Troubleshooting lengthy startups

Windows event logs are a very important tool for monitoring the health of systems and troubleshooting issues when they arise. Since Windows Vista, Microsoft added additional logs known as Application and Service logs, so that applications and services installed on the computer will have individual logs. This category of logs includes four subtypes for which the application or service can provide events, which are Admin, Operational, Analytic, and Debug logs. Details about the category of logs will be explained in a separate article, however, a brief explanation of the Operational events is needed as to help us troubleshoot startup problems!

I have created a small application called Boot Time that helps you monitor Boot times. The Boot Time utility requires administrative privileges to run successfully, hence if you are logged as a normal user without admin rights, start the application by right-clicking BootTime.exe and then click Run as administrator. For further details read below

Operational Events that are found in the Operational channels are used for analyzing and diagnosing a problem or occurrence. They can be used to trigger tools or tasks based on the problem or occurrence. An example of an operational event is an event that occurs for example when the boot duration is longer than normal due some delays caused by auto-starting applications! These events can found in the Microsoft-Windows-Diagnostics-Performance/Operational log.

To view the Boot performance event log follow these steps:

Open the Computer Management console by typing computer management in the search text box of the Start menu
On the Left-hand side pane of the Computer Management window expand Event Viewer by clicking on its respective arrow
Click the Applications and Services Logs arrow, then Microsoft and finally Windows to expand the list
Expand Diagnostics-Performance and click Operational

In the centre pane, the log presents a list of performance events such as, Boot, Shutdown, Standby and other monitored issues with different severity grades such as, Warning, Error and Critical levels. Each event category has a specific event ID such as, Boot Performance Monitoring events have an ID of 100. Each event when clicked displays detailed info in the bottom-centre pane of the window. So, let us take an example of a troubleshooting exercise:

I noticed that the computer took longer than usual to boot up
I open the Operational event log as described above and look for any recent Error/Critical events related to Boot performance with ID:100
I verify that the error boot event has a longer than usual Boot duration
I click the event on top of ID:100 (the one that follows) usually with ID:101 to view which application has caused such delay
From the event details, I can tell which application has caused the delay – in this case, mmc.exe took longer than usual to start up, resulting in performance degradation in the system startup process

The Boot Time application

It displays the last boot duration by default in the top text box, however, it can display the last 10 or all logged boot times when you click the respective button. It displays an error message when the user has no administrative privileges or when logging is disabled. Logging is enabled by default, however, if this is not the case, go to the Windows-Diagnostics-Performance/Operational event log, right-click Operational and click Enable Log. If you have just enabled logging, you need to restart your computer as to start recording some events!

The Boot Time small application can be copied to your Startup folder as to display the boot delay every time you turn on your computer or else just double click the exe file.

Boot Time displays the last boot duration, the previous 10 and/or all logged events. It simply retrieves this information from the event log. Although, the end user becomes accustomed with his/her machine normal boot times, the application uses an arrow as to show the criticality of each recorded time.

No Arrow before displayed time means a normal boot duration
->(short arrow) means a delay was encountered during boot up – Error level
—>(long arrow) means boot time is Critical

Download the application from the downloads section on the side bar.

Ari says:

August 10, 2011 at 6:38 am

Hi.
This is really nice tool and exactly what is needed in order to monitor the startup time. Have you planned to include any command line options with this tool? It would be nice to run this silently in the background when needed and write the information in one file.

George says:

August 11, 2011 at 4:24 am

That would be nice if time permits! Thanks for your comments

Troubleshooting lengthy startups

2 Responses to “Troubleshooting lengthy startups”

Leave a Comment

Further Reading

Penetration testing tool for domain controllers

Tails Operating System

Recovering a user local profile flagged as ‘backup’

Google’s Project Shield

Security Guidelines for Windows 7 and Windows 8

Windows Phone 7 Application Security Survey

Unveiling an Indian Cyberattack Infrastructure

Malware Prevention and Handling Guide

5 Essential Tips for Windows 8 Networking

Using nmap scripts to enhance vulnerability assessment results

Downloads

Categories

Command line Tips

News