Using Process Monitor to Solve Slow Boot Problems
To diagnose the reasons for a slow Windows boot, there are a number of quite powerful tools and log-analysis techniques that allow detailed debugging of every step of system boot and service startup (xperf/xbootmgr from the Windows Performance Toolkit / Analyzer). However, using them can be troublesome, especially for a beginning system administrator. In this article we'll show how to easily and quickly detect which apps, services and drivers work slowly during system startup and thus increase the total boot time.
Certainly, all Windows system administrators should be familiar with Process Monitor from the Sysinternals utilities kit. Process Monitor allows monitoring the activity of running processes and their access to the file system and the registry in real time. One of the little-known Process Monitor features is the ability to enable monitoring of processes started during Windows startup.
To diagnose the boot stage, Process Monitor creates a separate service in the HKLM\SYSTEM\CurrentControlSet\Services section of the registry. This service loads the boot-mode driver procmon23.sys, which starts after Winload.exe is launched and logs the activity of all processes run during system boot and user logon.
1. Download and unpack the archive containing Process Monitor (http://download.sysinternals.com/files/ProcessMonitor.zip)
2. Run procmon.exe with administrator privileges
3. Select Enable Boot Logging in the Options menu
4. In the next window, select Generate thread profiling events -> Every second. In this mode, the procmon driver will capture the state of all processes every second
5. Restart your computer and wait till your desktop appears
6. procmon23.sys will log all events until a user starts Process Monitor. After that the boot logging mode is disabled
7. In the Process Monitor window, accept the offer to save the collected data to a file.
Note. If you don't stop Process Monitor, the temporary log file %windir%\procmon.pmb will eventually take up all free space on the system drive.
8. Select the directory you want to save the file to and wait till it is saved. In my case, three files, Bootlog.pml, Bootlog-1.pml and Bootlog-2.pml, with a total size of 700 MB appeared in the target directory.
9. In the ProcMon window, click the header of the table, then click Select Columns and enable display of the Duration column
10. Create a new filter in the Filter menu.
11. Select Duration as the filter parameter, "more than" as the filter condition, and specify the value 10.
12. As a result, the list will contain only the processes that spent more than 10 seconds performing some operation. (I have chosen 10 seconds to make the example more demonstrative.)
13. To analyze the boot process, you can also use the Tools -> Process Tree feature, which displays all processes as a graphical tree containing information about the start, duration and completion of each process.
Now you only have to analyze the resulting list of processes (if necessary, you can carry out further analysis of a problem process by enabling a filter on the name of its executable file), match the processes to services, apps or drivers, and optimize your system. As a rule, this type of analysis helps to detect slow processes and infected programs (first of all, you should analyze the child processes of Winlogon.exe), decide whether to uninstall or update the problem software or driver, disable some services or change their start type (delayed or manual start), and remove some apps from Autostart. Antivirus software and other resource-consuming software often end up on this list.
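Once the boot log is saved, the same "Duration more than 10" filter and the Winlogon child-process check can also be applied offline to a CSV export of the log (File -> Save, CSV format). The following Python script is an added example, not part of the original article or of Process Monitor itself; its CSV sample is constructed, and it assumes the Duration and Parent PID columns were enabled before the export so that the header names match. It goes slightly beyond the article's single threshold filter by also totalling durations per process name.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor boot log exported as CSV (File -> Save, CSV),
# with the Duration and Parent PID columns enabled. Every value here is made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Parent PID","Operation","Path","Result","Duration"
"7:01:02.1234567 AM","System","4","0","Load Image","C:\\Windows\\System32\\drivers\\procmon23.sys","SUCCESS","0.0001230"
"7:01:05.0000000 AM","winlogon.exe","612","540","Process Create","C:\\Windows\\System32\\userinit.exe","SUCCESS","0.0005000"
"7:01:06.0000000 AM","services.exe","560","468","Process Start","C:\\Windows\\System32\\svchost.exe","SUCCESS","12.5000000"
"7:01:07.0000000 AM","avscan.exe","1200","560","ReadFile","C:\\ProgramData\\AV\\signatures.dat","SUCCESS","15.2500000"
"7:01:08.0000000 AM","avscan.exe","1200","560","ReadFile","C:\\ProgramData\\AV\\engine.dll","SUCCESS","0.0200000"
"7:01:09.0000000 AM","userinit.exe","880","612","Process Create","C:\\Windows\\explorer.exe","SUCCESS","0.0030000"
"""

def parse_procmon_csv(text):
    """Parse the export into dicts; Duration becomes float seconds, PIDs become ints."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["PID"] = int(row["PID"])
        row["Parent PID"] = int(row["Parent PID"])
        row["Duration"] = float(row["Duration"])
        events.append(row)
    return events

def slow_events(events, threshold=10.0):
    """The article's 'Duration more than 10' filter: single operations longer than threshold seconds."""
    return [e for e in events if e["Duration"] > threshold]

def per_process_summary(events):
    """Total/max duration and event count per process name, largest total first."""
    summary = defaultdict(lambda: {"total": 0.0, "max": 0.0, "events": 0})
    for e in events:
        s = summary[e["Process Name"]]
        s["total"] += e["Duration"]
        s["max"] = max(s["max"], e["Duration"])
        s["events"] += 1
    return dict(sorted(summary.items(), key=lambda kv: kv[1]["total"], reverse=True))

def children_of(events, parent_name):
    """Names of processes whose parent is parent_name (the article's winlogon.exe check)."""
    parent_pids = {e["PID"] for e in events if e["Process Name"].lower() == parent_name.lower()}
    return sorted({e["Process Name"] for e in events if e["Parent PID"] in parent_pids})

if __name__ == "__main__":
    evts = parse_procmon_csv(SAMPLE_CSV)
    print(per_process_summary(slow_events(evts)), children_of(evts, "winlogon.exe"))
```

On a real export, a process that appears with many short operations but a large total is worth as much attention as one with a single 10-second operation, which is why the summary totals durations per process.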