To diagnose the reasons of slow Windows boot, there is a number of quite powerful tools and techniques of log analysis that allow performing the detailed debugging of all steps of system boot and start of services (xperf/xbootmgr from Windows Performance Toolkit / Analyzer). But their use can cause some troubles, especially, for a beginning system administrator. In this article we’ll show how to easily and quickly detect, which apps, services and drivers work slow during the system start, thus increasing the total boot time.
Certainly, all Windows system administrators should be familiar with Process Monitor from from the Sysinternals system utilities kit. Process Monitor allows monitoring the activities of running processes, access to the file system and the registry in real time. One of the little-known Process Monitor features is the opportunity to enable monitoring of processes started during Windows startup.
To diagnose the boot stage, Process Monitor creates a separate service in HKLM\SYSTEM\CurrentControlSet\Services section of the registry. This service loads the boot mode driver procmon23.sys that starts after Winload.exe is launched and logs the activity of all processes run during system boot and user logon.
- Download and unpack the archive containing Process Monitor (http://download.sysinternals.com/files/ProcessMonitor.zip)
- Run procmon.exe with the administrator privileges
- Select Enable Boot Logging in the Options menu
- In the next window, select Generate thread profiling events -> Every second. In this mode, procmon driver will capture the state of all processes every second
- Restart your computer and wait till your desktop appears
- procmon23.sys will log all events until a user starts Process Monitor. After that the boot logging mode is disabled
- In Process Monitor window, accept the offer to save the collected data to a file.
- Select the directory you want to save the file to and wait till it is saved. In my case, three files: Bootlog .pml, Bootlog-1.pml and Bootlog-2.pml with the total size 700 MB appeared in the target directory.
- In ProcMon window, click the header of the table, then click Select Columns and enable the display of the Duration column
- Create a new filter in the Filter menu.
- Select Duration as the parameter of the filter, more than as the filter condition and specify the value 10.
- Thus, in the list of processes you will have only the processes that spend more that 10 seconds to perform some operations. (I have chosen 10 seconds to make the example more demonstrative).
- To analyze the boot process, you can also use Tools ->Process Tree feature that displays all processes as a graphic tree containing the information about the beginning, duration and completion of each process.
You just have to analyze the list of processes you have got (if necessary, you can carry out further analysis of the problem process having enabled the filter by the name of the executable file), match processes and services, apps or drivers, and optimize your system.
As a rule, this type of analysis helps to detect slow processes, infected programs (first of all, you should analyze the children processes of Winlogon.exe), make a decision on uninstallation/update of the problem software or driver, disable some services or change the type of their start (delayed or manual start), remove some apps from Autostart. Often antivirus software and other resource-consuming software get into this list.