Troubleshooting Shutdown Problems

Improper system shutdown can harm any computer. Power failures or fluctuations, and the improper shutdowns they cause, usually top the list of causes of hardware damage and data loss in corporate networks. For network servers, an improper shutdown can be disastrous. Furthermore, most system startup problems, such as a damaged Master Boot Record (MBR) or boot sector, missing or corrupted files, or a damaged registry, are caused by improper shutdown. In general, if you experience problems that prevent your system from shutting down gracefully, you will eventually experience startup problems. As outlined in Chapter 9, improper shutdowns also present a serious security threat. Do not underestimate the importance of graceful shutdown.

Performing an Emergency Shutdown

Curiously enough, even experienced users often do not know what to do when a computer running Windows 2000, Windows XP, or Windows Server 2003 hangs or does not shut down gracefully: they simply power the system off. The better recourse is a so-called emergency shutdown. The procedure described in this section is useful if your system stops responding, you cannot shut down normally, or you need to shut down immediately and prevent the current information from being saved.

Note: Although this procedure is less harmful than simply turning off the power, it should be used only in emergencies.

To perform an emergency shutdown:
1. Press <Ctrl>+<Alt>+<Del>.
2. When the Logon Information screen is displayed, hold down the <Ctrl> key and click the Shut Down button. The system displays the following message: "If you continue, your machine will reboot and any unsaved data will be lost. Use this only as a last resort."
3. Click OK.
You can discover which shutdown option was used the last time you invoked shutdown, either from the Start menu or by pressing <Ctrl>+<Alt>+<Del>. By default, the system records this information under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer registry key, in the Shutdown Setting value (REG_DWORD data type), which specifies the most recent shutdown method. The Shutdown Setting value can hold the following data:

0x01: Log off.
0x02: Shut down. Ends your session and shuts down Windows 2000, Windows XP, or Windows Server 2003 so that you can safely turn off the power.
0x04: Restart. Ends your session, shuts down, and restarts Windows.
0x10: Stand by. Maintains your session, keeping the computer running on low power with data still in memory (requires power management support).
0x20: Stand by with wakeup events disabled. As above, but the computer is not woken by wakeup events (requires power management support).
0x40: Hibernate. Saves your session to disk so that you can safely turn off the power. Your session is restored the next time you start Windows.
0x80: Disconnect. Disconnects your Terminal Server session. You can reconnect to this session when you log on again.

Because the value lives under HKEY_CURRENT_USER and is written by the Shut Down dialog, it tells you which option that particular user last chose there; it is not a general log of shutdowns, and it says nothing about a shutdown caused by a power failure.

Common Methods of Troubleshooting Shutdown Problems

As outlined earlier in this chapter, shutdown and startup problems are interrelated, and they are often caused by similar factors: a component that causes startup problems might also interfere with the shutdown process, and vice versa. Graceful system shutdown is important. In this orderly process, Windows sends specific messages to devices, system services, and applications, notifying them of your intention to shut down the computer.
While this process is in progress, Windows waits for applications to close files and gives them a certain amount of time to complete cleanup tasks, such as writing unsaved data to disk. Typically, every enabled device, system service, and application replies to the shutdown message, indicating to the OS that shutdown can safely proceed. The process of safely removing hardware, which I covered in Chapter 5, is a good example of this behavior.

The most common causes of shutdown problems include:
- Device drivers, system services, or applications that do not respond to shutdown messages, or that reply to the system that they are busy
- Faulty or incompatible device drivers, services, or applications
- Hardware changes that cause device conflicts
- Firmware incompatibility or incorrect changes to firmware settings

Microsoft recommends the following methods of resolving problems that occur during system shutdown:
- Using Task Manager to close an unresponsive application or service
- Comparing normal-mode and safe-mode Ntbtlog.txt log entries

To end an unresponsive application or service:
1. Start Task Manager by pressing <Ctrl>+<Shift>+<Esc>.
2. Click the Applications tab. It displays the status of each application as either Running or Not Responding. Click the item labeled Not Responding, and then click the End Task button.
3. To close the process of an offending service or driver, go to the Processes tab of the Windows Task Manager window (Fig. 12.4). Select the process from the list and click the End Process button.

Figure 12.4: The Processes tab of the Windows Task Manager window

Note: Windows 2000, Windows XP, and Windows Server 2003 have a set of so-called default processes, listed in Table 12.3. You cannot use Task Manager to close any of the processes marked with an asterisk (*) in this table.
Processes that appear in Task Manager but are not listed in this table are the likely cause of the problem. The converse does not hold: a process is not legitimate merely because its name matches an entry in the table, since malicious software routinely names itself after these default processes. Before trusting a familiar name, check that the image was loaded from its expected location (for most of the asterisked system processes, %SystemRoot%\System32).

Table 12.3: Default System Processes (an asterisk marks processes that Task Manager cannot end)

Csrss.exe*: The client/server run-time subsystem, an essential subsystem that is always active. It is responsible for console windows and for creating and deleting threads.
Explorer.exe: The interactive graphical user interface shell. It provides the familiar Windows taskbar and desktop environment.
Internat.exe: When enabled, displays the EN and other language icons in the notification area, allowing the user to switch between input locales. Keyboard layouts are added from the Regional and Language Options applet in Control Panel. This tool runs at startup and loads the input locales specified by the user; the locales are determined by the HKEY_USERS\.DEFAULT\Keyboard Layout\Preload registry key.
Lsass.exe*: The Local Security Authority (LSA) subsystem server, which authenticates users for the Winlogon service. The LSA also responds to authentication information received from the Graphical Identification and Authentication (GINA) component, Msgina.dll. If authentication succeeds, Lsass.exe generates the user's access token, which is used to start the initial shell; other processes that the user starts inherit this token.
Mstask.exe*: The Task Scheduler service. It runs tasks at the times configured by the user.
Smss.exe*: The Session Manager subsystem, which starts the user session. It is started by the system thread and is responsible for various activities, including starting the Winlogon.exe and Csrss.exe processes and setting system variables.
Spoolsv.exe*: The spooler service. It manages spooled print and fax jobs.
Svchost.exe*: A generic host process for services implemented in dynamic-link libraries (DLLs). Several instances of this process are usually present in the Task Manager list.
Services.exe*: The Service Control Manager, which starts, stops, and interacts with system services.
System*: Most kernel-mode system threads run as the System process.
System Idle Process*: A separate instance runs for each processor present, with the sole purpose of accounting for unused processor time.
Taskmgr.exe: The process for Task Manager itself.
Winlogon.exe*: The process that manages user logon and logoff. Winlogon becomes active when the user presses <Ctrl>+<Alt>+<Del>, after which the logon dialog box appears.
Winmgmt.exe*: A core component of client management (Windows Management Instrumentation). It starts when the first client application connects, or when management applications request its services.

To compare normal-mode and safe-mode Ntbtlog.txt log entries:
1. Restart the system in safe mode. Safe mode always writes a boot log, so this creates a safe-mode version of %SystemRoot%\Ntbtlog.txt.
2. Copy the safe-mode Ntbtlog.txt to a safe location and rename it, so that later boots cannot alter it.
3. Restart the computer in normal mode with boot logging enabled. To enable boot logging, reboot the computer, press the <F8> key when prompted, and select Enable Boot Logging from the Windows Advanced Options menu.
4. Compare the normal-mode and safe-mode versions of Ntbtlog.txt to determine which components are not loaded in safe mode. In normal mode, stop each application or service that appears in neither the safe-mode list nor Table 12.3, one at a time, and restart the computer after each change until you pin down the cause of the shutdown problem. After you identify the problem component, disable it and search for an update.

Note: In addition to these standard methods of troubleshooting shutdown problems, which are also available on Windows 2000, Windows Server 2003 includes Shutdown Event Tracker.
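Step 4 of the Ntbtlog.txt comparison is tedious by hand on a machine with a few hundred drivers, so here is an added PowerShell example (not code from the original chapter) that does the comparison. It parses the "Loaded driver" lines of a saved safe-mode log and of the normal-mode log, reports every driver that loads only in normal mode, and flags those loaded from outside System32, which is where a third-party filter driver that hangs shutdown usually turns up. The two here-strings are constructed sample logs with placeholder driver names (exmplvid.sys, exfilt.sys, ExampleTool), not real captures; on a real machine you would feed it Get-Content of the two files instead.

```powershell
# Added example, not from the original chapter: compare a saved safe-mode copy of
# Ntbtlog.txt with the normal-mode Ntbtlog.txt and list the drivers that load only
# in normal mode. The two here-strings are constructed sample logs with placeholder
# driver names (exmplvid.sys, exfilt.sys, ExampleTool); they are not real captures.

$SafeModeLog = @'
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 11 30 2005 09:15:02.500
Loaded driver \SystemRoot\System32\ntoskrnl.exe
Loaded driver \SystemRoot\System32\hal.dll
Loaded driver \SystemRoot\System32\DRIVERS\ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\disk.sys
Did not load driver \SystemRoot\System32\DRIVERS\audstub.sys
'@

$NormalModeLog = @'
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 11 30 2005 09:20:41.125
Loaded driver \SystemRoot\System32\ntoskrnl.exe
Loaded driver \SystemRoot\System32\hal.dll
Loaded driver \SystemRoot\System32\DRIVERS\ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\disk.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\exmplvid.sys
Loaded driver \??\C:\Program Files\ExampleTool\exfilt.sys
Did not load driver \SystemRoot\System32\DRIVERS\unused.sys
'@

function Get-LoadedDrivers {
    param([string[]]$Lines)
    # Keep only the "Loaded driver <path>" entries; "Did not load driver" lines are ignored.
    foreach ($line in $Lines) {
        if ($line -match '^Loaded driver\s+(\S.*?)\s*$') {
            $path = $Matches[1]
            [pscustomobject]@{
                # Compare by file name, case-insensitively, as the two logs may differ in case.
                Name = $path.Split('\')[-1].ToLowerInvariant()
                Path = $path
            }
        }
    }
}

function Compare-BootLogs {
    param([string[]]$SafeModeLines, [string[]]$NormalModeLines)
    $safeNames = @(Get-LoadedDrivers -Lines $SafeModeLines | ForEach-Object { $_.Name })
    # Everything that loaded in normal mode but not in safe mode is a candidate for the
    # one-at-a-time disabling described in step 4 above.
    Get-LoadedDrivers -Lines $NormalModeLines |
        Where-Object { $safeNames -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $_.Path
                # Drivers loaded from outside System32 deserve the first look: that is where
                # third-party filter drivers live, and where unwanted software tends to hide.
                OutsideSystem32 = -not ($_.Path -match '\\System32\\')
            }
        }
}

# On a real machine, replace the sample strings with
#   Get-Content "$env:SystemRoot\Ntbtlog.txt"   and   Get-Content <saved safe-mode copy>
Compare-BootLogs -SafeModeLines ($SafeModeLog -split "`r?`n") `
                 -NormalModeLines ($NormalModeLog -split "`r?`n") | Format-Table -AutoSize
```

With the constructed logs the script lists audstub.sys and exmplvid.sys (both from System32, OutsideSystem32 False) and exfilt.sys from C:\Program Files\ExampleTool (OutsideSystem32 True); the last of the three is the one to disable first. Because a boot log only records what loaded, a driver that appears in both logs can still be the culprit if it misbehaves only on shutdown, so treat the list as a prioritised starting point rather than a verdict.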
Shutdown Event Tracker provides a method for tracking why users restart or shut down their computers. It was discussed in Chapter 4 among the methods of customizing system startup and shutdown behavior.

Editing the Default Application Cleanup Timeout

Sometimes, when you shut down or restart your Windows NT-based operating system, you see a dialog similar to the one shown in Fig. 12.5. Worse, this may happen persistently and prevent you from shutting down correctly. The cause is Windows' cleanup default: when the OS shuts down, each running process is given 20 seconds to perform cleanup work, and if a process does not respond within this timeout, Windows displays the dialog.

Figure 12.5: This process didn't respond within the default timeout, preventing Windows from shutting down

To solve this problem, you can modify the default timeout by editing the registry. The timeout is specified by the WaitToKillAppTimeout value under the following registry key:

HKEY_CURRENT_USER\Control Panel\Desktop

The value is expressed in milliseconds (the default of 20000 corresponds to the 20 seconds mentioned above). You can use Registry Editor to modify it, and because the key is under HKEY_CURRENT_USER the change applies only to the user whose profile you edit. You must restart the computer for the change to take effect.

Note: In general, it is not recommended that you increase the shutdown time. In a power failure, your Uninterruptible Power Supply (UPS) may not be able to provide backup power long enough for all the processes, and the operating system itself, to shut down properly. Cutting the timeout too far is no better: applications are then killed before they finish writing their data, which is exactly the kind of data loss an improper shutdown causes.

Configuring Windows to Clear the Paging File at Shutdown

Some third-party programs may temporarily store unencrypted (plain-text) passwords or other sensitive information in memory. Because Windows XP and the products of the Windows Server 2003 family, like Windows NT and Windows 2000, page memory out to disk, this information may end up in the paging file, presenting a potential danger to system security.
Users concerned about security may wish to clear the paging file (Pagefile.sys) during shutdown, so that no unsecured data remains in it once the shutdown process is complete.

Note: This tip applies to all Windows NT-based systems, starting with Windows NT 3.51. Clearing the paging file is not a substitute for physical security, but it does help protect data while Windows NT/2000/XP or Windows Server 2003 is not running. Two practical caveats: the clearing is done by overwriting the whole paging file with zeros, so shutdown takes noticeably longer on systems with a large paging file; and the setting does not touch the hibernation file (Hiberfil.sys), which also holds the contents of memory.

To configure the system to clear the paging file at shutdown, proceed as follows:
1. On Windows XP or Windows Server 2003, start Regedit.exe. On Windows NT/2000, start Regedt32.exe.
2. Open the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
3. Find the ClearPageFileAtShutdown value (REG_DWORD data type) and set it to 1. If the value does not exist, create it.

Note: This change does not take effect until you restart the computer.

In Windows 2000, Windows XP, and Windows Server 2003, the same task can be accomplished using Group Policy Object Editor (Fig. 12.6). The procedures differ slightly for domain environments and for standalone computers. In a domain environment:
1. Start the Active Directory Users and Computers MMC snap-in. Right-click the container for the domain or the organizational unit to which you want to apply the policy settings, and select Properties from the context menu.
2. On the Group Policy tab, select the GPO that you want to edit and click the Edit button.
3. The required option is found under Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options. Double-click the policy named Shutdown: Clear virtual memory pagefile, and enable it by selecting the Enabled radio button as shown in Fig. 12.6.
Figure 12.6: Configuring the system to clear the virtual memory pagefile using Group Policy Object Editor

On standalone or single computers, the procedure is similar, but you start the Local Security Policy MMC snap-in and edit the same policy setting, which is located under Security Settings | Local Policies | Security Options.
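The three registry values this chapter relies on (the per-user Shutdown Setting, the WaitToKillAppTimeout cleanup timeout, and ClearPageFileAtShutdown) are easy to check and set from a script, which is more repeatable than Registry Editor across a fleet of servers. The following is an added PowerShell example, not the chapter's own code: it reads all three values with the registry paths given in the text, decodes the Shutdown Setting bits using the list earlier in this chapter, reports whether the timeout has been raised above the 20 000 ms default, and offers a function that enables pagefile clearing. The function names (Get-RegValue, Get-ShutdownSettings, Enable-ClearPageFileAtShutdown) are this example's own, not Windows cmdlets; it assumes a Windows host, and writing the HKLM value needs an elevated session.

```powershell
# Added example, not code from the original chapter: audit the shutdown-related
# registry values described in this chapter and, optionally, enable pagefile
# clearing. Runs on a Windows host; writing the HKLM value needs an elevated session.
# The function names are this example's own, not Windows cmdlets.

# Meaning of the bits in Explorer's "Shutdown Setting" value (from the list in the text).
$ShutdownSettingNames = @{
    0x01 = 'Log off'
    0x02 = 'Shut down'
    0x04 = 'Restart'
    0x10 = 'Stand by'
    0x20 = 'Stand by (wakeup events disabled)'
    0x40 = 'Hibernate'
    0x80 = 'Disconnect (Terminal Server session)'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-ShutdownSettings {
    $last = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer' 'Shutdown Setting'
    $lastName = if ($null -ne $last -and $ShutdownSettingNames.ContainsKey([int]$last)) {
        $ShutdownSettingNames[[int]$last]
    } else {
        'not recorded'
    }

    # Milliseconds; 20000 (20 s) is what Windows uses when the value is absent.
    $appTimeout = Get-RegValue 'HKCU:\Control Panel\Desktop' 'WaitToKillAppTimeout'
    $appTimeoutMs = if ($null -eq $appTimeout) { 20000 } else { [int]$appTimeout }

    $clearPf = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
                            'ClearPageFileAtShutdown'

    [pscustomobject]@{
        LastShutdownMethod      = $lastName
        WaitToKillAppTimeoutMs  = $appTimeoutMs
        # Above the default means a UPS must carry the machine longer (see the Note above).
        AppTimeoutAboveDefault  = ($appTimeoutMs -gt 20000)
        ClearPageFileAtShutdown = ($null -ne $clearPf -and [int]$clearPf -eq 1)
    }
}

function Enable-ClearPageFileAtShutdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    if ($PSCmdlet.ShouldProcess($path, 'Set ClearPageFileAtShutdown (REG_DWORD) to 1')) {
        # Creates the value if it does not exist; takes effect only after the next restart.
        Set-ItemProperty -Path $path -Name 'ClearPageFileAtShutdown' -Value 1 -Type DWord
    }
}

Get-ShutdownSettings | Format-List
# Preview the change first; drop -WhatIf to apply it.
Enable-ClearPageFileAtShutdown -WhatIf
```

Because Get-ShutdownSettings reads HKCU, it reports the timeout and last shutdown method of the account running the script, not of every user on the machine; ClearPageFileAtShutdown is machine-wide. Where the setting is pushed by the Group Policy described above, the registry value will already read 1 and the audit simply confirms that the policy applied.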