High disk activity at lengthy Win 8.1 shutdown

After issuing the Shutdown command, the PC at times shuts down fast, but at times hangs for 15-20 min with high disk activity and a blue shutdown screen showing the "Shutting down" message. No defrag, virus scan, or media DB scan job is scheduled at shutdown, auto defrag is turned off, system restore files and pagefile are relatively small, hibernation is off, Windows Update is set to Manual download, no Bluetooth & WiFi devices connected & installed.

Any way to log & find out what exactly the PC is doing during that long shutdown time? Maybe updating the Windows Search DB or such? How to identify what program causes that activity at shutdown, while having no access to the screen and no way to enter any command during shutdown? What events to look for in Event Viewer after restart to analyze that?

Can Procmon record shutdown process activities to a file? Or what utility can help record & analyze shutdown activities? Does Windows 8.1 automatically create a shutdown log saved anywhere, or how to make it log & troubleshoot shutdown process?

At times I have to stop endless shutdown by PC Power or Restart hardware buttons. How to find out, if it resulted in any damage to app or system files, and what files were affected?

I don't ask for now how to make the system shut down faster. Just want to find out what exactly causes the periodic shutdown slowdown. After all, it may be malware, though a suggestion for a virus scan is trivial. Please advise on shutdown process monitoring tools and methods, or how would you approach the issue?

  • Edited by sambul13 Sunday, May 25, 2014 4:20 PM
May 25th, 2014 5:08am

Found a few tools to look at shutdown delays:

In Event Viewer:

open Applications and Services - Microsoft - Windows - Diagnostics-Performance - Operational

look for Shutdown Performance Monitoring, i.e. events 200 and 203. They identify time delay and what process caused it. Record not available, if you restarted the PC by hardware power button.

However, the previous records show they don't seem to relate to high and lengthy hard drive activity during shutdown. The impression is, required records are missing. Any other analysis tools & suggestions? Any way to find out if certain events were blocked from being recorded to the log or filtered from it?

Good example of using Process Monitor for tracing is offered by Mark Russinovich:

The Case of the Veeerrry Slow Logons

Someone is also offering help with using tools from Windows Performance Toolkit (WPT) for that:

Trace why Windows 8 boots, shutdowns or hibernates slowly

and the reference resource on using the WPA tool from the Toolkit.

Since PC shutdown times may vary greatly over time as in my case, one would need to schedule running traces at each shutdown with Windows Task Scheduler, running them instead of a regular shutdown command. Recorded trace .etl files can then be visually analysed using the GUI based Windows Performance Analyzer (WPA) supplied with the WPT. One can also analyse traces with Xperfview from WPT, or with a standalone Perfview. This would help to identify the processes and activities affecting system shutdown time the most. The same approach can be used to analyse boot, standby & wakeup, hibernate times.

WP Toolkit also includes GUI based Windows Performance Recorder (WPR) that one can start manually or via Task Scheduler to record any installed packages activities and interactions during a Windows session.


  • Edited by sambul13 15 hours 25 minutes ago
May 25th, 2014 7:19pm
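
The Event Viewer lookup described in the post above can also be scripted after the next boot. This is an added example, not part of the original thread; it reads events 200 and 203 from the Diagnostics-Performance log named in the post and prints every data field each event carries, without assuming particular field names (an elevated prompt may be needed to read this log).

```powershell
# Added example: dump shutdown-performance events 200 and 203 with all of their
# EventData fields, so slow shutdowns can be compared across several sessions.
$logName = 'Microsoft-Windows-Diagnostics-Performance/Operational'

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 200, 203 } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    # Matches the behaviour noted in the post: nothing is logged for a shutdown
    # that was interrupted with the hardware power or reset button.
    Write-Warning "No events 200/203 found in $logName."
    return
}

$rows = foreach ($ev in $events) {
    # The rendered message depends on locale, so read the raw XML payload instead.
    $xml = [xml]$ev.ToXml()
    $row = [ordered]@{
        TimeCreated = $ev.TimeCreated
        Id          = $ev.Id
    }
    foreach ($d in $xml.Event.EventData.Data) {
        # Field names are taken from the event itself, not hard-coded here.
        $row[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$row
}

# Oldest first, one block per event; pipe to Export-Csv instead to keep a history.
$rows | Sort-Object TimeCreated | Format-List
```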

Have you looked into the Event Viewer for those events that were created after the shutdown was initiated?

Cheers.

May 26th, 2014 7:12am

Unfortunately, last time I just Restarted it by a PC button after waiting 20 min looking at high disk activity without a certain repeat LED pattern typical for a bug, being concerned that either a trojan or someone searches through PC disks over web, so no log was left in Event Viewer for this shutdown, probably because the log is left after event is completed to record its duration. Next time will do... :)
  • Edited by sambul13 Monday, May 26, 2014 2:28 PM
May 26th, 2014 5:22pm

I did some traces and found some delaying activities at shutdown. Like svchost.exe takes quite some time to close. But such a generic process usually runs multiple system activities, and it's not detailed in the trace, so what activity within the process actually takes that long to complete? Besides, I've several svchost.exe processes running in the system simultaneously, each serving a set of different activities. Also, any malware can hide in a generic svchost.exe process among other activities run by it. Are there any analysis tools offering more details about what actually goes on with such a generic process during shutdown?

Suppose a process like svchost.exe is identified that slows the system down. How can I find which one of several svchost.exe processes? And what can I do about it to improve shutdown speed?

Another culprit is the dataserv.exe process extending shutdown and boot times almost twice in my system. The process maintains a USB link between the PC and the APC Power Supply. So what should I do - switch it off, basically get rid of the APC - hardly makes sense... Can probably set a delayed start for it, but... how to close it ahead of actual shutdown, and would it make sense given its nature?


  • Edited by sambul13 Friday, May 30, 2014 3:15 PM
May 30th, 2014 6:05pm
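
One way to tell the several svchost.exe instances apart, given the PID reported in a trace: list each instance with its command line, the services it hosts, and whether its image sits in the expected system directory. This is an added example, not part of the original thread; the output column names are chosen here, and the command line may come back empty without elevation.

```powershell
# Added example: map every running svchost.exe instance to the services it hosts.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # 32-bit host on 64-bit Windows
)

$hosts    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$services = Get-CimInstance Win32_Service -Filter "State = 'Running'"

$report = foreach ($p in ($hosts | Sort-Object ProcessId)) {
    # Services whose host process is this particular svchost.exe instance.
    $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId }

    [pscustomobject]@{
        ProcessId      = $p.ProcessId
        # The -k argument in the command line names the service group of the instance.
        CommandLine    = $p.CommandLine
        ExecutablePath = $p.ExecutablePath
        # A svchost.exe image outside the system directories deserves a closer look.
        PathAsExpected = $expected -contains $p.ExecutablePath
        # An instance that hosts no running service is also worth checking.
        Services       = ($hosted | ForEach-Object { $_.Name }) -join ', '
    }
}

$report | Format-List
```

Match the ProcessId column against the PID shown for the slow svchost.exe in the trace to see which services that instance was stopping.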

This topic is archived. No further replies will be accepted.
