On my corporate machine I had the issue where Windows would either:
I realized that when I didn’t use a hibernate file (powercfg /h off) scenario 2 would happen.
When troubleshooting the first scenario I configured the registry keys as described in “Windows feature lets you generate a memory dump file by using the keyboard” as can be found here. In order to get a full memory.dmp I configured the registry like described in KB254649. After that I initiated a shutdown and waited for a few minutes before creating a memory dump by holding down the right CTRL key and pressing the SCROLL LOCK key two times.
After rebooting the machine there was a file C:\Windows\Memory.dmp ready to be analyzed in the Windows Debugger. The interesting stack (thanks Rob Scheepens) turned out to be:
… | | WINLOGON.EXE!ShutdownWindowsWorkerThread | | |- WINLOGON.EXE!IsHiberboot | | | |- FMIFS.DLL!QueryIsDiskCheckScheduledForNextBoot | | | | |- FMIFS.DLL!QueryIsDiskCheckScheduledForNextBoot | | | | | |- FMIFS.DLL!InvokeAutoChk | | | | | | |- IFSUtil.DLL!IFS_SYSTEM::QueryCorruptionState …
I wasn’t sure why it was checking whether CHKDSK was scheduled for a next boot.
Since I also noticed the “IsHiberboot” part in the stack of the previous scenario, I enabled my hibernation file to check if this was to blame (using “Powercfg /h on").
After initiating a shutdown, nothing would happen except that winlogon.exe would take a 100% usage on a single core. After giving my PC a cold-reset I troubleshooting this using the following steps:
Note: If you don’t have the Windows 8 Performance Recorder installed, consult my previous blog for instructions:
I started Windows Performance Recorder, pressed Start and initiated a shutdown, waited a few minutes and finally pressed Save.
The result was a .ETL file which I loaded in Windows Performance Analyzer. We already know the problem is related to the process winlogon.exe as shown in Task Manager, so we need symbols to get more information. To configure this use “Trace/Configure Symbol Path” and entered the Microsoft Public Symbol path:
Now looking at the trace, we can confirm it’s winlogon.exe taking a 100% CPU usage on a single core:
Zooming in on the responsible thread and doing some stackwalking, the same stack was to blame:
Because the stack is identical to problem troubleshooted in scenario 1, we can confirm it’s the same issue.
The thing I didn’t understand was the QueryIsDiskCheckScheduledForNextBoot part. I looked in my registry to see if any CheckDisks (chkdsk) was scheduled and found this entry:
I searched the registry for HarddiskVolume7 but couldn’t find any other entry and realized this was a VHD that was mounted a while ago.
Turned out to be that in the past:
I followed up with the developers responsible for this code, turns out there might be a bug in autochk where it is not properly handling an explicit request to check a volume that no longer exists. This is currently being investigated.
The workaround is simple, remove this line from BootExecute:
autocheck autochk /m /f \Device\HarddiskVolum7
autocheck autochk /m /f \Device\HarddiskVolum7
If this info has helped you, please consider leaving a comment.
Wow! This article is amazing! Thanks you very much PWigle. Very sold, detailed and step by step covering of the resolution.
I've also helped to debug this in the technet forums:
Please create a KB article about this.
I would just like to thank you. I had the same problem with one of my drives and I stumbled upon this blog. It saved my bacon to say the least. Sadly I lost two hours of sleep (2pm at the moment) because of this Win8 stupidity,
YES! This was exactly the way to fix my computer! I was starting to get worried about having to format my PC after just finished to get things the way I like.
Thank you very much!
Great article !!!! It fixed my shutdown problem!
Great - looked for over an hour to find a fix - this exactly did it!
Awesome, worked here too. Thanks for sharing!
I'm having a problem with the winlogon.exe task gobbling up to 25% usage of my quad-core i7-920 after I've pressed Ctrl-Alt-Del to bring up the Lock screen on Windows 8 Pro 64-bit. This then prevents my PC from restarting or shutting down, forcing me to have to use the Reset button on the case.
I thought it might be caused by a third-party app that I have running in the background but after reading through this very informative post, it sounds remarkably similar to the problem I'm having; 25% CPU usage is obviously 100% of one of my four cores.
I will check my PC later today and hopefully this will be the fix. If so then I will report back and let you know in the hope that it will help other people who have the same problem.
@Darren, sounds like the same issue, if it isn't please contact me so we can grab a trace. (pwigle @ microsoft . com) Good luck!
will there be a hotfix to address this issue?
@ pwigle - Alas, my issue is not the same as yours and, unfortunately for me, I'm not proficient enough to understand how to use the Windows Performance Analyzer to identify what is causing it. I tried but I got horribly confused as to what I was doing. I did have an extra entry under HKLM\System\CurrentControlSet\Control\Session Manager for PDBoot but when I deleted it the issue still remained on rebooting. :(
The issue I have is rather strange... if I press Ctrl-Alt-Del to bring up the Lock screen then press Esc to exit it then winlogon.exe remains at 0% CPU use. If I right-click on the taskbar and select Task Manager then winlogon.exe remains at 0% CPU use.
However, if I press Ctrl-Alt-Del to go to the Lock screen then select Task Manager from there then I'm returned to the desktop without Task Manager opening and winlogon.exe shoots up to 15-25% CPU usage. This issue also occurs if I press Ctrl-Shift-Esc in an attempt to open Task Manager directly but it doesn't work and winlogon.exe shoots up to 15%+.
From that point, I can no longer use Ctrl-Alt -Del to go to the Lock Screen, athough I can still right-click on the taskbar to bring up Task Manager. When the high CPU bug occurs with winlogon.exe then I can no longer shutdown or restart as my PC just gets stuck and never completes its task. I then have to press the reset button on my case. As long as I don't press Ctrl-Shift-Esc or go to the Lock screen and select Task Manager then the winlogon.exe bug doesn't happen.
As I said, my issue is bizarre to say the least. I've tried disabling all startup apps and shutting down as many services as possible but the bug always returns if I do any of the things listed in the fourth paragraph. The only thing I haven't tried is booting into Safe mode to see if it happens there too...
Darren, if you can follow these steps I can analyze the trace for you:
1- Install the Windows Performance Toolkit like described here: blogs.technet.com/.../how-to-install-the-windows-8-performance-recorder.aspx
2 - Start "Windows Performance Recorder"
3 - Make sure that at "Performance Scenario" the default "General" is selected.
4 - Make sure that at "Detail Level" the default "Verbose" is selected.
5 - Hit Start
< repro the issue>
6 - Hit save
7- Hit cancel to stop tracing
8 - Zip the .ETL file that has been created
9 - Put the .ETL on a location I can download it and e-mail me the link (in case you don't have a location to store the .ETL let me know via e-mail and I'll open a workspace for you).
My e-mail address is pwigle @ microsoft . com (without the spaces).
In the last few months I have been buying and installing a number of Stardock apps, starting with Start8 and then I have subsequently installed Decor8, Fences 2, WindowsFX 5.1, ObjectDock 2.0 and finally ModernMix. I believe the issue I'm having has occurred since installing those but it may just be a coincidence as I disabled all of them during testing last night and the winlogon.exe issue still occurred. Also, because they do run in Safe mode and I was still getting that issue there as well that pretty much confirms they are not the cause but I felt I'd mention them as other than games, which is the primary use for my PC, I have not installed much else in the way of apps.
I'm wondering if the issue may be related to .NET Framework as I recently had problems with it when using ObjectDock but, unlike with earlier versions of Windows, there is no way to uninstall then reinstall it as it part of the operating system. Believe you me, I tried. That said, the NET Verify Tool reports that all of them are OK (from 2.0 to 4.5) but I'm not entirely convinced because I have a niggling issue with GeForce Experience not opening from the system tray icon for example (although it does open from the desktop shortcut). The current NET Repair Tool also only supports up to Windows 7 and 4.0 so is useless on Windows 8.
Anyway, enough of that! I'll install WPT tonight and run the recorder before I trigger the glitch and leave it running for 20-30 seconds. Do I need to select any of More Options shown at the bottom of Windows Performance Recorder or just leave it on default?
For some reason, the first part of my post has gone missing (it was quite a long post too!) so my existing reply looks a bit ignorant. Sorry about that.
Thanks for offering to help me. I do appreciate you offering your time. I have Dropbox so I have put the zipped .ETL files in their and send you the public link to the archive, hopefully later on tonight as I'm currently as work.