Analyzing Slow Startup and Shutdown using Event Viewer

by Mitch Tulloch [Published on 28 June 2012 / Last Updated on 28 June 2012]

How to filter for events that provide detailed information about startup and shutdown of Windows services.

If your computer takes a long time to boot up or shut down, you can use Event Viewer to perform a prelimiary analysis of what services are causing the most delay.  To do this, open Event Viewer and expand the following log:

Applications And Services Logs\Microsoft\Windows\Diagnostics-Performance\Operational

Right-click on this log and select Filter Current Log.

To filter for boot events, type 100-199 in the Event IDs field and click OK.

To filter for shutdown events, type 200-299 in the same field and click OK.

Here is an example of a service causing delayed shutdown:

This service caused a delay in the system shutdown process:

     File Name                               :               napagent

     Friendly Name                     :               Quarantine Agent Service Run-Time

     Version                   :               6.1.7600.16385 (win7_rtm.090713-1255)

     Total Time                              :               7521ms

     Degradation Time               :               4250ms

     Incident Time (UTC)           :               ‎2011‎-‎06‎-‎20T21:06:29.635549800Z

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.

Featured Links