JeremyNicoll

XP shutdown problem

I have two XP Pro and one XP Home machine, all with the current (non-beta) versions of EAM and OA installed. Ever since installing these apps I've noticed that the machines frequently don't shut down as cleanly as they used to do; when I do Start -> Turn Off Computer -> Turn Off, icons are removed from the desktop but instead of the desktop then progressing to the blue "Windows is shutting down" screen, I'm left staring at my desktop background. The problem did not occur until I started using OA & EAM (previously I had ZoneAlarmPro and ESET NOD32).

 

At first I tried just waiting, several hours, then with less patience maybe 10 minutes - but nothing happens.  Nowadays I wait about a minute, then Ctrl-Alt-Delete to get a task manager display, then use its ShutDown menu to re-select TurnOff and the machine(s) then shut down immediately.

 

I have got into the habit of closing apps that previously I left running when I shut the machine down - eg my backup utility (which is never doing anything at the time - I make sure that if there's a backup about to start that it runs first), the Dropbox client, and pausing Scheduled Tasks (and waiting until whatever tasks were running have ended).  (I run lots of Scheduled tasks but all of them are simple scripts written in ooRexx and just terminating their processes - which is what I imagine XP does during shutdown - will not cause any problems).  However making sure that these apps are shut has not helped.

 

I've tried several times over the last few weeks to get to the bottom of this, on more than one machine. The only clue I have is that when OA's Debug is on, the problem seems not to happen, which is irritating.  There are no clues in the OA history, nor in XP's Event logs.

 

It's not happening absolutely every time I shut the machine(s) down, but happens more often than not - maybe 90% of the time.

 

Any ideas?

 

 

 


I do have SysInternals' ProcExp.exe here, and also their PSxxx utils, eg pslist.  I'll try and research what processes are still running when a shutdown hangs.   I'm not expert in ProcExp's facilities but note that in theory it allows one to create a minidump or full dump of a specific process.  However when I tried that on oasrv.exe (while the system is running), I got an error message "Error writing dump file - handle invalid".   I'm guessing that there's code in OA to prevent users dumping it, presumably as that could help someone reverse engineer it, and OA's History shows various kernel events related to eg oasrv.exe and procexp.exe.

 

When I've found that shutdowns don't hang with OA's debug mode on, I've had all the subsidiary options for what to trace set on.  I suppose it's possible that setting only a handful of them on might allow OA (if the problem really is in OA) to have the problem and yet capture some relevant info.  I'd need your suggestions on which options to set though.


Most security software contains a self-protection mechanism of some sort to prevent other processes from accessing their memory.


Yes; it hardly helps to solve such a problem though.

 

Yesterday I downloaded a tool - "NotMyFault.exe" - which allows one to provoke a BSOD, via a specially loaded driver named "myfault.sys", from

 

   http://technet.microsoft.com/en-gb/sysinternals/bb963901.aspx

 

and I'd also made sure that XP on the machine I'm using most at the moment was configured to take full memory dumps.  As luck would have it the machine stalled on shutdown.  I waited maybe 45 seconds, then Ctrl-Alt-Del to start task manager, then maybe 30 seconds later used its File -> Run option to run the NotMyFault.exe, with no parameters.  That gives one a small GUI allowing a choice of types of system crash - I chose the 'Breakpoint' one (which BSODs because it issues a breakpoint with no debugger attached) and the system duly BSODed.

 

Remember that the stop code and reported problem in  myfault.sys   are because of the way I triggered the BSOD, not the cause of the underlying stalled shutdown...

 

It took about 20 minutes to save physical memory.  I then rebooted.  I was a little surprised that OA reported a minidump as well, which I duly submitted to you - id 73812 - at about 4am.

 

Then I moved the MEMORY.DMP file out of C:\WINDOWS and renamed it.   Using NirSoft's hashmyfiles I got hashes for that:

 

 Filename          : 20130526 0349 MEMORY.DMP
 Full Path         : C:\Documents and Settings\TheBoss\My Documents\Downloads\20130526 0349 MEMORY.DMP
 Modified Time     : 26/05/2013 03:49:56
 Created Time      : 17/03/2013 01:09:39
 File Size         : 2,137,407,488
 Extension         : DMP
 File Attributes   : A

 Then I used 7-zip to create a compressed copy of the dump.   Hashes for that are:

 Filename          : 20130526 0349 MEMORY.7z
 Full Path         : C:\Documents and Settings\TheBoss\My Documents\Downloads\20130526 0349 MEMORY.7z
 Modified Time     : 26/05/2013 05:07:52
 Created Time      : 26/05/2013 04:37:56
 File Size         : 795,261,198
 Extension         : 7z
 File Attributes   : A

 

I've uploaded this dump to dropbox - I'll PM you (Arthur) with a URL for it.

 

I have also run a chkdsk on the machine in question's hard disk, after all one can't be certain that after a forced BSOD it'd be ok.  No errors were reported, so I hope it is ok...

 

I would be grateful if someone could look at the dump to see if there's any clue why shutdown seems stalled.


Unfortunately, Andrey isn't finding anything in the memory dump that shows Online Armor trying to block something. Let's try getting Debug Logs and see if they show the cause. Please open Online Armor, go to Options in the menu on the left, click the little check box to enable debug mode, and restart your computer. After you've been able to reproduce the issue with freezing on shutdown, please ZIP your entire logs folder (normally C:\Program Files\Online Armor\Logs), upload it to a website such as RapidShare/DepositFiles/BayFiles/etc (which one you use is up to you), and then copy and paste the link to download the file into a reply (or you can send it to me in a Private Message if you don't want the link posted publicly on the forums). Note that, if you don't have a utility such as 7-Zip, WinZip, or WinRar, you can ZIP files and folders by right-clicking on them, going to Send To, and clicking on Compressed (zipped) Folder.

Note that RapidShare and BayFiles have been having issues lately, and we may not be able to download the files from them. If you have DropBox, Google Cloud Storage, or Microsoft SkyDrive then those services would be more reliable. Also, you can attach files to private messages on these forums, and I would believe the limit is up to 128MB, so if the file is smaller than 128MB then you can just attach it to a private message to me on these forums.


Are any of the OA tasks waiting for something?   I don't know what normally happens in XP during a shutdown; do tasks like OA get stopped, or does XP just decide that enough of the core services have stopped or reached a certain state of quiescence, and go to the next stage of the shutdown?   I have noticed that explorer seems to have stopped ok, when I bring up task manager prior to telling XP to shut for the second time.  But I have no idea what should happen next.

 

(I hate this; I used to work as an MVS systems programmer, and knew how to examine MVS standalone dumps to see why a system was stalled.  But I can't do it for XP.)


> Are any of the OA tasks waiting for something?

According to Andrey, the memory dump showed that Online Armor wasn't blocking anything. That's why he wanted to see Debug Logs, as he's fairly certain that they will contain more information than the memory dump.

> I don't know what normally happens in XP during a shutdown; do tasks like OA get stopped, or does XP just decide that enough of the core services have stopped or reached a certain state of quiescence, and go to the next stage of the shutdown?

Windows sends a signal to each process asking them to terminate. This allows for each process to terminate on its own, so that they can save any data they need to and close any open file or registry handles.


Windows sends a signal...   do tasks which get this signal shut down in a random order, or do they do so within the hierarchy of dependencies that exists between system-started tasks/services?

 

I wonder if in the dump you've got you can see whether the OA and EAM services have been told to shut down yet?


... or in fact why all the still-running tasks have not yet shut down.  Are those that are still running waiting for one of their number to stop before they do?


Services are handled differently than normal applications. There is a specific order that they will start in, and I would believe they also shut down in a specific order. Normal applications begin closing once they receive the signal to terminate, which should be sent as soon as you tell Windows to shut down. Windows will wait until applications are able to save their data and terminate before it actually shuts down.


I think we're back to the dump then... does it show why the OA and/or EAM services have not shut down?  Are they waiting for something else - what? - to happen?


I don't think it did. Security software is often designed to shut down after other services, so it may have just been waiting on whatever was hanging to shut down.


You need to close Emsisoft Anti-Malware's Guard by right-clicking on the System Tray icon and selecting Shut down Guard. After that, you need to stop the Emsisoft Anti-Malware Service. Click on the Start button, click Run, type in services.msc, and scroll down until you find the service. Just right-click on it and select Stop.

This process can be automated with a batch file, however you will need to disable Self protection in Emsisoft Anti-Malware and use a utility such as PsKill to terminate a2guard.exe before using the net command to stop the service. The proper syntax for using the net command to stop the service is as follows:

net stop a2AntiMalware
