Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Tutorial how to use Sysinternals Process Monitor Procmon to trace slow boots
158 views
Skip to first unread message
Arlen Holder
Nov 15, 2020, 10:27:04 PM11/15/20
to
Tutorial how to use Sysinternals Process Monitor Procmon to trace slow boots
(As always, so that others always benefit from every action, please improve.)
Based 100% on Paul's excellent detailed instructions in this recent message:
From: Paul <nos...@needed.invalid>
Newsgroups: alt.comp.os.windows-10
Subject: Re: slow shutdown (again)
Date: Sun, 15 Nov 2020 00:03:57 -0500
Message-ID: <roqcs2$dkb$1...@dont-email.me>
References: <i13062...@mid.individual.net>
Found in this thread:
o slow shutdown (again)
<https://alt.comp.os.windows-10.narkive.com/meWMuTi9/slow-shutdown-again>
o Found in this message:
<https://alt.comp.os.windows-10.narkive.com/meWMuTi9/slow-shutdown-again#post12>
Screenshots:
o <https://i.postimg.cc/bwqfhkb7/procmon01.jpg> unfiltered trace
o <https://i.postimg.cc/BvwrHzy3/procmon02.jpg> filtered trace
Software:
A) Download Microsoft Sysinternals utilities process monitor v3.60
<https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite>
<https://docs.microsoft.com/en-us/sysinternals/downloads/procmon>
<https://download.sysinternals.com/files/ProcessMonitor.zip>
Name: ProcessMonitor.zip
Size: 2045618 bytes (1997 KiB)
CRC32: 2DE96697
CRC64: C1FDED53C12E53A4
SHA256: CCC6DDAA0ACA47B4CD739963FBE95806DA96CA6E9AB1A852C96EE5417028D6F5
SHA1: 7A500215D94417A3E94BC1909F66D8F2447A1ED4
BLAKE2sp: 937B57D3FE5B83019FFA78CA391BBB79E83ED1854E2425748C888FE3B239BACA
B) Unzip and place in your installation hierarchy:
move .\ProcessMonitor c:\app\os\procmon
Name: Procmon64.exe
Size: 1180544 bytes (1152 KiB)
CRC32: 9D28CF3E
CRC64: 6ADEE8555B9471DF
SHA256: 446477F6ADA7D89E6DC5A429E2A8AB7F9073A0C7674DB264768BE98986C866D5
SHA1: 45B99F3BE269A356EF22EB285A42F890699FAA6F
BLAKE2sp: 0C3E89363ECB37E2C17EB7705F745FD92750C10BA94C57203BCC3CE84D0177B0
C) Create a link to the process monitor & populate your taskbar menu:
Filespec = C:\menu\os\procmon.lnk
Target = C:\app\os\procmon\Procmon64.exe
Taskbar > menu > os > procmon
Sequence:
1) Start procmon & immediately stop the trace by unchecking a checkmark:
Taskbar > menu > os > procmon.lnk
Change from: Procmon:File > {x}Capture Events
Change to: Procmon:File > {_}Capture Events
2) In the file menu, set the backingfile to whatever you like:
Change from:
Procmon:File > Backing Files >
(o)Use virtual memory (18,677MB available)
(_)Use file named: [blank]
Change to:
Procmon:File > Backing Files >
(_)Use virtual memory (18,677MB available)
(o)Use file named: > c:\tmp\shut.pml > [OK]
[OK]
3) Up pops a warning:
Process Monitor
Your changes will take effect the next time you begin capturing a
new log. [OK]
4) Exit procmon & then restart procmon anew:
Procmon:File > Exit
Taskbar > menu > os > procmon.lnk
5) Procmon starts tracing, this time storing the trace in the backing file.
c:\tmp\shut.pml
6) Run whatever is your normal shutdown sequence.
Win+R > shutdown.exe /r /f /t 5 /c "Reboot in 5s!"
Note: The trace will automatically close itself.
Note: Windows will kill Procmon after the trace is successfully stored.
7) Now, when the system comes back up, start procmon64.exe
Taskbar > menu > os > procmon.lnk
8) Procmon knows that it has just written to the backing file.
Procmon will ask whether it should overwrite while attempting to trace.
Process Monitor
Okay to overwrite event log 'c:\tmp\shut.pml'?
[Yes][No]
Click "No".
9) Now, set the backingfile to the usage of RAM again.
Change from:
Procmon:File > Backing Files >
(_)Use virtual memory (18,677MB available)
(o)Use file named: > c:\tmp\shut.pml > [OK]
Change back to:
Procmon:File > Backing Files >
(o)Use virtual memory (18,677MB available)
(_)Use file named: [blank]
[OK]
10) Up pops a warning:
Process Monitor
Your changes will take effect the next time you begin capturing a
new log. [OK]
11) Kill & restart procmon64.exe
Procmon:File > Exit
Taskbar > menu > os > procmon.lnk
12) Immediately stop the automatic trace using the File menu:
Change from: Procmon:File > {x}Capture Events
Change to: Procmon:File > {_}Capture Events
13) In the file menu, Open the backing file previously created:
Procmon:File > Open > c:\tmp\shut.pml
Showing 381,025 of 584,359 events (65%) Backed by C:\tmp\shut.pml
<https://i.postimg.cc/bwqfhkb7/procmon01.jpg>
14) OK, *now* you're looking at a shutdown trace.
Discover which high-runner process is having a picnic for itself :-/
Procmon:Filter > Filter > Display entries matching these conditions:
Change from: [Architecture] [is] [blank] then [Include]
Change to: [Operation] [is] [CreateFile] then [Include]
[Add]
Change to: [Operation] [is] [ReadFile] then [Include]
[Add]
Change to: [Operation] [is] [WriteFile] then [Include]
[Add]
Note: You can leave the "excluded" stuff alone in the large window.
15) Press [OK] to filter.
Showing 100,152 of 584,359 events (65%) Backed by C:\tmp\shut.pml
<https://i.postimg.cc/BvwrHzy3/procmon02.jpg>
The theory is, the shutdown delay always involves file I/O.
Examine the filenames for hints on what's holding up the boot process.
--
Part of the high cost of freeware is in figuring out how to use it.
(As always, so that others always benefit from every action, please improve.)
Based 100% on Paul's excellent detailed instructions in this recent message:
From: Paul <nos...@needed.invalid>
Newsgroups: alt.comp.os.windows-10
Subject: Re: slow shutdown (again)
Date: Sun, 15 Nov 2020 00:03:57 -0500
Message-ID: <roqcs2$dkb$1...@dont-email.me>
References: <i13062...@mid.individual.net>
Found in this thread:
o slow shutdown (again)
<https://alt.comp.os.windows-10.narkive.com/meWMuTi9/slow-shutdown-again>
o Found in this message:
<https://alt.comp.os.windows-10.narkive.com/meWMuTi9/slow-shutdown-again#post12>
Screenshots:
o <https://i.postimg.cc/bwqfhkb7/procmon01.jpg> unfiltered trace
o <https://i.postimg.cc/BvwrHzy3/procmon02.jpg> filtered trace
Software:
A) Download Microsoft Sysinternals utilities process monitor v3.60
<https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite>
<https://docs.microsoft.com/en-us/sysinternals/downloads/procmon>
<https://download.sysinternals.com/files/ProcessMonitor.zip>
Name: ProcessMonitor.zip
Size: 2045618 bytes (1997 KiB)
CRC32: 2DE96697
CRC64: C1FDED53C12E53A4
SHA256: CCC6DDAA0ACA47B4CD739963FBE95806DA96CA6E9AB1A852C96EE5417028D6F5
SHA1: 7A500215D94417A3E94BC1909F66D8F2447A1ED4
BLAKE2sp: 937B57D3FE5B83019FFA78CA391BBB79E83ED1854E2425748C888FE3B239BACA
B) Unzip and place in your installation hierarchy:
move .\ProcessMonitor c:\app\os\procmon
Name: Procmon64.exe
Size: 1180544 bytes (1152 KiB)
CRC32: 9D28CF3E
CRC64: 6ADEE8555B9471DF
SHA256: 446477F6ADA7D89E6DC5A429E2A8AB7F9073A0C7674DB264768BE98986C866D5
SHA1: 45B99F3BE269A356EF22EB285A42F890699FAA6F
BLAKE2sp: 0C3E89363ECB37E2C17EB7705F745FD92750C10BA94C57203BCC3CE84D0177B0
C) Create a link to the process monitor & populate your taskbar menu:
Filespec = C:\menu\os\procmon.lnk
Target = C:\app\os\procmon\Procmon64.exe
Taskbar > menu > os > procmon
Sequence:
1) Start procmon & immediately stop the trace by unchecking a checkmark:
Taskbar > menu > os > procmon.lnk
Change from: Procmon:File > {x}Capture Events
Change to: Procmon:File > {_}Capture Events
2) In the file menu, set the backingfile to whatever you like:
Change from:
Procmon:File > Backing Files >
(o)Use virtual memory (18,677MB available)
(_)Use file named: [blank]
Change to:
Procmon:File > Backing Files >
(_)Use virtual memory (18,677MB available)
(o)Use file named: > c:\tmp\shut.pml > [OK]
[OK]
3) Up pops a warning:
Process Monitor
Your changes will take effect the next time you begin capturing a
new log. [OK]
4) Exit procmon & then restart procmon anew:
Procmon:File > Exit
Taskbar > menu > os > procmon.lnk
5) Procmon starts tracing, this time storing the trace in the backing file.
c:\tmp\shut.pml
6) Run whatever is your normal shutdown sequence.
Win+R > shutdown.exe /r /f /t 5 /c "Reboot in 5s!"
Note: The trace will automatically close itself.
Note: Windows will kill Procmon after the trace is successfully stored.
7) Now, when the system comes back up, start procmon64.exe
Taskbar > menu > os > procmon.lnk
8) Procmon knows that it has just written to the backing file.
Procmon will ask whether it should overwrite while attempting to trace.
Process Monitor
Okay to overwrite event log 'c:\tmp\shut.pml'?
[Yes][No]
Click "No".
9) Now, set the backingfile to the usage of RAM again.
Change from:
Procmon:File > Backing Files >
(_)Use virtual memory (18,677MB available)
(o)Use file named: > c:\tmp\shut.pml > [OK]
Change back to:
Procmon:File > Backing Files >
(o)Use virtual memory (18,677MB available)
(_)Use file named: [blank]
[OK]
10) Up pops a warning:
Process Monitor
Your changes will take effect the next time you begin capturing a
new log. [OK]
11) Kill & restart procmon64.exe
Procmon:File > Exit
Taskbar > menu > os > procmon.lnk
12) Immediately stop the automatic trace using the File menu:
Change from: Procmon:File > {x}Capture Events
Change to: Procmon:File > {_}Capture Events
13) In the file menu, Open the backing file previously created:
Procmon:File > Open > c:\tmp\shut.pml
Showing 381,025 of 584,359 events (65%) Backed by C:\tmp\shut.pml
<https://i.postimg.cc/bwqfhkb7/procmon01.jpg>
14) OK, *now* you're looking at a shutdown trace.
Discover which high-runner process is having a picnic for itself :-/
Procmon:Filter > Filter > Display entries matching these conditions:
Change from: [Architecture] [is] [blank] then [Include]
Change to: [Operation] [is] [CreateFile] then [Include]
[Add]
Change to: [Operation] [is] [ReadFile] then [Include]
[Add]
Change to: [Operation] [is] [WriteFile] then [Include]
[Add]
Note: You can leave the "excluded" stuff alone in the large window.
15) Press [OK] to filter.
Showing 100,152 of 584,359 events (65%) Backed by C:\tmp\shut.pml
<https://i.postimg.cc/BvwrHzy3/procmon02.jpg>
The theory is, the shutdown delay always involves file I/O.
Examine the filenames for hints on what's holding up the boot process.
--
Part of the high cost of freeware is in figuring out how to use it.
0 new messages