#1
Process Monitor Boot Log Discovery
So I downloaded Process Monitor, supposedly compatible with Win XP Pro.

I enabled boot logging. I booted. Everything hung at partial desktop icon loading. Re-booted. All came back. Phew! Looked at boot log files! I see all kinds of stuff (overwhelming) happening BUT how do I tell what is causing the slow boot? Is there a way to search for large time gaps? If not, how can I convert the log to a text file so I can use another app to search for time gaps? Or is that not the correct way to find slow booting apps? Suggestions please.
#2
XPHelp wrote:
> So I downloaded Process Monitor, supposedly compatible with Win XP Pro. I enabled boot logging. I booted. Everything hung at partial desktop icon loading. Re-booted. All came back. Phew! Looked at boot log files! I see all kinds of stuff (overwhelming) happening BUT how do I tell what is causing the slow boot? Is there a way to search for large time gaps? If not, how can I convert the log to a text file so I can use another app to search for time gaps? Or is that not the correct way to find slow booting apps? Suggestions please.

You can save the results as a native .PML file, which allows re-opening the file later. You can click the button to save in .CSV mode. That's comma separated variable, suitable for usage in Excel. I use that mode, and open the file in Notepad.

In Excel, if you opened the CSV file, could you work out the time difference between successive timestamps and make a separate column? Then plot delta_T versus event number, and look for a high spike in the delta_T. That's not a very effective algorithm and doesn't really function as a good indicator, but I can't really think of any other math right now.

Even if you sorted events by PID, and counted the events per second, I doubt that would mean anything either. Some PID could be doing I/O, in which case you'd have ReadFile/WriteFile/CreateFile calls. By sorting the items by PID, at least you'd have some idea how many processes are in your trace.

In the menu Tools : Count Occurrence, you can select "Process" and get a table of processes and the number of events they generated. The program does have some statistics info it can capture itself.

The main problem I have with Windows is the usage of SVCHOSTs and hiding stuff inside, and how hard that makes analysis later. Process Explorer allows "looking inside" a process (if you run the program as Administrator), but when boot logging or logging during a shutdown, that option isn't available to you.

Paul
#3
Paul wrote:
> In Excel, if you opened the CSV file, could you work out the time difference between successive timestamps and make a separate column? Then plot delta_T versus event number, and look for a high spike in the delta_T. That's not a very effective algorithm and doesn't really function as a good indicator, but I can't really think of any other math right now.

Doesn't that algorithm presume that drivers, system files, services, and whatnot all load in serial fashion, which is not what happens on Windows startup? For example, when starting a process, the OS doesn't wait until that service reports itself in "started" status. Starting a service is asynchronous: start one, start another, etc, and monitor for commit status up to some timeout (i.e., service not responding) but not waiting for each service to finish starting.

Most users don't realize there is a boot-time disk defrag that happens. They think that manually running a defragmenter or scheduling it is the only time it runs. They may even use a 3rd party defragger without realizing that some of its work gets undone by Microsoft's own defragger that runs on boot (every defragger seems to think it has a more perfect layout so using more than one means they conflict on what goes where). If using a 3rd party defragger then make sure to disable the boot-time defrag (a registry setting), or stick with using/scheduling the MS defrag tool so it doesn't conflict with the layout used by the same defragger used at boot time.

Windows startup loads drivers and there is a delay waiting for the devices to return status. The OP might want to disconnect all peripheral devices, like USB drives or printers or anything else USB (except mouse and keyboard), and check boot time without having to wait for all those devices to initialize.

The OP never even mentioned if he disabled all startup programs to check how much change there would be for the boot time. Tis a lot easier to disable all startup programs, test for boot time, and then enable them one at a time to see if one of them causes a much longer delay. Even starting Windows in its safe mode would eliminate all those startup programs and non-critical services due to all the software that the OP installed.

https://helgeklein.com/blog/2013/07/...rder-analyzer/

I have the Home edition of Windows 7 so WPR or Xperf aren't available on it (the tribulations of dealing with non-Pro editions). Doesn't look like something available for Windows XP, either.

Looks like xperf is available back on Windows XP; however, available and usable aren't necessarily the same. Those tools have to be copied from a Vista+ host back to an XP host.

https://blogs.msdn.microsoft.com/pig...upport-for-xp/
https://support.microsoft.com/en-us/...d-logon-traces
https://blogs.technet.microsoft.com/...tion-to-xperf/

I remember something called bootvis back on Windows XP, and found:

http://www.windowsdevcenter.com/pub/...ap1/index.html
http://www.majorgeeks.com/files/details/bootvis.html

I have never used any of these boot analyzers to know if they are better, worse, or the same as the boot monitor log in Process Monitor.

http://www.techrepublic.com/article/...t-performance/
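The delta_T calculation from post #2, together with the per-process view that the objection in post #3 calls for, as an added example that is not part of the original thread. It assumes the default Process Monitor CSV columns ("Time of Day", "Process Name", "PID", "Operation", ...) and a 12-hour or 24-hour time of day with seven fractional digits; the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the assumed default Process Monitor CSV layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:00:01.1000000 AM","smss.exe","404","CreateFile","C:\sample\a","SUCCESS",""
"9:00:01.3000000 AM","svchost.exe","960","RegOpenKey","HKLM\Sample","SUCCESS",""
"9:00:01.9000000 AM","winlogon.exe","628","ReadFile","C:\sample\b","SUCCESS",""
"9:00:05.0000000 AM","svchost.exe","960","ReadFile","C:\sample\c","SUCCESS",""
"9:00:09.0000000 AM","svchost.exe","960","ReadFile","C:\sample\c","SUCCESS",""
"9:00:13.0000000 AM","svchost.exe","960","WriteFile","C:\sample\d","SUCCESS",""
"9:00:14.6000000 AM","winlogon.exe","628","CreateFile","C:\sample\e","SUCCESS",""
'''

def parse_time(text):
    # Seven fractional digits are written; strptime's %f accepts at most six.
    clock, _, ampm = text.strip().partition(" ")
    hms, _, frac = clock.partition(".")
    fmt = "%I:%M:%S %p" if ampm else "%H:%M:%S"
    stamp = datetime.strptime(f"{hms} {ampm}".strip(), fmt)
    return stamp + timedelta(microseconds=int((frac + "000000")[:6]))

def load_events(handle):
    return [(parse_time(r["Time of Day"]), r["Process Name"], r["PID"], r["Operation"])
            for r in csv.DictReader(handle)]

def largest_gaps(events, top=3):
    """Global delta_T: time between each event and the one logged before it."""
    gaps = [(b[0] - a[0], a, b) for a, b in zip(events, events[1:])]
    return sorted(gaps, key=lambda g: g[0], reverse=True)[:top]

def per_process_gaps(events, top=3):
    """Longest silence of each (name, PID); overlapping activity hides it globally."""
    last, worst = {}, {}
    for when, name, pid, _op in events:
        key = (name, pid)
        if key in last:
            worst[key] = max(worst.get(key, timedelta(0)), when - last[key])
        last[key] = when
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)[:top]

def count_by_process(events):
    # Same tally as Tools : Count Occurrences with "Process" selected.
    return Counter(name for _when, name, _pid, _op in events)

if __name__ == "__main__":
    events = load_events(io.StringIO(SAMPLE_CSV))
    print(largest_gaps(events, 1), per_process_gaps(events), count_by_process(events), sep="\n")
```

For a real export, pass `open(path, newline="", encoding="utf-8-sig")` to `load_events`. The column holds a time of day only, so a trace that crosses midnight needs a day offset added before the gaps are computed.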
#4
"XPHelp" wrote in message news
> So I downloaded Process Monitor, supposedly compatible with Win XP Pro. I enabled boot logging. I booted. Everything hung at partial desktop icon loading. Re-booted. All came back. Phew! Looked at boot log files! I see all kinds of stuff (overwhelming) happening BUT how do I tell what is causing the slow boot? Is there a way to search for large time gaps? If not, how can I convert the log to a text file so I can use another app to search for time gaps? Or is that not the correct way to find slow booting apps? Suggestions please.

Start
Setting
Control Panel
Automatic Updates
Turn Off Automatic Updates
Then Reboot
The time gaps Will Go Away
#5
On Wed, 14 Jun 2017 23:06:38 +0100, VanguardLH wrote:
> Most users don't realize there is a boot-time disk defrag that happens. They think that manually running a defragmenter or scheduling it is the only time it runs. They may even use a 3rd party defragger without

I don't realise it. (I don't think it happens in XP)

--
Bah, and indeed, Humbug
#6
Kerr Mudd-John wrote:
> On Wed, 14 Jun 2017 23:06:38 +0100, VanguardLH wrote:
>> Most users don't realize there is a boot-time disk defrag that happens. They think that manually running a defragmenter or scheduling it is the only time it runs. They may even use a 3rd party defragger without
>
> I don't realise it. (I don't think it happens in XP)

You can find mention of it.

https://forum.piriform.com/?showtopic=29682

While you normally think of dfrg being something you "run on demand for your own self", the system can run it with a different parameter, as in "dfrg -b" when the system is idle.

I wouldn't have known anything about this process, except it got stuck in a loop on my WinXP and I had to do something to fix it. It was reading and writing to the same sector over and over again, as the "calc" to figure out the optimal position ended up being the same sector the file was already in.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction
Enable Y -- N

Since the flag is a boolean, and is instead stored as a "letter" instead of the normal DWORD 0 or 1, I have to guess this was something President Software added to the design, and not Microsoft. That's my guess. As otherwise, storing a boolean like that is... goofy.

In my case, I could hear a slightly weird sound coming from the HDD, and that's when I got curious enough to run Process Monitor and see what the hell was going on.

Paul
#7
What automatic updates? Only Windows or other app too?

> Start
> Setting
> Control Panel
> Automatic Updates
> Turn Off Automatic Updates
> Then Reboot
> The time gaps Will Go Away
#8
Kerr Mudd-John wrote:
> VanguardLH wrote:
>> Most users don't realize there is a boot-time disk defrag that happens. They think that manually running a defragmenter or scheduling it is the only time it runs. They may even use a 3rd party defragger without
>
> I don't realise it. (I don't think it happens in XP)

https://technet.microsoft.com/en-us/...(v=WS.10).aspx

Microsoft has destroyed many of their KB articles about Windows XP; that is, pages that existed for Windows XP have disappeared. The date for the above article was 2003. XP was released in 2001. Even if I tried, I suspect the XP article about BootOptimizeFunction is long gone. If a registry entry is missing then its default is used. The default is BootOptimizeFunction = Y (enabled).

My recollection for workstation editions of Windows is that boot time defrag first showed up in XP. I remember trialing several 3rd party free or trial versions of defragmenters and one of them changed the BootOptimizeFunction key's Enable value.

The folks below are discussing XP (notice mention of the BootOptimizeFunction key and the Enable data item):

https://social.technet.microsoft.com...orum=itproxpsp
https://social.technet.microsoft.com...orum=itproxpsp
https://forum.piriform.com/index.php...82#entry177610

I think the 2nd setting is about PreFetch. It mentions:

https://msdn.microsoft.com/en-us/lib...bedded.5).aspx

Alas, Microsoft did not bother to list for which versions of Windows or editions thereof that this article is applicable; however, there is mention of Windows XP.

I've seen mention of using TweakUI to disable boot time defrag. TweakUI was part of the Windows XP Powertoys (that Microsoft pulled awhile back so have to find it archived somewhere else). All I found was mention of an "optimize" option but not enough information about what it does.

Something XP users can check is if there is a scheduled event in Task Scheduler to run a defrag. If it is there and enabled, that must also be disabled when using a 3rd-party defragger.
#9
On Sun, 18 Jun 2017 12:00:47 +0100, Paul wrote:
> Kerr Mudd-John wrote:
>> On Wed, 14 Jun 2017 23:06:38 +0100, VanguardLH wrote:
>>> Most users don't realize there is a boot-time disk defrag that happens. They think that manually running a defragmenter or scheduling it is the only time it runs. They may even use a 3rd party defragger without
>>
>> I don't realise it. (I don't think it happens in XP)
>
> You can find mention of it.
>
> https://forum.piriform.com/?showtopic=29682
>
> While you normally think of dfrg being something you "run on demand for your own self", the system can run it with a different parameter, as in "dfrg -b" when the system is idle.

Well I'll be; there's still stuff I'm learning about ye olde XP!

> I wouldn't have known anything about this process, except it got stuck in a loop on my WinXP and I had to do something to fix it. It was reading and writing to the same sector over and over again, as the "calc" to figure out the optimal position ended up being the same sector the file was already in.
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction
> Enable Y -- N
>
> Since the flag is a boolean, and is instead stored as a "letter" instead of the normal DWORD 0 or 1, I have to guess this was something President Software added to the design, and not Microsoft. That's my guess. As otherwise, storing a boolean like that is... goofy.
>
> In my case, I could hear a slightly weird sound coming from the HDD, and that's when I got curious enough to run Process Monitor and see what the hell was going on.
>
> Paul

--
Bah, and indeed, Humbug