTA.dll
wmpband.dll
wshext.dll
xapauthenticodesip.dll   (related to silverlight)

To help you find these files at large in your system, I suggest install Everything Search Tool.

Just copy & paste the file name in it's GUI. Very fast search. Instant.

(Everything Search tool is for NTFS drive only, useful only for User with admin-right.)

Other thoughts:

One of the possible cause: ClearPageFileAtShutdown

Understand a bit about shutdown

Meanwhile, here are some info if you wish to apply some tweak to speedup shutdown.

Perhaps try to reduce your NTUSER.dat file size by using CCleaner to scan your registry for rubbish/junk entries. (Observe Pre /post file size if you want to clean them, made a backup registry first.)

Have a batch file to monitor the filesize of NTUSER.dat over a period of time everytime you logon and logout.Record to a text file as log file. If file size exceed certain size, say 20%, then you know some special / unusual activity has taken place. So that you can be alert to investigate. (Just an idea...not really sure if it is practical)

[MagicAndre1981]

After a long and laborious process of substituting profile folders from the "Admin" folder to the "Test" folder, it turns out that the file substitution which clears the problem is simply "NTUSER.DAT"!

The one from the "clean" profile "Admin" is 1.25 MB. The one from the faulty profile is 14.5 MB!

Presumably it's not this causing the problem?

I thought that registry size was not an issue with XP.

my ntuser.dat is 16MB under Windows 7 and I have no issue. The size is not important. Maybe on registry hive is damaged. Logon to an admin account that works, run regedit.exe and export the user hive from your old "broken" account into a .reg file, delete all unneded entries and import it into the new account.

Actually, the WPT and it's contents are apparently redist friendly after reading the EULA. Odd, but it seems, true.

ok, interesting.

[Dave-H]

@ Geej

Thanks very much for going to all that trouble!

I'd got most of those entries that were in "Dave" but not in "Admin" by much more laborious methods than using Excel!

I had identified -

MCPS.DLL

MSISIP.DLL

pwrshsip.dll

wmpband.dll

wshext.dll

xapauthenticodesip.dll

I had missed -

dot3dlg.dll

OneX.DLL

WINSTA.dll

There's also TMAS_OEHook.dll, which was on my list but not yours.

That's part of Trend Internet Security.

xapauthenticodesip.dll is part of Silverlight, as you say.

pwrshsip.dll is part of Windows Powershell.

I'm looking at other options at the moment, based on it probably being a problem with something that's being referenced in the user registry.

@MagicAndre1981

I've been going through the HKEY_CURRENT_USER section in the registry, removing things to see if I can identify what key or keys is generating the problem.

I've deleted huge chunks, most of the SOFTWARE section for instance, and it makes no difference so far.

I now have a NTUSER.DAT file which is only 6.29 MB in size, and the problem is still there, so you are quite right about it not being a registry size issue.

I will keep at it and hope that eventually I'll get a normal shutdown and I can then identify which section of the user registry i need to investigate.

[Dave-H]

Not good news.

It appears that I was fooling myself when I assumed that the cause of the problem was just in my user profile.

After a lot of experimenting with different profiles, I discovered that the problem is in fact happening on every shutdown or logoff, regardless of which profile is loaded!

I was being fooled by the fact that using the "Admin" profile, for instance, the logoff/shutdown does not hang on "saving your settings" like it does on my normal "Dave" profile.

It is still writing event 1517 messages into the Application Event Log though, so it is still happening.

I suspect that it isn't noticeably hanging as the "Admin" profile is so much smaller than the "Dave" profile.

So, now what?

The cause could be absolutely anywhere..........

Edited August 2, 2011 by Dave-H

[dencorso]

Other thoughts:

One of the possible cause: ClearPageFileAtShutdown

Understand a bit about shutdown

Meanwhile, here are some info if you wish to apply some tweak to speedup shutdown.

Never mind Event 1517 for the time being. Did you go through all the steps in those links in the above quote?

Also, did you read this? Can it be relevant?

[MagicAndre1981]

So, now what?

The cause could be absolutely anywhere..........

run chkdsk C: /r /f and sfc /scannow to detect and fix hard drive issue and defect Windows files.

[Dave-H]

Well I have good news.

The problem seems to have gone!

Unfortunately, as is often the way with this sort of thing in my experience, I'm not 100% sure exactly why it has gone away.

I restored everything back to how it was before I started messing around with extra profiles.

I restored a version of the registry from before I made the "Admin" or "Test" profiles, and deleted their user folders.

As I expected the problem was still there of course, as the problem was there when the registry backup was made.

I then decided to clean the registry of any references to other profiles, and there was one old key, generated by Rapport, that had always referenced the non-existent "Admin" profile, which I think is a profile that is on most XP machines as one of the defaults.

Now Rapport protects all its files and registry keys from alteration or deletion, as all good security programs do, and I've never had any luck modifying this key before.

I decided to try in Safe Mode, which for some reason I'd never done before, and was surprised to find that I could now modify the key to reference the "Dave" profile instead of "Admin".

After that I rebooted, and on the next reboot, the system shut down normally, and the error events had gone!

The key in question referred to one of Rapport's services, RapportPG.

I have no idea what that service does.

Whether doing that profile path correction cured the problem I really can't be sure.

I'm certainly not going to put it back as it was before to find out now it's working properly again!

I just can't believe it was that simple to cure the problem, as that registry key with the incorrect path had been there for weeks and weeks before the slow shutdown problem appeared.

Again one of those things that we'll never know, but I'll certainly be looking out for the problem re-appearing, and making sure that it isn't there before I do any system backups in the future!

As always, many thanks to all the people who helped out with this issue.

This forum is the greatest!

Edited August 3, 2011 by Dave-H

[MagicAndre1981]

have you used this tool?

http://www.trusteer.com/product/trusteer-rapport

[Dave-H]

have you used this tool?

http://www.trusteer.com/product/trusteer-rapport

Yes, that's exactly the program I'm talking about.

Been on the machine for quite some time now, in fact since soon after I upgraded from Windows 2000 to Windows XP (it doesn't work on Windows 2000).

Never caused a problem, although that mystery registry key that was pointing to a non-existent profile folder has always niggled me.

Whether finally fixing the path made the slow shutdown problem go away I have no idea, but the problem did seem to spontaneously disappear after I fixed it.

Of course i did have to go into Safe Mode to fix it, so maybe that had an effect, although I'd been into Safe Mode before with no apparent effect on the problem.

I have a feeling that we'll never know for sure what the cause and cure were.

Don't you just love computers!

[Geej]

Glad you made it. But as part of 'post-mortem' review on the general troubleshooting step taken, I am curious to know if you have shutdown 3rd party services as I suggested in #29 when you are trouble-shooting all this while.