Vista SP 2 shutdown delays related to Windows security?
Shutting down my wife's Vista PC used to occasionally be delayed by a few minutes to several hours with an application in progress message. That delay is almost daily now, and the best I can determine from the event log is that it's MS security auditing that's causing the problem. A partial event log from the 16th shows the user logging off at 10:21 PM, but the system does not stop processing and finally shut down until 11:17 PM.

10:21 User shuts the PC down using the power button from the start menu (not hibernate)

User initiated logoff:
Subject:
  Security ID: S-1-5-21-784749126-2002728142-715582954-1000
  Account Name: Judy
  Account Domain: Gilligan
  Logon ID: 0x25d54
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

-
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
  EventID 4647
  Version 0
  Level 0
  Task 12545
  Opcode 0
  Keywords 0x8020000000000000
  - TimeCreated
    [ SystemTime] 2012-07-17T02:21:43.441000000Z
  EventRecordID 42496
  Correlation
  - Execution
    [ ProcessID] 232
    [ ThreadID] 2320
  Channel Security
  Computer Gilligan
  Security
- EventData
  TargetUserSid S-1-5-21-784749126-2002728142-715582954-1000
  TargetUserName Judy
  TargetDomainName Gilligan
  TargetLogonId 0x25d54

11:16:58 the event log stops processing

- System
  - Provider
    [ Name] Microsoft-Windows-Eventlog
    [ Guid] {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
  EventID 1100
  Version 0
  Level 4
  Task 103
  Opcode 0
  Keywords 0x4020000000000000
  - TimeCreated
    [ SystemTime] 2012-07-17T03:16:57.792800000Z
  EventRecordID 42497
  Correlation
  - Execution
    [ ProcessID] 1144
    [ ThreadID] 1624
  Channel Security
  Computer Gilligan
  Security
- UserData
  ServiceShutdown

11:16:58 The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.

- System
  - Provider
    [ Name] Microsoft-Windows-Eventlog
    [ Guid] {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
  EventID 1108
  Version 0
  Level 2
  Task 101
  Opcode 0
  Keywords 0x4020000000000000
  - TimeCreated
    [ SystemTime] 2012-07-17T03:16:58.728000000Z
  EventRecordID 42498
  Correlation
  - Execution
    [ ProcessID] 1144
    [ ThreadID] 3204
  Channel Security
  Computer Gilligan
  Security
- UserData
  - EventProcessingFailure
    - Error
      [ Code] 15007
    EventID 4634
    PublisherID Microsoft-Windows-Security-Auditing

11:16:58 Time Change

The system time was changed.
Subject:
  Security ID: LOCAL SERVICE
  Account Name: LOCAL SERVICE
  Account Domain: NT AUTHORITY
  Logon ID: 0x3e5
Process Information:
  Process ID: 0x58c
  Name: C:\Windows\System32\svchost.exe
Previous Time: 11:16:58 PM 7/16/2012
New Time: 11:16:58 PM 7/16/2012
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

11:15:58 logoff

An account was logged off.
Subject:
  Security ID: ANONYMOUS LOGON
  Account Name: ANONYMOUS LOGON
  Account Domain: NT AUTHORITY
  Logon ID: 0x4bc70
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

- System
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
  EventID 4634
  Version 0
  Level 0
  Task 12545
  Opcode 0
  Keywords 0x8020000000000000
  - TimeCreated
    [ SystemTime] 2012-07-17T03:16:58.587600000Z
  EventRecordID 42500
  Correlation
  - Execution
    [ ProcessID] 232
    [ ThreadID] 2668
  Channel Security
  Computer Gilligan
  Security
- EventData
  TargetUserSid S-1-5-7
  TargetUserName ANONYMOUS LOGON
  TargetDomainName NT AUTHORITY
  TargetLogonId 0x4bc70
  LogonType 3

11:17:06 final logoff and system finally shuts off

An account was logged off.
Subject:
  Security ID: S-1-5-21-784749126-2002728142-715582954-1001
  Account Name: UpdatusUser
  Account Domain: Gilligan
  Logon ID: 0x9e38b
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

- System
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
  EventID 4634
  Version 0
  Level 0
  Task 12545
  Opcode 0
  Keywords 0x8020000000000000
  - TimeCreated
    [ SystemTime] 2012-07-17T03:17:06.528000000Z
  EventRecordID 42501
  Correlation
  - Execution
    [ ProcessID] 232
    [ ThreadID] 4044
  Channel Security
  Computer Gilligan
  Security
- EventData
  TargetUserSid S-1-5-21-784749126-2002728142-715582954-1001
  TargetUserName UpdatusUser
  TargetDomainName Gilligan
  TargetLogonId 0x9e38b
  LogonType 5
July 18th, 2012 12:28pm
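
The timing comparison made by hand in the post above can be scripted. This is an added example, not part of the original thread: the function name Get-ShutdownDelay, its parameters and the 5-second window for event 1108 are assumptions, and the sample records use only the event IDs and UTC timestamps quoted in the post.

```powershell
# Pair each user-initiated logoff (4647) with the next event log service
# shutdown (1100) and report how long the machine kept running in between.
function Get-ShutdownDelay {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,  # objects with Id and TimeCreated
        [int] $MaxGapHours = 12   # assumption: skip logoffs not followed by a shutdown
    )
    $sorted = @($Events | Sort-Object TimeCreated)
    foreach ($start in ($sorted | Where-Object { $_.Id -eq 4647 })) {
        # The first 1100 after this logoff marks the end of the shutdown sequence.
        $stop = $sorted |
            Where-Object { $_.Id -eq 1100 -and $_.TimeCreated -gt $start.TimeCreated } |
            Select-Object -First 1
        if (-not $stop) { continue }
        $delay = $stop.TimeCreated - $start.TimeCreated
        if ($delay.TotalHours -gt $MaxGapHours) { continue }
        # 1108 (event processing failure) can be written just after 1100,
        # so count it up to a few seconds past the stop marker.
        $limit = $stop.TimeCreated.AddSeconds(5)
        $failures = @($sorted | Where-Object {
            $_.Id -eq 1108 -and $_.TimeCreated -ge $start.TimeCreated -and
            $_.TimeCreated -le $limit
        }).Count
        New-Object psobject -Property @{
            LogoffInitiated = $start.TimeCreated
            EventLogStopped = $stop.TimeCreated
            DelayMinutes    = [math]::Round($delay.TotalMinutes, 1)
            LoggingFailures = $failures
        } | Select-Object LogoffInitiated, EventLogStopped, DelayMinutes, LoggingFailures
    }
}

# Sample records built from the three timestamps quoted in the post.
$sample = @(
    New-Object psobject -Property @{ Id = 4647; TimeCreated = [datetime]'2012-07-17T02:21:43.441Z' }
    New-Object psobject -Property @{ Id = 1100; TimeCreated = [datetime]'2012-07-17T03:16:57.7928Z' }
    New-Object psobject -Property @{ Id = 1108; TimeCreated = [datetime]'2012-07-17T03:16:58.728Z' }
)
Get-ShutdownDelay -Events $sample

# On a live system, from an elevated prompt, feed it the Security log instead:
# Get-ShutdownDelay -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4647, 1100, 1108 })
```

Running it across several days of the Security log shows whether the long gap appears on every shutdown or only on some, which helps when comparing behaviour before and after a configuration change.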

Hi,

Thanks for posting in Microsoft TechNet forums.

Please understand that this forum is for Windows Server system and this issue is more related to Windows Vista client. I suggest we post this issue at our Windows Vista IT Pro forum. There you can get more effective suggestions from other experts who are familiar with the Windows Vista system. Your understanding is appreciated.

Windows Vista IT Pro
http://social.technet.microsoft.com/Forums/en/category/windowsvistaitpro

In the meantime, here is an article regarding Microsoft-Windows-Security-Auditing in Windows Vista:

Enable Auditing for Security Events on Windows Vista Systems
http://technet.microsoft.com/en-us/magazine/dd365937.aspx

We can check this article and try disabling auditing as a test.

Hope the information can be useful to you.

Regards
Kevin
July 19th, 2012 2:10am

