Vista SP 2 shutdown delays related to Windows security?
Shutting down my wife's Vista PC used to occasionally be delayed by a few minutes to several hours with an application in progress message. That delay is almost daily now and the best I can determine from the event log is that it's MS security auditing that's causing the problem. A partial event log from the 16th shows the user logging off at 10:21 PM, but the system does not stop processing and finally shut down until 11:17 PM.

10:21 User shuts the PC down using the power button from the start menu (not hibernate)

User initiated logoff:
Subject:
    Security ID: S-1-5-21-784749126-2002728142-715582954-1000
    Account Name: Judy
    Account Domain: Gilligan
    Logon ID: 0x25d54
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

-
  - Provider
      [ Name] Microsoft-Windows-Security-Auditing
      [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
    EventID 4647
    Version 0
    Level 0
    Task 12545
    Opcode 0
    Keywords 0x8020000000000000
  - TimeCreated
      [ SystemTime] 2012-07-17T02:21:43.441000000Z
    EventRecordID 42496
    Correlation
  - Execution
      [ ProcessID] 232
      [ ThreadID] 2320
    Channel Security
    Computer Gilligan
    Security
- EventData
    TargetUserSid S-1-5-21-784749126-2002728142-715582954-1000
    TargetUserName Judy
    TargetDomainName Gilligan
    TargetLogonId 0x25d54

11:16:58 the event log stops processing

- System
  - Provider
      [ Name] Microsoft-Windows-Eventlog
      [ Guid] {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
    EventID 1100
    Version 0
    Level 4
    Task 103
    Opcode 0
    Keywords 0x4020000000000000
  - TimeCreated
      [ SystemTime] 2012-07-17T03:16:57.792800000Z
    EventRecordID 42497
    Correlation
  - Execution
      [ ProcessID] 1144
      [ ThreadID] 1624
    Channel Security
    Computer Gilligan
    Security
- UserData
    ServiceShutdown

11:16:58 The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.

- System
  - Provider
      [ Name] Microsoft-Windows-Eventlog
      [ Guid] {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
    EventID 1108
    Version 0
    Level 2
    Task 101
    Opcode 0
    Keywords 0x4020000000000000
  - TimeCreated
      [ SystemTime] 2012-07-17T03:16:58.728000000Z
    EventRecordID 42498
    Correlation
  - Execution
      [ ProcessID] 1144
      [ ThreadID] 3204
    Channel Security
    Computer Gilligan
    Security
- UserData
  - EventProcessingFailure
    - Error
        [ Code] 15007
      EventID 4634
      PublisherID Microsoft-Windows-Security-Auditing

11:16:58 Time Change

The system time was changed.
Subject:
    Security ID: LOCAL SERVICE
    Account Name: LOCAL SERVICE
    Account Domain: NT AUTHORITY
    Logon ID: 0x3e5
Process Information:
    Process ID: 0x58c
    Name: C:\Windows\System32\svchost.exe
Previous Time: 11:16:58 PM 7/16/2012
New Time: 11:16:58 PM 7/16/2012
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

11:15:58 logoff

An account was logged off.
Subject:
    Security ID: ANONYMOUS LOGON
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x4bc70
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

- System
  - Provider
      [ Name] Microsoft-Windows-Security-Auditing
      [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
    EventID 4634
    Version 0
    Level 0
    Task 12545
    Opcode 0
    Keywords 0x8020000000000000
  - TimeCreated
      [ SystemTime] 2012-07-17T03:16:58.587600000Z
    EventRecordID 42500
    Correlation
  - Execution
      [ ProcessID] 232
      [ ThreadID] 2668
    Channel Security
    Computer Gilligan
    Security
- EventData
    TargetUserSid S-1-5-7
    TargetUserName ANONYMOUS LOGON
    TargetDomainName NT AUTHORITY
    TargetLogonId 0x4bc70
    LogonType 3

11:17:06 final logoff and system finally shuts off

An account was logged off.
Subject:
    Security ID: S-1-5-21-784749126-2002728142-715582954-1001
    Account Name: UpdatusUser
    Account Domain: Gilligan
    Logon ID: 0x9e38b
Logon Type: 5
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

- System
  - Provider
      [ Name] Microsoft-Windows-Security-Auditing
      [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
    EventID 4634
    Version 0
    Level 0
    Task 12545
    Opcode 0
    Keywords 0x8020000000000000
  - TimeCreated
      [ SystemTime] 2012-07-17T03:17:06.528000000Z
    EventRecordID 42501
    Correlation
  - Execution
      [ ProcessID] 232
      [ ThreadID] 4044
    Channel Security
    Computer Gilligan
    Security
- EventData
    TargetUserSid S-1-5-21-784749126-2002728142-715582954-1001
    TargetUserName UpdatusUser
    TargetDomainName Gilligan
    TargetLogonId 0x9e38b
    LogonType 5
July 19th, 2012 6:44pm
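
The timeline in the post can be measured rather than read by eye. The following is an added example, not part of the original post: it pairs each user-initiated logoff (event 4647) with the next event-log shutdown (event 1100) and lists the sessions that only logged off (event 4634) after that. It assumes the Security log was exported as XML and wrapped in a single `<Events>` root; the sample records are constructed from the IDs, times and account names quoted above, and the function names and the two-minute threshold are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
X = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'

# Constructed sample: trimmed records built from the values quoted in the post.
SAMPLE = f"""<Events>
<Event {X}><System><EventID>4647</EventID><TimeCreated SystemTime="2012-07-17T02:21:43.441000000Z"/></System><EventData><Data Name="TargetUserName">Judy</Data></EventData></Event>
<Event {X}><System><EventID>1100</EventID><TimeCreated SystemTime="2012-07-17T03:16:57.792800000Z"/></System><UserData/></Event>
<Event {X}><System><EventID>4634</EventID><TimeCreated SystemTime="2012-07-17T03:16:58.587600000Z"/></System><EventData><Data Name="TargetUserName">ANONYMOUS LOGON</Data></EventData></Event>
<Event {X}><System><EventID>4634</EventID><TimeCreated SystemTime="2012-07-17T03:17:06.528000000Z"/></System><EventData><Data Name="TargetUserName">UpdatusUser</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Return (time, event_id, user) tuples sorted by time (UTC)."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        eid = int(system.findtext("e:EventID", namespaces=NS))
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        # SystemTime carries 9 fractional digits; strptime's %f accepts at most 6.
        when = datetime.strptime(stamp.rstrip("Z")[:26], "%Y-%m-%dT%H:%M:%S.%f")
        user = ev.findtext("e:EventData/e:Data[@Name='TargetUserName']",
                           default="", namespaces=NS)
        out.append((when, eid, user))
    return sorted(out)

def shutdown_delays(events, threshold=timedelta(minutes=2)):
    """Pair each 4647 with the next 1100; threshold is an assumed cut-off."""
    results, pending = [], None
    for when, eid, user in events:
        if eid == 4647:
            pending = (when, user)
        elif eid == 1100 and pending:
            delay = when - pending[0]
            results.append({"user": pending[1], "logoff": pending[0], "delay": delay,
                            "slow": delay > threshold, "late_sessions": []})
            pending = None
        elif eid == 4634 and results and not pending:
            # 4634 seen after the 1100 and before the next 4647
            results[-1]["late_sessions"].append(user)
    return results

if __name__ == "__main__":
    for r in shutdown_delays(parse_events(SAMPLE)):
        print(r["user"], r["logoff"], r["delay"], r["slow"], r["late_sessions"])
```

Run over a full export, the `late_sessions` list shows which accounts still held a logon session when the event log service stopped.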

This topic is archived. No further replies will be accepted.
