Trouble using Process Monitor to trace a cold boot

  • Question

  • Hello fellow travelers,

    I understand and believe that one can use Process Monitor to trace a cold boot.  However, I have not been able to get it to work.  Apparently there is some consideration or a secret switch that I don't know about.  Perhaps there is someone out there who has been down this road ahead of me that might be able to help me to get unstuck.  Here is what I have done.

    Download Process Monitor.  It works fine for monitoring processes in real time.  I have version  It has 2,046,608 bytes.  When I run it, it shows up in the Process Explorer as Procmon.exe with a child process Procmon64.exe.  I am running 64 bit Windows 7 on a Lenovo S431 notebook PC.

    I run Process Monitor with Administrator Privileges in my personal account which is an administrator account.

    When I open the program it begins to capture events immediately.  I turn off capture.

    Backing Files is set to Use Virtual Memory.  I have also tried setting backing files to a file on my desktop.

    I next select Options --> Enable Boot Logging

    A popup box comes up presenting a checkbox to enable thread profiling events.  I have tried checking the box, and not checking the box.  After this I select yes.

    I get out of everything except Process Monitor.

    At this point I have tried this two ways.  One of the ways is to turn on Process Monitor Capture again.  The other is to leave it off.

    At this point I have tried two things.  I have tried selecting File --> Exit and then Shutdown to shutdown the PC.  I have also tried going directly to shutdown the PC without getting out of Process Monitor.

    In either case the PC shuts down.  In some cases I have had to force a closure of Process Monitor during the shutdown.  In other cases I have not had to do that.

    After the machine is down, I wait 30 seconds and hit the power button to start the cold boot.

    After 5 minutes 9 seconds the log prompt comes up and I log in.  I wait five minutes for the boot/login process to complete.

    I open Process Monitor.

    At this point I expect to be asked whether to overwrite the Process Monitor log file with the results of this latest run.  I don't get this prompt.  At this point Process Monitor sits and thinks.  It has never once not done that.  Most of the time I lose patience within 15 minutes or so.  On one occasion I waited 3 hours and 42 minutes before I gave up.  With Process Monitor in this mode the process cannot be killed in any way I know how.  It cannot be killed from Process Explorer or Task Manager.  It cannot be killed with taskkill from a command prompt with elevated privileges.  The only way that I have discovered to kill the process is to shut down the computer, and then after letting it sit at the Shutting Down screen for 1 to 10 minutes, push and hold the power button to force a shutdown.  When the machine next comes up Process Monitor behaves normally again.

    Does anyone out there see what I am not seeing?

    Thank you for any help.

    Monday, May 9, 2016 8:01 PM

All replies

  • Hello,

    I have been many places on the web looking to discover how to trace a cold boot.  I have an 8 minute cold boot and a 1+ minute restart.  From what I read about xbootmgr it just does restarts.  I don't want to trace a boot that is part of a restart.

    Also, I have tried many things and none have helped.  For example, cold boots into Safe mode are almost 8 minutes.  Cold boots to a very minimal operating system take almost 8 minutes.

    I would very much appreciate it if a knowledgeable person would tell me how to do it, or if it is not possible, to tell me that so I can stop looking.  In the case where it is not possible I would very much like to learn why that is so.  It seems like a very sensible, basic capability.

    Thank you

    Dudgeonous Tweet

    • Merged by ZigZag3143x Tuesday, May 10, 2016 2:05 PM Same topic
    Tuesday, April 26, 2016 3:49 PM
  • I don’t know if you think you have a driver problem, but you could boot to Safe Mode and choose Enable Boot Logging, which lists all the drivers that were successfully and unsuccessfully loaded. The log can be found in NTBTLOG.TXT.

    Ninety-nine per cent of politicians give the rest a bad name!

    Tuesday, April 26, 2016 4:46 PM
  • Thank you for your reply. 

    Yes, I have done that.  I neglected to mention it.  It just lists drivers.  With all non-Microsoft services disabled and all startup items disabled it still loads 153 drivers.  With a normal boot it is 176 drivers.  But they both take about 8 minutes.

    And I get the same lists when I do the 1+ minute restart.

    Dudgeonous Tweet

    Tuesday, April 26, 2016 5:04 PM
  • To check if a particular program or hardware device is slowing the machine when you switch on, e.g. an antivirus program, go to Control Panel > All Control Panel Items > Performance Information and Tools > Advanced Tools (in the left pane). The problem is sometimes shown on this screen, although you may have to click View performance details in the Event log and follow up any errors marked in red.

    If the problem isn’t shown, open a Command Prompt as Administrator. Copy and paste or type wevtutil qe Microsoft-Windows-Diagnostics-Performance/Operational /f:text > %userprofile%\Desktop\Event.txt (note the five spaces) and press Enter. If you Copy and Paste the command, use mouse right-click to paste it into the prompt. Close the Command Prompt and double-click Event.txt on the Desktop to open it. Go to the end of the file (Ctrl+End) to see the most recent events. Those with an Event ID in the 100 series are start up events. There may possibly be a name or reason in the event listing.

    Ninety-nine per cent of politicians give the rest a bad name!

    • Edited by BurrWalnut Tuesday, April 26, 2016 5:27 PM Typing error
    Tuesday, April 26, 2016 5:18 PM
  • Yours was a very helpful reply. Thank you.

    I had not been to the Diagnostics-Performance section of the Event Viewer before.  There are events listed there that I had not seen.  One was a warning drawing attention to about 2 seconds worth of degradation due to GWXUX.exe.

    The other was flagged "Critical".  The text is:

    Windows has started up:

    Boot Duration : 391585ms

    IsDegradation : false

    In the detailed section of the event report the boot duration is broken down.  A list of the longest times are:


    Tuesday, April 26, 2016 6:27 PM
  • First off, let’s explain what GWXUX.exe does. This application is in charge of updating your Windows 7, Windows 8 or Windows 8.1 to Windows 10. If you’re using older version of Windows, you’ve probably noticed the little icon in your Taskbar that asks you to update to Windows 10. That is GWXUX.exe, it scans your computer in order to see if you’re compatible to upgrade to Windows 10, and it informs you when the update is ready to be downloaded. However, after clicking the icon and trying to update to Windows 10 many users have received an Application Error. If you’re having this problem, don’t worry, there is a way that you can fix this.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, April 26, 2016 6:34 PM
  • Something happened to eat my reply. As I was typing:

    MainPathBootTime: 338085

    BootDevicesInitTime: 259811

    BootExplorerInitTime: 41787

    BootPostBootTime: 53500

    BootPNPInitStartTimeMS: 259846

    SystemPNPInitStartTimeMS: 262719

    SessionInitStartTimeMS: 263937

    WinLogonStartTimeMS: 276650

    Windows and I agree that these startup times are very long.

    This is not a trace but it is more progress than I have made in a while.

    Thank you.

    Dudgeonous Tweet

    Tuesday, April 26, 2016 6:35 PM
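The numbers in the post above are the fields of the Event ID 100 record that the wevtutil query from BurrWalnut's earlier reply pulls out of the Microsoft-Windows-Diagnostics-Performance/Operational log. The script below is an added example, not code from this thread or from Microsoft: it parses the XML form of such a record (as exported by `wevtutil qe ... /f:xml`, an assumed invocation) from a constructed sample that carries the timings quoted above, checks that MainPathBootTime plus BootPostBootTime equals the reported boot duration, and splits the main boot path into phases. Two assumptions are labelled in the code: that the "Boot Duration" value is stored under the name BootTime, and that the *StartTimeMS fields are millisecond offsets from the start of the boot.

```python
"""Break a Windows 7 boot-performance event (Event ID 100) into phases.

Added example for the thread, not the forum's or Microsoft's code.
Export the real records with (assumed invocation):
    wevtutil qe Microsoft-Windows-Diagnostics-Performance/Operational /f:xml
and pass the text to parse_events().
"""
import xml.etree.ElementTree as ET

# Constructed sample: one Event ID 100 record with the millisecond values
# quoted in the thread. The <Data Name="..."> layout follows the Windows
# EventData convention; the name "BootTime" for "Boot Duration" is an
# assumption.
SAMPLE_XML = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>100</EventID><Level>1</Level></System>
  <EventData>
    <Data Name="BootTime">391585</Data>
    <Data Name="MainPathBootTime">338085</Data>
    <Data Name="BootDevicesInitTime">259811</Data>
    <Data Name="BootExplorerInitTime">41787</Data>
    <Data Name="BootPostBootTime">53500</Data>
    <Data Name="BootPNPInitStartTimeMS">259846</Data>
    <Data Name="SystemPNPInitStartTimeMS">262719</Data>
    <Data Name="SessionInitStartTimeMS">263937</Data>
    <Data Name="WinLogonStartTimeMS">276650</Data>
  </EventData>
</Event>
"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_events(xml_text):
    """Return one {field: int} dict per Event ID 100 record.

    wevtutil /f:xml emits bare <Event> elements with no root, so the text
    is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "100":
            continue
        data = {}
        for d in ev.findall("e:EventData/e:Data", NS):
            try:
                data[d.get("Name")] = int(d.text)
            except (TypeError, ValueError):
                pass  # non-numeric fields are not needed here
        records.append(data)
    return records


def consistent(rec):
    """Main path + post-boot should add up to the reported boot duration."""
    return rec["MainPathBootTime"] + rec["BootPostBootTime"] == rec["BootTime"]


def phase_durations(rec):
    """Split MainPathBootTime into consecutive phases.

    Assumption: the *StartTimeMS fields are offsets in ms from boot start,
    so each phase runs from its marker to the next marker."""
    markers = [
        ("kernel and device init", 0),
        ("boot PnP init", rec["BootPNPInitStartTimeMS"]),
        ("system PnP init", rec["SystemPNPInitStartTimeMS"]),
        ("session init", rec["SessionInitStartTimeMS"]),
        ("winlogon to desktop", rec["WinLogonStartTimeMS"]),
        ("end of main path", rec["MainPathBootTime"]),
    ]
    phases = [(name, nxt - start)
              for (name, start), (_, nxt) in zip(markers, markers[1:])]
    phases.append(("post-boot settling", rec["BootPostBootTime"]))
    return phases


def dominant_phase(rec):
    """Name, length in ms and share of total boot time of the longest phase."""
    name, ms = max(phase_durations(rec), key=lambda p: p[1])
    return name, ms, round(100.0 * ms / rec["BootTime"], 1)


def fmt_ms(ms):
    return "%d min %d sec" % divmod(ms // 1000, 60)


if __name__ == "__main__":
    for rec in parse_events(SAMPLE_XML):
        print("boot duration %s, fields consistent: %s"
              % (fmt_ms(rec["BootTime"]), consistent(rec)))
        for name, ms in phase_durations(rec):
            print("  %-24s %s" % (name, fmt_ms(ms)))
        print("dominant phase: %s (%s, %.1f%%)" % dominant_phase(rec))
```

Run against a real export, the consistency check flags records whose fields do not add up (a sign the record is not the one you think it is), and the phase split shows at a glance which stretch of the pre-logon path the time goes into, rather than leaving that to be read off the raw field list.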
  • I’m glad you’re getting somewhere with it.

    Ninety-nine per cent of politicians give the rest a bad name!

    Tuesday, April 26, 2016 6:41 PM
  • Is this Diagnostic-Performance section in the Event Viewer the closest I will get to a cold boot trace? 

    Thank you.


    Tuesday, April 26, 2016 6:59 PM
  • The only other diagnostics I use are these, which, admittedly, are après boot but may be of some help to you:

    1. To see which tasks are running, open a Run window, type cmd /k tasklist /svc (note the three spaces) and press Enter. To get a better description of the associated Service(s), go to Task Manager > Processes Tab and on a specific Svchost, right-click it > Go to Service(s) to see all the Services, which are highlighted.

    2. Alternatively, use Process Explorer to see which services/programs are using which files. To determine which process is using a particular file, click Find at the top, type the name of the file and click Search. To see the svchost processes, let the mouse pointer hover over each svchost.exe in the left pane. Run it from here http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

    Ninety-nine per cent of politicians give the rest a bad name!

    • Edited by BurrWalnut Wednesday, April 27, 2016 7:49 AM
    Wednesday, April 27, 2016 7:17 AM
  • Hi DudgeonousTweet1,


    I found an article may help you, please refer to the link:

    How to collect a good boot trace on Windows 7:



    Best Regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by ZigZag3143x Wednesday, April 27, 2016 12:08 PM
    • Unproposed as answer by DudgeonousTweet1 Wednesday, April 27, 2016 3:49 PM
    Wednesday, April 27, 2016 11:52 AM
    Thanks for this.  I appreciate your attention to my problem.  I have been to both these places after having discovered them in the usual manner -- Brownian Motion.

    Your answer does lend support to the conclusion that there is not a way to do what I want to do.

    Thank you.

    Wednesday, April 27, 2016 3:37 PM
  • This is a helpful reply.  Thank you for it.

    It appears to be worth doing for its own sake.  I have not done it yet so I cannot be sure but it appears that it does a restart.  It seems like it would allow me to very carefully scrutinize the boot that is fast on my machine (a restart) but leaves me unable to carefully scrutinize a boot that is slow (my 8 minute cold boot).

    With the caveat that I have not yet done it, it seems likely that this very good suggestion does amount to something other than a cold boot trace.

    If there is no way to do it, could we get someone with a gazillion points to swoop down and say so?  That one little photon of information would be of interest to many people.

    But I do appreciate these replies that I am getting.  Thank you.

    Wednesday, April 27, 2016 3:48 PM
  • Hi,

    We haven’t heard from you in a couple of days, have you solved the problem? We are looking forward to your good news.

    Best Regards,

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, May 3, 2016 7:35 AM
  • Hello,

    No.  The problem is still there.  My cold boot time is a rock solid 8 minutes 14 seconds.  I would like to turn on a trace so that I can see what is going on during those 8 minutes.  I have gotten a lot of advice on how to trace a restart, on this forum and on others, but my restart completes in 1 minute 15 seconds so I am not interested in tracing that.

    I still don't know how to trace a cold boot.  On my PC booting the PC is booting Windows 7.  There is nothing less than that.  It takes 8 minutes 14 seconds to cold boot into Safe Mode.  It takes 8 minutes 14 seconds to cold boot into a clean boot.  It takes 8 minutes 14 seconds to cold boot into a clean boot with no networking devices enabled (wireless radio turned off).  That is as small as I have gone.

    I have thought about going below a clean boot by disabling more devices and ever larger numbers of Microsoft services, but I am concerned about throwing out one too many and turning my computer into a brick.

    Since it is Windows 7 I am cold booting, I had been expecting that someone knowledgeable about Windows 7 would know how to trace a cold boot.

    If it is not possible to trace a cold boot I would have expected someone knowledgeable about Windows 7 would have been willing to tell me that.

    The fact that I have had no luck yet in getting anyone to address the question makes me wonder if it is an indelicate question that should not be asked.

    If that is the case, could someone in a position to know tell me that?  Then I would stop asking.

    Thank you.

    Tuesday, May 3, 2016 1:32 PM
    Process Monitor can be used to enable boot logging.  We could also use it to trace a cold boot.  Please try it.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Sunday, May 8, 2016 11:21 AM
  • Yes.

    This is a very good answer.  Thank you. 

    I will mark this as the answer.  I believe that this ought to be the answer.   At this point I will take it on faith that this is the answer.

    Sadly, I have invested most of two days without being able to prove that this is the answer.  I will keep trying, but I think I need some help.  After closing this post by accepting this answer I will open a second one with the title, Trouble using Process Monitor to trace a cold boot.

    Thank you for your help.

    Monday, May 9, 2016 7:21 PM
  • Hello,

    I have added to my list of unsuccessful attempts.  I turned off the radio so there is no network connection.  I disabled Malwarebytes Antimalware.  I was not able to disable Microsoft Antimalware Service (MsMpEng.exe).  There appears to be no way to turn it off short of uninstalling it.  I then started Process Monitor and set it up for boot logging.  I shut down the machine and did a cold boot.  After the machine came up I opened Process Monitor again.  It sat and thought.  I gave it 12 hours and 52 minutes to get done with what it was doing.  No luck.

    So far I have not been able to get boot logging to work on a cold boot.  Does anyone have a suggestion as to what else I might try?

    Thank you for any help.

    Tuesday, May 10, 2016 1:50 PM
  • Hi DudgeonousTweet1,

    According to your description, only a cold boot needs much time, so I suspect that the BIOS or hardware may have a problem.  We could only use Process Monitor to get a trace when the computer logs on.  I suggest that we update the BIOS to the latest version and check your hard disk for errors in Windows 7 in the link below


    Hope it will be helpful to you.

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, May 12, 2016 11:48 AM
  • Hello Carl,

    I know that this thread is hard to read because the order got scrambled when two threads got munged into one.  The first thread had the title, "How do you trace a cold boot?".  This thread starts with the post that is the second from the top and extends to my post on May 9.  In that post I marked Tony Tao's post as the answer.  Apparently he believes that Process Monitor can be used to trace a cold boot.  I took his answer as a jumping off point and have since come to believe that also.  I have seen a lot of chatter on the web that seems to indicate that it can be done.  Sadly, I cannot yet prove it.  It was this inability to get it to work that brought me to post this second thread with the title, "Trouble using Process Monitor to trace a cold boot."  That thread is the first one at the top and then the last two including yours and now this one.

    Since my last post (May 10) I have tried many things.  I am trying to get Process Monitor to log a cold boot on a Lenovo S431 notebook computer running Windows 7 Home Premium.  It is a 64 bit machine.  Among the things that I have tried are:

    I had my laptop set up in the BIOS/UEFI Setup screen to do an extended Power on Self Test.  It is now back to a normal boot.  That did not help.

    I turned off boot logging that was set up in msconfig.  That did not work.

    I turned off log OS information that was set up in msconfig.  That did not work.

    I turned off Firewall and Real Time Antimalware protection.  That did not work.

    I took the notebook computer out of its docking station.  That did not work.

    I tried Process Monitor with a backing file defined.  That did not work.

    I tried Process Monitor while relying on Virtual Memory rather than the backing file.  That did not work.

    I tried launching Process Monitor from an elevated command prompt.  That did not work.

    I tried launching Process Monitor from an elevated command prompt with the /Run32 switch. That did not work.

    I tried shutting down the PC when the Process Monitor was left running.  Some recipes that I have read seem to imply that that is the proper procedure.  That did not work.

    I tried shutting down the PC after having exited the Process Monitor gracefully.  That did not work.

    I tried running some experiments to try to determine if Windows was blocking execution of the Process Monitor.  I saw some chatter on the web from guys who had experienced that.  I was unable to confirm or deny that Windows is to blame.  There is nothing in the Event Viewer that says that ProcMon64.exe was blocked.  On the other hand there were events that recorded the fact that ProcMon64.exe might not work the next time it is invoked because it had hung up the registry the last time the PC was shut down.  That is because ProcMon.exe becomes an unkillable zombie process after it becomes unresponsive.  It cannot be killed from Task Manager, Process Explorer, or from a command prompt.  It can only be killed by shutting down the PC and then, after it has been sitting at "Shutting down ..." for 10 minutes or so, forcing the shutdown with the power switch.  Owing to the error message relating to hanging the registry at the last shutdown causing the Process Monitor not to work the next time it is invoked, I tried two reboots after the shutdown.  That did not work.

    I have noticed some things.  When I set up Process Monitor to do boot logging with a backing file defined and exit the tool, the backing file is written out.  I have captured up to 10 minutes worth of trace before shutting down the system and the backing file has been written correctly.  The backing file in that case was 223 MB.  When I shut the system down and then did a cold boot and waited for the bootup to settle down and opened the Process Monitor, it prompted me with the question that I have read that it should.  It asked for permission to overwrite the backing file that was out there.  When I say yes the program sits and thinks.  Clicking on the window causes the window to declare that the program has become unresponsive.  It never finishes.  When I go out and look at the file, it is now 4,194,304 bytes.  Process Monitor has accessed the file and, apparently, written 4 MB into that file before becoming unresponsive.  Process Monitor does access the file on the way to becoming unresponsive.

    Each of these attempts is about a 20 minute cycle because of all the embedded cold boots in the experiments.  Some were longer.

    I infer from your post that folks in your environment only use Process Monitor to trace restarts.  Could you ask around and find out if that is just tradition, or is it because someone there has made a strenuous effort to trace a cold boot and never got it to work, or whether someone there knows that it does not work and cannot work and knows the reason?  If it is one of these cases would you let me know which it is?  And in the latter case, would you share the secret with me?

    Thank you for your reply.

    Friday, May 13, 2016 12:08 AM
  • Hi,

    I really understand that it's tough or time-cost for you to test this issue, thanks for all your efforts on this issue. We are willing to help you further on this issue.

    Based on my knowledge, it's hard to get the cold boot process.  Please see the following correspondence between what is on the screen and what the system does in the background.

    Computer logo --- Electronic check

    Black screen ---- OS load

    Starting Windows logo ---- System initialize

    Blank screen just before logon --- logon UI initialize

    Then, logon starting

    Would you please let me know what screen you are seeing to take long time?

    Based on current information, the most possible cause could be hardware.  Is there any built-in OEM hardware test tool on your computer?  Would you please also contact your manufacturer about a hardware test to see if that's the trick?

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, May 13, 2016 9:37 AM
  • Thank you for your reply.

    I am running a Lenovo Thinkpad S431 notebook computer running Windows 7 Home Premium.  It is a 64 bit machine.  When you press the power button to start a cold boot it first displays a logo screen that is the word Thinkpad in large white text with a red dot over the letter "I".  After that it displays a message beneath the Thinkpad logo.  That stays up until the entire screen goes black.  Then after some time the words "Starting Windows" are displayed on the black background.  Then after that four moving dots appear in the middle of the black background and evolve until they form the Windows four color logo.  After some time the screen goes entirely black again for a short time.  Then the cursor appears as an arrow.  Then as an arrow and a circle.  Then it changes more times.  Then the screen goes black again and then the logon prompt appears.  The times for these things are listed below.  All times are elapsed time after pushing the power on button.

    Display Event                                                            Elapsed time from power switch

    Press Power On                                                          0 sec

    ThinkPad Logo                                                            3 sec

    Message text (To Interrupt normal startup ...)              7 sec

    Black Screen                                                              54 sec

    "Starting Windows" at bottom black screen                   1 min 11 sec

    4 moving dots first appear; evolve to Windows logo       2 min 15 sec 

    Screen goes black                                                       3 min 44 sec

    Arrow Cursor appears (changes shape several times)     3 min 47 sec

    Windows login prompt first appears                              4 min 0 sec

    I have run all the hardware scans that come with the Lenovo PC.  I have run sfc /scannow and chkdsk.  They both testify that the harddrive has no problems.

    Can you give me a hint as to why it is so hard to get Process Monitor to trace a cold boot?

    Thank you.

    Friday, May 13, 2016 8:37 PM
  • Hello techies,

    Here is a refinement of those last numbers that result from further experiments.  The numbers below compare the time durations between visible features that appear on the screen as the system boots.  The comparison is between a cold boot and a restart.  The start time (t = 0) for the cold boot is the time at which the power button is pressed.  The start time (t = 0) for the restart is when the message "To interrupt normal startup, press Enter" appears on the screen.  There is no visible event prior to this to indicate when the shutdown ended and the restart began.  The comparison results are these.

    Time duration                                                   Cold Boot            Restart

    Start event (t = 0)                                             Push power button    Display: "To Interrupt Normal ..."

    Start event to Black screen after logo                          55 sec               1 sec

    Start of black screen after logo to End of black screen         17 sec               1 sec

    Appearance of "Starting Windows" to Appearance of 4 moving dots 1 min 4 sec          4 sec

    Appearance of 4 moving dots to Remove Windows logo              1 min 28 sec         15 sec

    Remove Windows logo to Appearance of arrow cursor               3 sec                4 sec

    Appearance of arrow cursor to Appearance of logon prompt        13 sec               10 sec

    Total elapsed time                                              4 min                35 sec

    This is for a clean boot.  The driver loads that show up in ntbtlog.txt for the two boots are very close to identical.

    I updated the UEFI/BIOS to version 1.13.  All Lenovo test programs show that the HDD is in good condition.  chkdsk and sfc /scannow show the same.

    All the boot logging technologies provided by Microsoft that I know about seem to be aimed at the examination of the restart.  But as you can see, the mysterious action is all happening during the cold boot.

    Is there no way to trace a cold boot?

    Sunday, May 15, 2016 3:36 PM
  • Hi,

    I noticed that the major issue should happen during Winlogon initialize and session initialize.  During this process, Windows will call the Winlogon process and initialize related system services and part of the registry keys.

    The clean boot mode seems to get some improvement.  We can first determine which 3rd party service or startup item causes the slow startup issue.  Would you please troubleshoot this issue by using dichotomy in msconfig?  Check half of the non-Microsoft services and restart, determine which half of the services causes the issue, and repeat by checking half of the problematic half of the services.

    Also, I would like to confirm with you if you have any other logon providers on your computer, if so, disable 3rd part provider to see if there is any change:


    Please also save the System Information and upload onto OneDrive and share the link for our research.

    Refer to this guide to collect information:http://windows.microsoft.com/en-us/windows/what-is-system-information#1TC=windows-7

    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, May 24, 2016 6:15 AM
  • Thank you very much for your reply.  Please find my answers below.

    I assume that by "dichotomy" you are referring to the use of a binary search approach that tries to narrow down the offending software by successive approximation.  I am well beyond that.  I have unchecked all non-Microsoft Services in msconfig.  Also I have unchecked everything in the msconfig startup list.  The boot times that I have quoted in earlier posts were all done with those services and startup programs turned off.   If you would tell me what additional Microsoft services might be safely turned off (temporarily, of course) I would like to turn off some of those also to see if that made a difference.

    I have done the experiment that you suggested.  I got the same code in Safe mode as I got in normal mode:


    Apparently I have no third party logon providers.  I think it was a good thing to try.

    I have on my desktop the file SystemInfo.nfo.  It is 3.58 MB.  I would like to send it to you but I don't want to use OneDrive.  I have removed all the SkyDrive stuff from my machine and I don't want to download any onto my machine by accident.  Does your OneDrive site permit me to upload the file without downloading any software?

    Or, if you would send me an email address I could zip up the file and send it to you that way.

    Thank you.

    Tuesday, May 24, 2016 9:30 PM
  • I have gotten to a resolution to my problem so I thought I would put an endpoint onto this thread.

    As far as I have been able to discover there is not a way to trace a cold boot.  For some reason the industry appears to be satisfied with that fact.  Without the ability to observe, that leaves guess-and-check.  There are today so many variables that guess-and-check has evolved into guess-and-check-and-hope-you-get-lucky.

    I got lucky.  In my case the M.2 cache SSD was bad.  After I had removed the notebook backplate, taken out the battery, taken out the SSD, put the battery back in, and put the backplate back on, the cold boot time was reduced from 3 minutes 46 seconds to 44 seconds.  The restart time had always been 35 seconds.  A 9 second difference between a cold boot and a restart is very good.

    That guess was correct and since it was the correct guess the amount of time and effort required to check it was worth it.  However, you cannot string together too many checks like that before you run out of time, stamina and stubbornness. 

    The problem was a hardware problem.  It has been resolved.  I am happy about that.  But I think that it is a shame that the industry has left us no way to trace a cold boot short of virtual machines.  Only the spies and Malware producers have those.

    Tuesday, May 31, 2016 2:32 PM
  • Hi DudgeonousTweet1,

    Glad to hear that you have found a solution, and thank you for sharing it here.  As we discussed before, it could be caused by the hardware.  It will be helpful to other community members who have the same question.

    Best regards,

    Carl Fan

    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, June 1, 2016 1:41 AM