To identify drivers, programs, and services that cause Windows to bool slowly, you must enable startup logging. In this guide, we will have a look at how to create a Windows boot log and analyze slow processes with the Process Monitor tool.
The Process Monitor system tool is typically used to monitor the activity of running processes, access to files and the registry in real-time. ProcMon also allows you to enable logging of all processes that run at Windows startup, get the execution time of each process, and save the log to a file for further analysis.
- Download and extract the Process Monitor archive (http://download.sysinternals.com/files/ProcessMonitor.zip)
- Run procmon.exe as an administrator;
- Select Enable Boot Logging in the Options menu;
- Select the option Generate thread profiling events -> Every second. In this mode, the procmon driver will capture the state of all processes every second;
- Save changes. ProcMon copies the procmon24.sys driver to the
%SystemRoot%\System32\Driversdirectory and creates a separate service PROCMON24 (under the reg HKLM\SYSTEM\CurrentControlSet\Services). This service starts after Winload.exe and logs the activity of all processes while Windows is booting and the user logs on;To disable boot logging mode, run:procmon.exe /noconnect
- Restart your computer and wait for the desktop to appear;
- The procmon24.sys driver will continue to write to the event log until the user manually starts the Process Monitor. This will disable the boot logging mode.
- Accept the proposal to save the collected data in the bootlog.pml file.
Note. If you don’t stop Process Monitor, the temporary log file%windir%\procmon.pmbwill eventually take up all the free space on your system drive. - The size of the bootlog.pml file is about 500MB in my case. Open this file with ProcMon;
- In the ProcMon click on the header of the table, then click on Select Columns and enable the Duration column;
- Create a new Filter;
- Select Duration as the filter parameter, more than as the condition, and specify the value
5. Click Add and OK;
- Only those actions that took more than 5 seconds will remain in the list of processes (for clarity, I have chosen 5 seconds);
- To analyze the boot process, you can also use Tools -> Process Tree feature which displays all processes as a graphical tree showing when each process started, ran, and finished.
You just have to analyze the list of processes you have got, match processes and services, apps, or drivers. Antivirus apps and other ‘heavy’ software are most likely to appear on this list.
In this example, the Edge browser update process started when the computer started and took almost 4 minutes.
The Edge browser is updated by a separate MicrosoftEdgeUpdateTaskMachineCore scheduler task which runs at any user sign-in. If you find that this problem occurs frequently, you can delay the task by adding a delay to its schedule.
You can also get CPU, RAM, and disk usage information for processes started when Windows boots. To do this, select the Process Activity Summary option from the Tools menu.
Sort processes to find the most resource-intensive processes that use a lot of CPU or RAM during boot.
You can use Network Summary to find slow network requests and processes that are downloading or sending large amounts of data over the network when Windows starts up. For example, the screenshot shows that the computer received approximately 0.5 MB of data from the domain controller when it started.
Analyze all the processes that are slowing down the booting of Windows (first of all, you need to analyze the child processes of Winlogon.exe). You need to optimize the system based on the information collected: remove/update problem apps or drivers, disable some services or change their startup type (Set to delayed or manual start), remove some apps from Startup, etc.