none
Diagnostics-Performance log Event 100 - Critical, Error, or Warning - when and why?

    Question

  • Under what circumstances is Event 100 in the Diagnostics-Performance log categorized as a Critical, Error, Warning, Information event, or not recorded at all?

    Event 100 is associated with Boot Performance Monitoring; among the parameters it records are Boot Duration and whether Boot Duration represents degradation.  I have seen Critical, Error, and Warning instances of Event 100, and I have noticed that is not recorded at all on some boots, but I have not seen any Information instances.  Additionally, I haven't detected any correlation between the level of the event and whether IsDegradation is true or false.

    It would be helpful to understand more about the logic of this event.

    The following thread from August 2009 touches on this, but got only one response, and ihas not been answered http://social.technet.microsoft.com/Forums/en/w7itproperf/thread/13738c6f-d093-4769-bf2e-3a938f46c832

    Thanks.

    • Edited by sejong Wednesday, November 17, 2010 3:27 PM
    Wednesday, November 17, 2010 3:20 PM

Answers

  • These events are defined in Windows Source code

     

    PostBootMinorThreshold_Sec(30)     // The time in seconds for postboot must exceed to consider minor issue.

    PostBootMajorThreshold_Sec(60)   // The time in seconds for postboot must exceed to consider Serious issue.

    BootMinorThreshold_Sec(60)         // The time in seconds excluding postboot must exceed to consider minor issue.

    BootMajorThreshold_Sec(120)        // The time in seconds excluding postboot must exceed to consider Serious issue.

    At the highest level, there are two separate scenarios for boot, the kernel scenario and the user scenario. Depending on the Scenario (long or short delay) the timer is started. There is a Kernel Timer and a a timer that is triggered for User. We'll start the Post boot timer when the Winlogon process launches the User's shell.

    Troubleshoot function calls BootScenario::PerformTroubleshooting.  This then performs calculations and then logs the event by calling OutputSqmEventLog.  OutputSqmEventLog calls EventWriteEx/EventWriteBatchEx to write the events.

    This will internally check the BSS trigger for the event.

    The Critical Events are logged when we cross beyond BootMajorThreshold_sec

    We basically calculate two options for the level we’ll attach to event 100, an option based on what is logged as MainPathBootTime (i.e. BootTime – PostBootTime), and an option based on PostBootTime alone. Whichever option is more severe/critical/whatever is what we ultimately attach to the event. For example, a PostBootTime of 0 to 30 seconds will get a level of Warning, 30-60 seconds gets Error, and greater than 60 gets Critical.

    We hope that this helps answer your questions.


    David J. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Sabrina Shen Monday, December 27, 2010 9:16 AM
    Friday, December 17, 2010 12:01 AM
    Moderator
  • For example, a PostBootTime of 0 to 30 seconds will get a level of Warning,

    Hi David,

    thanks this is what I wanted to know, too. But I don't understand why booting under 30s is a warning. This confuses too many people. Under 30s this should be logged as information.

    Can you explain this a bit more in a blog entry, for example here:

    http://blogs.technet.com/b/askperf/

    André


    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    • Marked as answer by Sabrina Shen Monday, December 27, 2010 9:16 AM
    Friday, December 17, 2010 12:03 PM
  • @ David J - MSFT

    Thank your for your detailed answer.  It was exactly what I was hoping for.  I agree with Andre.Zigler that boot time < 30s should be an Information, rather than a Warning, event.

    • Marked as answer by Sabrina Shen Monday, December 27, 2010 9:16 AM
    Friday, December 17, 2010 4:17 PM

All replies

  • The logic is a confusing for me, too. Even when the Degradation is false a warning icon is set.

    Look at the values and if the boot is too long follow my 2 guides.

    1 st make sure you have the service Superfetch running and next try to speed up the boot with the help of my guide [1]. This trains the advanced prefetcher in Windows 7. This increase the boot performance a lot. All other tweaking tools are useless. Only use this method with this Microsoft Toolkit.

    If this doesn't speed up the boot process, follow my guide [2] to make a boot trace and compress the boot_BASE+CSWITCH+DRIVERS+POWER_1.etl as 7z or RAR and upload it to your Skydrive [3] and post the link here.

    I take a look at the trace, maybe I see what's wrong with your Windows.

    André

    [1] http://www.msfn.org/board/index.php?showtopic=140262
    [2] http://www.msfn.org/board/index.php?showtopic=140247
    [3] http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/4fc10639-02db-4665-993a-08d865088d65


    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    Wednesday, November 17, 2010 3:27 PM
  • Thanks for your quick reply.  In my case, I'm not concerned about anything being wrong - boot times on our systems are OK - I'd just like to know more about the logic behind this event.  Nevertheless, I'll follow your guide and check how it affects boot times and the recording and level of Event 100.

    Wednesday, November 17, 2010 3:33 PM
  • I followed your guide [1].   Boot Duration remained about the same, but I don't think there's anything "wrong".

    For reference, here is a list of Boot Duration in seconds, the level of Event 100 (Critical, Error, Warning), and the Boolean value of IsDegradation.  I can't see any association of the event level and the IsDegradation value, but there is a correlation between the event level and the BootMinorThreshold_Sec (60), BootMajorThreshold_Sec (120), and HardThresholds_CritServicesList values in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Boot. Boot Duration less than 60 seconds is a Warning level event; 60-119 is an Error level, and 120 or more is a Critical error.  Boot #-5 below is a Critical level event even though Boot Duration (99 seconds) was in the Error level range because on that boot a "critical" service (event system) took longer than expected to start up (an instance of Event 103 recorded this).  This is incorrect - I revised in in the next post.

    In summary, I can understand why instances of Event 100 are Critical, Error, or Warning; I don't think there are any Information level instances of Event 100, and I don't know why sometimes there is no instance of Event 100 recorded at all.

    4. 76, Error, true

    3. 76, Error, false

    2. 77, Error, false

    1. 49, Warning, false

    0.  Trained advanced prefetcher per guide [1]

    -1. 48, Warning, false

    -2. 46, Warning, false

    -3. 69, Error, false

    -4. 48, Warning, false

    -5. 99, Critical, false

    -6. 42, Warning, false

    • Edited by sejong Wednesday, November 17, 2010 8:38 PM
    Wednesday, November 17, 2010 6:11 PM
  • Update - The values that seem to govern the level of Event 100 are PostBootMinorThreshold_Sec (30 seconds) and PostBootMajorThreshold_Sec (60 seconds) in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Boot .  The BootPostBootTime parameter in Event 100 is compared with these values.  If it's less than 30 seconds, Event 100 is a Warning level; if between 60 and 59, Error level, and (I think) if 60 or more, or if a "critical" service took longer than expected to start up, Critical level.

    @Andre.Ziegler - in your guide [1], is it necesary to wait the 120 seconds during each of the 6 passes, and if so, should the system be left to idle during that time?

    Wednesday, November 17, 2010 6:36 PM
  • The 120s are the default time which xbootmgr captures after the Explorer was loaded (bootDoneViaExplorer). I always wait so that all data are captured. Windows detects that the boot is finished when the system is idle for 10s:

    <timing bootDoneViaExplorer="10054" bootDoneViaPostBoot="27754" (Boot to desktop in 10s and finished in 18s (PostBoot wait time is subtracted )


    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    Wednesday, November 17, 2010 10:44 PM
  • Thanks for the explanation.
    Thursday, November 18, 2010 3:12 PM
  • Hi Sejong,

     

    Does the information which Andre.Ziegler provided help? If so, please mark it as answer. By sharing your experience you can help other community members facing similar problems.

     

    If you would like further assistance, please do not hesitate to let us know. It is our pleasure to help. :)

     

    Thanks, and have a great day.

     

    Regards,

     

    Sabrina

     

    TechNet Subscriber Support in forum.

     

    If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, November 22, 2010 5:35 AM
  • Hi Sabrina Shen-

    Altough Andre.Zigler's information was helpful for reducing boot time, it did not answer the question I asked in my first post - Under what circumstances is Event 100 in the Diagnostics-Performance log categorized as a Critical, Error, Warning, Information event, or not recorded at all?

    If fact, Andre.Zigler's reply to my first post started out by saying "The logic is a confusing for me, too".

    Therefore, I don't think it's appropriate to mark Andre.Zigler's post as answer.

    Monday, November 22, 2010 1:39 PM
  • I also want to know a good explanation.

    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    Monday, November 22, 2010 7:45 PM
  • Hi Sejong,

     

    Would you like to collect the detailed Event Log for our further research?

     

    ·         Event Log

    ========================

    1. Click "Start", input "eventvwr" (without quotation marks) in the Search bar and press Enter.

    2. Right click on "Application" on the left frame, choose "Save Log file As"; in the pop-up window, click to choose the Desktop icon on the left frame, input "app" in the "File name" blank, and then click “Save”.

    3. Right click on "System", with the same method, save it as "sys".

    4. Locate the two saved log files on the Desktop and send them to us.

     

    You can refer to the following link to upload the information:

     

    http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/4fc10639-02db-4665-993a-08d865088d65

     

    Regards,

     

    Sabrina

     

    TechNet Subscriber Support in forum.

     

    If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, November 24, 2010 8:07 AM
  • Hi Sabrina Shen-

    Thanks for your suggestion about uploading the Application and System logs.  I'd upload them if I thought it would be productive, but the question here is not that whether is something "wrong" with a particular computer - nothing is "wrong".  It's "Under what circumstances is Event 100 in the Diagnostics-Performance log categorized as a Critical, Error, Warning, Information event, or not recorded at all".

    Ideally, this question can be addressed by someone (possibly from Microsoft) who is knowledgeable about the design of the Diagnostics-Performance log and boot and shutdown eventing.

    Wednesday, November 24, 2010 5:50 PM
  • These events are defined in Windows Source code

     

    PostBootMinorThreshold_Sec(30)     // The time in seconds for postboot must exceed to consider minor issue.

    PostBootMajorThreshold_Sec(60)   // The time in seconds for postboot must exceed to consider Serious issue.

    BootMinorThreshold_Sec(60)         // The time in seconds excluding postboot must exceed to consider minor issue.

    BootMajorThreshold_Sec(120)        // The time in seconds excluding postboot must exceed to consider Serious issue.

    At the highest level, there are two separate scenarios for boot, the kernel scenario and the user scenario. Depending on the Scenario (long or short delay) the timer is started. There is a Kernel Timer and a a timer that is triggered for User. We'll start the Post boot timer when the Winlogon process launches the User's shell.

    Troubleshoot function calls BootScenario::PerformTroubleshooting.  This then performs calculations and then logs the event by calling OutputSqmEventLog.  OutputSqmEventLog calls EventWriteEx/EventWriteBatchEx to write the events.

    This will internally check the BSS trigger for the event.

    The Critical Events are logged when we cross beyond BootMajorThreshold_sec

    We basically calculate two options for the level we’ll attach to event 100, an option based on what is logged as MainPathBootTime (i.e. BootTime – PostBootTime), and an option based on PostBootTime alone. Whichever option is more severe/critical/whatever is what we ultimately attach to the event. For example, a PostBootTime of 0 to 30 seconds will get a level of Warning, 30-60 seconds gets Error, and greater than 60 gets Critical.

    We hope that this helps answer your questions.


    David J. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Sabrina Shen Monday, December 27, 2010 9:16 AM
    Friday, December 17, 2010 12:01 AM
    Moderator
  • For example, a PostBootTime of 0 to 30 seconds will get a level of Warning,

    Hi David,

    thanks this is what I wanted to know, too. But I don't understand why booting under 30s is a warning. This confuses too many people. Under 30s this should be logged as information.

    Can you explain this a bit more in a blog entry, for example here:

    http://blogs.technet.com/b/askperf/

    André


    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    • Marked as answer by Sabrina Shen Monday, December 27, 2010 9:16 AM
    Friday, December 17, 2010 12:03 PM
  • @ David J - MSFT

    Thank your for your detailed answer.  It was exactly what I was hoping for.  I agree with Andre.Zigler that boot time < 30s should be an Information, rather than a Warning, event.

    • Marked as answer by Sabrina Shen Monday, December 27, 2010 9:16 AM
    Friday, December 17, 2010 4:17 PM
  • I'll see what we can do about getting a Blog post out there.
    David J. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, December 20, 2010 11:56 PM
    Moderator
  • I'll see what we can do about getting a Blog post out there.
    Please try to get a blog post and explain WHY booting under 30s is a warning. This is really the most confusing point.
    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    Tuesday, December 21, 2010 12:30 PM
  • I have noticed boot warnings and assume they are owing to a RAMDisk I create on startup, and save on shutdown, and wish to make these go away (and the diagnostics I believe they are triggering, along with their own log entries) but am having no luck tweaking the registry keys e.g. I get a "Cannot edit PostBootMinorThreshold_Sec: Error writing the value's new contents."

    I've booted into Safe Mode to no effect, and also tried the trick of running regedit in the special mode for a "system" regedit:

    psexec -s -i regedit

    What is the magic incantation for altering these diagnostic entries?

    Thanks for any help here.

    PostBootMinorThreshold_Sec(30)     // The time in seconds for postboot must exceed to consider minor issue.

    PostBootMajorThreshold_Sec(60)   // The time in seconds for postboot must exceed to consider Serious issue.

    BootMinorThreshold_Sec(60)         // The time in seconds excluding postboot must exceed to consider minor issue.

    BootMajorThreshold_Sec(120)        // The time in seconds excluding postboot must exceed to consider Serious issue.


    Thursday, July 21, 2011 11:35 PM
  • Interesting posts.  These are typical boot durations for me in a lab machine:  169s 131s 187s 142s.  I've just come to accept it and avoid rebooting.  Windows 7 just seems to boot slower the more software you put on it. 

     

    Friday, July 22, 2011 5:15 PM
  • I have noticed boot warnings and assume they are owing to a RAMDisk I create on startup, and save on shutdown, and wish to make these go away (and the diagnostics I believe they are triggering, along with their own log entries) but am having no luck tweaking the registry keys e.g. I get a "Cannot edit PostBootMinorThreshold_Sec: Error writing the value's new contents."

    I've booted into Safe Mode to no effect, and also tried the trick of running regedit in the special mode for a "system" regedit:

    psexec -s -i regedit

    What is the magic incantation for altering these diagnostic entries?

    Thanks for any help here.

    PostBootMinorThreshold_Sec(30)     // The time in seconds for postboot must exceed to consider minor issue.

    PostBootMajorThreshold_Sec(60)   // The time in seconds for postboot must exceed to consider Serious issue.

    BootMinorThreshold_Sec(60)         // The time in seconds excluding postboot must exceed to consider minor issue.

    BootMajorThreshold_Sec(120)        // The time in seconds excluding postboot must exceed to consider Serious issue.



    I didn't start a new topic because this one had all the background info appropriate to my question, but maybe that was a mistake as no one notices my question?
    Saturday, July 23, 2011 12:28 PM
  • Did you ever find an answer to this? How to edit those keys to change the thresholds?
    Sunday, January 29, 2012 10:57 PM
  • I know this doesn't answer your question directly, but if you just don't like seeing these events, you can disable the log.  This log doesn't exist in Server 2008 R2.

    Another thing you can try if you are a member of the local Administrators group is to change the owner on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Boot key from SYSTEM to the local Administrators group, and give that group Full Control permissions.  Then edit the values.
    • Edited by sejong Monday, January 30, 2012 9:18 PM
    Monday, January 30, 2012 6:42 PM
  • Did anybody ever answer the question (asked multiple times above) about why the ID 100 events are sometimes not written to the log?  I've rebooted my wins7 machine 7 times today and gotten only 2 event ID 100 entries.
    Tuesday, February 7, 2012 11:32 PM
  • Hi.. everyone here.. Has anyone noticed if (like in my case) if you look at the time on the event that the system shut down .. and the time you receive the CRITICAL on the start up with event 100 ???

    In my case there is just seconds.. and the reason for that???? I was doing updates on the security that Microsoft loves to issue... so I do not allow the updates to install them self.. I go through and double check each one and load according to date..

    example... these last few weeks there was tooooo many updates .. and it messed my system up and I lost a lot of data so I did a factory restore with a backup of my data.. I just got done loading over 170 updates (THANK YOU MS ...NOT ) and the only place I received these Criticals is during the process of having to restart in order for the update to be applied and finish..

    Hope you all are getting it only there.. so to answer the question of the post.. why a critical on a 30 sec or less.... the event manager can not figure out that the system is restarting due to a system request and not a actual error,, so the system is not seeing a major reason for a shut down by a restart command and it is putting the critical there JUST in case..

    hope that makes sense.

    Ms Robie 

    Hope 


    MsRobie

    Tuesday, March 17, 2015 1:05 AM
  • Hi, Is it applied to Windows 10 too?

    I have tried to capture the shutdown time, boot time, suspend and Resume time from the Diagnostic-Performance at Event viewer but for the hibernate, there is totally no event and for the restart, intermittently no event is generated.

    Do you have any idea? thkq


    pass by

    Tuesday, January 19, 2016 8:24 AM
  • Has anyone figured out why the Event ID 100 events are sometimes not written to the 'Diagnostic-Performance' Event log folder? 

    I was trying to benchmark my current system configuration by restarting my system multiple times and taking the average of the Boot Duration results before disabling some third party services, and noticed that there was no Event ID 100 log message for the fourth system restart.  The first three system restarts logged the Event ID 100 log just fine and I haven't changed anything on my system between each restart.
    Saturday, July 8, 2017 5:24 AM