Vista SP 2 shutdown delays related to Windows security?
Shutting down my wife's Vista PC used to occasionally be delayed by a few minutes to several hours with an application in progress message. That delay is almost daily now and the best I can determine from the event log is that it's MS security auditing that's causing the problem. A partial event log from the 16th shows the user logging off at 10:21 PM, but the system does not stop processing and finally shut down until 11:17 PM.
10:21 User shuts the PC down using the power button from the start menu (not hibernate)
User initiated logoff:
Subject:
Security ID: S-1-5-21-784749126-2002728142-715582954-1000
Account Name: Judy
Account Domain: Gilligan
Logon ID: 0x25d54
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
-
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
EventID 4647
Version 0
Level 0
Task 12545
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T02:21:43.441000000Z
EventRecordID 42496
Correlation
- Execution
[ ProcessID] 232
[ ThreadID] 2320
Channel Security
Computer Gilligan
Security
- EventData
TargetUserSid S-1-5-21-784749126-2002728142-715582954-1000
TargetUserName Judy
TargetDomainName Gilligan
TargetLogonId 0x25d54
11:16:58 the event log stops processing
- System
- Provider
[ Name] Microsoft-Windows-Eventlog
[ Guid] {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
EventID 1100
Version 0
Level 4
Task 103
Opcode 0
Keywords 0x4020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T03:16:57.792800000Z
EventRecordID 42497
Correlation
- Execution
[ ProcessID] 1144
[ ThreadID] 1624
Channel Security
Computer Gilligan
Security
-
UserData
ServiceShutdown
11:16:58
The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
- System
- Provider
[ Name] Microsoft-Windows-Eventlog
[ Guid] {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
EventID 1108
Version 0
Level 2
Task 101
Opcode 0
Keywords 0x4020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T03:16:58.728000000Z
EventRecordID 42498
Correlation
- Execution
[ ProcessID] 1144
[ ThreadID] 3204
Channel Security
Computer Gilligan
Security
- UserData
- EventProcessingFailure
- Error
[ Code] 15007
EventID 4634
PublisherID Microsoft-Windows-Security-Auditing
11:16:58 Time Change
The system time was changed.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Process Information:
Process ID: 0x58c
Name: C:\Windows\System32\svchost.exe
Previous Time: 11:16:58 PM 7/16/2012
New Time: 11:16:58 PM 7/16/2012
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
11:15:58 logoff
An account was logged off.
Subject:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x4bc70
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
EventID 4634
Version 0
Level 0
Task 12545
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T03:16:58.587600000Z
EventRecordID 42500
Correlation
- Execution
[ ProcessID] 232
[ ThreadID] 2668
Channel Security
Computer Gilligan
Security
- EventData
TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON
TargetDomainName NT AUTHORITY
TargetLogonId 0x4bc70
LogonType 3
11:17:06 final logoff and system finally shuts off
An account was logged off.
Subject:
Security ID: S-1-5-21-784749126-2002728142-715582954-1001
Account Name: UpdatusUser
Account Domain: Gilligan
Logon ID: 0x9e38b
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
EventID 4634
Version 0
Level 0
Task 12545
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2012-07-17T03:17:06.528000000Z
EventRecordID 42501
Correlation
- Execution
[ ProcessID] 232
[ ThreadID] 4044
Channel Security
Computer Gilligan
Security
- EventData
TargetUserSid S-1-5-21-784749126-2002728142-715582954-1001
TargetUserName UpdatusUser
TargetDomainName Gilligan
TargetLogonId 0x9e38b
LogonType 5
July 19th, 2012 6:44pm
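Added example, not part of the original post: a small parser that measures the gap between event 4647 (logoff initiated) and the next event 1100 (event logging service shutdown) in exported Security-log XML. The function names and the 2-minute threshold are assumptions; the sample XML is constructed from the EventID, SystemTime and EventRecordID values shown in the post, and SystemTime is UTC while the times written in the post are local.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: only the System fields quoted in the post, rebuilt as event XML.
# A real export carries the xmlns on each <Event>; the parser handles both layouts.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4647</EventID><TimeCreated SystemTime="2012-07-17T02:21:43.441000000Z"/>
  <EventRecordID>42496</EventRecordID></System></Event>
<Event><System><EventID>1100</EventID><TimeCreated SystemTime="2012-07-17T03:16:57.792800000Z"/>
  <EventRecordID>42497</EventRecordID></System></Event>
<Event><System><EventID>4634</EventID><TimeCreated SystemTime="2012-07-17T03:17:06.528000000Z"/>
  <EventRecordID>42501</EventRecordID></System></Event>
</Events>"""

def parse_time(s):
    """SystemTime is UTC with up to 9 fractional digits; datetime keeps the first 6."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=int((frac + "000000")[:6]))

def load_events(xml_text):
    """Extract EventID, EventRecordID and SystemTime from each <Event>, in record order."""
    events = []
    for sysn in ET.fromstring(xml_text).iterfind("e:Event/e:System", NS):
        events.append({"id": int(sysn.findtext("e:EventID", namespaces=NS)),
                       "record": int(sysn.findtext("e:EventRecordID", namespaces=NS)),
                       "time": parse_time(sysn.find("e:TimeCreated", NS).get("SystemTime"))})
    return sorted(events, key=lambda e: e["record"])

def shutdown_gaps(events, threshold=timedelta(minutes=2)):
    """Pair each 4647 with the next 1100 and report how long the shutdown waited."""
    gaps, start = [], None
    for ev in events:
        if ev["id"] == 4647:
            start = ev
        elif ev["id"] == 1100 and start is not None:
            delay = ev["time"] - start["time"]
            gaps.append({"logoff": start["time"], "delay": delay,
                         "records_between": ev["record"] - start["record"] - 1,
                         "slow": delay > threshold})
            start = None
    return gaps

if __name__ == "__main__":
    for g in shutdown_gaps(load_events(SAMPLE)):
        print(g["logoff"].isoformat(), g["delay"], g["records_between"], g["slow"])
```

For the records above, records_between is 0: the Security channel wrote nothing between the logoff and the log service stopping, so this channel by itself does not show what the system was waiting on during the gap.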