Vista SP 2 shutdown delays related to Windows security?
Shutting down my wife's Vista PC used to occasionally be delayed by a few minutes to several hours with an application in progress message. That delay is almost daily now and the best I can determine from the event log is that it's MS security auditing that's causing the problem. A partial event log from the 16th shows the user logging off at 10:21 PM but the system does not stop processing and finally shut down until 11:17 PM.
10:21 User shuts the PC down using the power button from the start menu (not hibernate)
User initiated logoff:
Subject:
Security ID: S-1-5-21-784749126-2002728142-715582954-1000
Account Name: Judy
Account Domain: Gilligan
Logon ID: 0x25d54
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
-
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
EventID 4647
Version 0
Level 0
Task 12545
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T02:21:43.441000000Z
EventRecordID 42496
Correlation
- Execution
[ ProcessID] 232
[ ThreadID] 2320
Channel Security
Computer Gilligan
Security
- EventData
TargetUserSid S-1-5-21-784749126-2002728142-715582954-1000
TargetUserName Judy
TargetDomainName Gilligan
TargetLogonId 0x25d54
11:16:58 the event log stops processing
- System
- Provider
[ Name] Microsoft-Windows-Eventlog
[ Guid] {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
EventID 1100
Version 0
Level 4
Task 103
Opcode 0
Keywords 0x4020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T03:16:57.792800000Z
EventRecordID 42497
Correlation
- Execution
[ ProcessID] 1144
[ ThreadID] 1624
Channel Security
Computer Gilligan
Security
-
UserData
ServiceShutdown
11:16:58
The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
- System
- Provider
[ Name] Microsoft-Windows-Eventlog
[ Guid] {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
EventID 1108
Version 0
Level 2
Task 101
Opcode 0
Keywords 0x4020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T03:16:58.728000000Z
EventRecordID 42498
Correlation
- Execution
[ ProcessID] 1144
[ ThreadID] 3204
Channel Security
Computer Gilligan
Security
- UserData
- EventProcessingFailure
- Error
[ Code] 15007
EventID 4634
PublisherID Microsoft-Windows-Security-Auditing
11:16:58 Time Change
The system time was changed.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Process Information:
Process ID: 0x58c
Name: C:\Windows\System32\svchost.exe
Previous Time: 11:16:58 PM 7/16/2012
New Time: 11:16:58 PM 7/16/2012
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
11:15:58 logoff
An account was logged off.
Subject:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x4bc70
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
EventID 4634
Version 0
Level 0
Task 12545
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T03:16:58.587600000Z
EventRecordID 42500
Correlation
- Execution
[ ProcessID] 232
[ ThreadID] 2668
Channel Security
Computer Gilligan
Security
- EventData
TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON
TargetDomainName NT AUTHORITY
TargetLogonId 0x4bc70
LogonType 3
11:17:06 final logoff and system finally shuts off
An account was logged off.
Subject:
Security ID: S-1-5-21-784749126-2002728142-715582954-1001
Account Name: UpdatusUser
Account Domain: Gilligan
Logon ID: 0x9e38b
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
EventID 4634
Version 0
Level 0
Task 12545
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T03:17:06.528000000Z
EventRecordID 42501
Correlation
- Execution
[ ProcessID] 232
[ ThreadID] 4044
Channel Security
Computer Gilligan
Security
- EventData
TargetUserSid S-1-5-21-784749126-2002728142-715582954-1001
TargetUserName UpdatusUser
TargetDomainName Gilligan
TargetLogonId 0x9e38b
LogonType 5
July 18th, 2012 12:28pm
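The manual correlation in the post above (4647 logoff initiated, then 1100 event log stopped, with 1108 errors and 4634 logoffs around it) can be scripted to show how often and how long the shutdown stalls. This is an added example, not part of the original thread; the look-back period and grace window are assumed values, and `Properties[1]` relies on the EventData field order shown in the post.

```powershell
# Added example, not from the thread. Run elevated: reading the Security log needs admin rights.
$lookbackDays = 14   # assumption: how far back to search
$graceSeconds = 60   # assumption: events logged this long after 1100 still belong to the shutdown

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4647, 4634, 1100, 1108
    StartTime = (Get-Date).AddDays(-$lookbackDays)
} | Sort-Object TimeCreated

$logoffs = $events | Where-Object { $_.Id -eq 4647 }   # user initiated logoff
$stops   = $events | Where-Object { $_.Id -eq 1100 }   # event logging service shut down

$report = foreach ($logoff in $logoffs) {
    # First event-log shutdown after this logoff
    $stop = $stops | Where-Object { $_.TimeCreated -gt $logoff.TimeCreated } | Select-Object -First 1
    if (-not $stop) { continue }

    # Skip a plain logoff (no shutdown): a later 4647 occurs before the next 1100
    $later = $logoffs | Where-Object {
        $_.TimeCreated -gt $logoff.TimeCreated -and $_.TimeCreated -lt $stop.TimeCreated
    }
    if ($later) { continue }

    $end    = $stop.TimeCreated.AddSeconds($graceSeconds)
    $window = $events | Where-Object {
        $_.TimeCreated -ge $logoff.TimeCreated -and $_.TimeCreated -le $end
    }

    # Accounts whose sessions were destroyed (4634) during the wait; Properties[1] is TargetUserName
    $accounts = $window | Where-Object { $_.Id -eq 4634 } |
        ForEach-Object { $_.Properties[1].Value } | Sort-Object -Unique

    New-Object PSObject -Property @{
        LogoffInitiated = $logoff.TimeCreated
        EventLogStopped = $stop.TimeCreated
        DelayMinutes    = [math]::Round(($stop.TimeCreated - $logoff.TimeCreated).TotalMinutes, 1)
        Errors1108      = @($window | Where-Object { $_.Id -eq 1108 }).Count
        SessionsClosed  = $accounts -join ', '
    }
}

$report | Sort-Object DelayMinutes -Descending |
    Format-Table LogoffInitiated, EventLogStopped, DelayMinutes, Errors1108, SessionsClosed -AutoSize
```

A row with a large DelayMinutes and the same accounts in SessionsClosed on every occurrence points at the sessions (such as service logons, Logon Type 5) that are still open while the shutdown waits.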
Hi,
Thanks for posting in Microsoft TechNet forums.
Please understand that this forum is for Windows Server system and this issue is more related to Windows Vista client.
I suggest we post this issue at our Windows Vista IT Pro forum. There you can get more effective suggestions from other experts who are familiar with the Windows Vista system. Your understanding is appreciated.
Windows Vista IT Pro
http://social.technet.microsoft.com/Forums/en/category/windowsvistaitpro
In the meantime, here is an article regarding Microsoft-Windows-Security-Auditing in Windows Vista:
Enable Auditing for Security Events on Windows Vista Systems
http://technet.microsoft.com/en-us/magazine/dd365937.aspx
We can check this article and try disabling auditing as a test.
Hope the information can be useful to you.
Regards
Kevin
July 19th, 2012 2:10am