Hey ET - Shut down problem COntinued

[Mister Bushice]

I posted this elsewhere, but I haven't solved it, and had a couple of questions.

It will go through normal shutdown, but then it will stop, not freeze, just stop, at the "windows is shutting down" screen. I have to do a hard reboot to shut it down.

I can shut down with no problem in hibernate mode.

Here is a list of the processes that are typically active:

TASKMGR.EXE
CIDAEMON.EXE (2 of these)
ashserv.exe This is avast
aswUpdsv.exe I think this is the Avast Virus Update program
mainserv.exe
ashdisp.exe This is Avast
zlclient.exe - Zone Alarm
explorer.exe - Obvious
ashMaisv.exe - This is Avast
SPOOLSV.EXE
SVCHOST.EXE (6 of these)
LSASS.EXE
SERVICES.EXE
winlogon.exe
CSRSS.EXE
SMSS.EXE
vxmon.exe
mxtask.exe
CISVC.EXE
System
System Idle Process


Any ideas which one the culprit might be? I only have 6 items checked in my startup menu right now, zone alarm, avast, Adobe Gamma Loader, digital line detect and live menu.lnk, as well as one that is just a group of 6 boxes (encrypted I guess) located in the same file where the Zone Alarm is, but it seems to be an XP based file, from what I have read. BTW, the problem began before I loaded up Avast.

[Red]

It's odd that there would be two instances of cidaemon.exe running. It is the Indexing service that is supposed to make searching faster, which is handy when you need to find your pron STAT! but it might be what's holding you up.

To disable Indexing, click Start> Search> Change Preferences> With Indexing Services> No, do not enable Indexing Service> OK

See if that works.

[ElTaco]

TASKMGR.EXE
CIDAEMON.EXE (2 of these)
ashserv.exe This is avast
aswUpdsv.exe I think this is the Avast Virus Update program (yes)
mainserv.exe (try disabling PowerChute to make sure ti doesn't interfere)
ashdisp.exe
zlclient.exe
explorer.exe -
ashMaisv.exe -
SPOOLSV.EXE

SVCHOST.EXE (6 of these)
Are you sure you have 6? Some look close to svchost.exe but I generally only ever see 4 of them. Make sure you don't have W32.Welchia.Worm.

LSASS.EXE
SERVICES.EXE
winlogon.exe
CSRSS.EXE
SMSS.EXE

vxmon.exe - vXmon.exe or vSmon.exe. The later is part of Zonealarm. The first is nothing thats normal. I'll assume its a typo since you have zona alarm

mxtask.exe
CISVC.EXE
System
System Idle Process

As I said, I would try a few things. First try booting into Safe mode and see if you can shut down from there. That will insure that you only have the absolute minimum loaded. Try turning off Avast. Norton used to cause something similar with Dell Laptops and PCs. Make sure you don't have the Welchia worm and some of the other LSASS worms. Welchia in particular used svchost.exe filename for the virus to confuse people. Look it up on Norton's site and look for some tell tale signs. Run your antivirus in safe mode and don't forget to disable the auto restore function if you are running XP.

You might also try turning off the firewall. It integrates into the IP stack and some other windows functionality so I could see it screwing things up. If its none of those then you may have to do some windows trouble shooting. Could be some driver that isn't being unloaded properly. In Safemode only the absolutely necessary drivers are loaded so if you can shut down in safe mode but not in Normal mode and its not a software thats preventing the shutdown, it would be a valid assumption on your part to suspect some driver that isn't necessary to run windows.

Other then that, you can make sure everything is up to date and patched. Sometimes that will fix freak problems, at least until new ones develop a few days later.

Also did it ever shut down? Some old computers just don't support things like the soft shutdown and such. You could update to the latest bios. As a last resort, just fix windows by doing a repair install. It replaces all the core dlls and files so it should fix problems that stem from something being corrupt. This isn't the type of problem I'd expect to see if windows got corrupt, but it might fix it anyway, and its better then the alternative (reinstall from scratch).

[ElTaco]

God damn I hate accidentally clicking on Edit instead of Quote. Thank you Back button.

[Mister Bushice]

TASKMGR.EXE
CIDAEMON.EXE (2 of these)
ashserv.exe This is avast
aswUpdsv.exe I think this is the Avast Virus Update program (yes)
mainserv.exe (try disabling PowerChute to make sure ti doesn't interfere)
ashdisp.exe
zlclient.exe
explorer.exe -
ashMaisv.exe -
SPOOLSV.EXE

Tried that. Didn't affect it.

SVCHOST.EXE (6 of these)
Are you sure you have 6? Some look close to svchost.exe but I generally only ever see 4 of them. Make sure you don't have W32.Welchia.Worm.

This time, I have five, four are grouped together in the list, one is apart. I ran the welchia worm removal tool, and that came up empty, no infection. One interesting thing - one of the SVCHOST files in the group of four runs much larger - 14,000 k range as opposed to all of the others, which run in the 1-3,000 k range. When I end that large process and try to shut down, the computer shuts down normally, so now - how do I determine what program is using that large SVCHOST program, and how do I go about removing it if it is unnecessary?

LSASS.EXE
SERVICES.EXE
winlogon.exe
CSRSS.EXE
SMSS.EXE

vxmon.exe - vXmon.exe or vSmon.exe. The later is part of Zonealarm. The first is nothing thats normal. I'll assume its a typo since you have zona alarm

No, it is no typo. The file is in all lower case "vsmon.exe" I always thought that was for the monitor.

mxtask.exe
CISVC.EXE
System
System Idle Process

As I said, I would try a few things. First try booting into Safe mode and see if you can shut down from there. That will insure that you only have the absolute minimum loaded. Try turning off Avast. Norton used to cause something similar with Dell Laptops and PCs. Make sure you don't have the Welchia worm and some of the other LSASS worms. Welchia in particular used svchost.exe filename for the virus to confuse people. Look it up on Norton's site and look for some tell tale signs. Run your antivirus in safe mode and don't forget to disable the auto restore function if you are running XP.

You might also try turning off the firewall. It integrates into the IP stack and some other windows functionality so I could see it screwing things up. If its none of those then you may have to do some windows trouble shooting. Could be some driver that isn't being unloaded properly. In Safemode only the absolutely necessary drivers are loaded so if you can shut down in safe mode but not in Normal mode and its not a software thats preventing the shutdown, it would be a valid assumption on your part to suspect some driver that isn't necessary to run windows.

Other then that, you can make sure everything is up to date and patched. Sometimes that will fix freak problems, at least until new ones develop a few days later.

Also did it ever shut down? Some old computers just don't support things like the soft shutdown and such. You could update to the latest bios. As a last resort, just fix windows by doing a repair install. It replaces all the core dlls and files so it should fix problems that stem from something being corrupt. This isn't the type of problem I'd expect to see if windows got corrupt, but it might fix it anyway, and its better then the alternative (reinstall from scratch).

This is not an old computer, perhaps it is 15 months old, bought it new, a P4 dell. I have stopped avast with no luck, and also zonealarm. it never shuts down unless I kill that one SVChost.exe process.

How do I do a repair install?

Thanks for the help.

[Mister Bushice]

It's odd that there would be two instances of cidaemon.exe running. It is the Indexing service that is supposed to make searching faster, which is handy when you need to find your pron STAT! but it might be what's holding you up.

To disable Indexing, click Start> Search> Change Preferences> With Indexing Services> No, do not enable Indexing Service> OK

See if that works.

Well, I will give it a try. The computer won't shut down even if I only boot up then shut down without opening any programs.

Thanks.

[ElTaco]

svchost.exe is used by windows to run some of the processes and interprocess communications as far as I understand. Why don't you look through all the Services you are running and shut down the ones that aren't necessary. Again, you still haven't answered my safe mode boot/shutdown question. Does it shut down if you boot into safe mode?

[Mister Bushice]

Haven't tried that one yet. I will do so next.

What do you mean by "services"?

[Shlomart Ben Yisrael]

Do you have ACPI Enabled in your BIOS?

Check your power management in windows also.

[Red]

Why don't you look through all the Services you are running and shut down the ones that aren't necessary.

What do you mean by "services"?

Maybe Bushice poking around in the services is not the best idea. :P

[Mister Bushice]

Hey ET,

It shuts down normally in Safe mode. Takes a little time, but it gets there.


Martyred,

Do you have ACPI Enabled in your BIOS?

why is this a possible factor?


Check your power management in windows also.

what power management state would cause this problem?


Red,

Thanks for contributing absolutely nothing to this thread.

[Red]

Red,

Thanks for contributing absolutely nothing to this thread.

You must have missed my previous post re: cidaemon.exe, fucker.

I know computer problems are frustrating, but if you don't know what services are, you don't need to be screwing with them and potentially disabling stuff you actually need.

[Mister Bushice]

Red,

Thanks for contributing absolutely nothing to this thread.

You must have missed my previous post re: cidaemon.exe, fucker.

"Its odd that you have two instances of cidaemon.exe running" That is helping? How is that helping? That presented me with no reasons why or solutions to the problem, ergo, it was no help at all.

Granted the indexing services was a point, but it had no effect on the operation of the machine, and I was referring to the last post mostly, anyway.

I know computer problems are frustrating, but if you don't know what services are, you don't need to be screwing with them and potentially disabling stuff you actually need.

I have built my own computer in the past. I have not dealt with XP system administration, management, services or anything very detailed or complex in that area much beyond restore points, setting up a home network, defragging etc. , but I know what NOT to do, that being to mess around with anything I don't understand yet.
Which is why I asked the question in the first place. How in hell am I supposed to learn something I don't know unless I do?

Again, thanks for contributing. :roll:

[ElTaco]

I don't have anything off the top of my head for you. If it shuts down in safe mode but not in normal mode, that means that its something that runs in normal mode but its not one of the absolutely necessary things to windows that runs in Safe mode. Remember when you load safe mode, by default it will only load the absolute minimum.

So what does this mean? Well your problem could be a program that you load on start. The fact that you said that killing that one instance fixed svchost.exe fixed the problem would suggest to me that your problem has to do with a service so here is what you do:

Start -> Run -> cmd /x (enter)
Type in tasklist /SVC
c:\documents and settings\>tasklist /SVC

Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 440 N/A
csrss.exe 488 N/A
winlogon.exe 512 N/A
services.exe 556 Eventlog, PlugPlay
lsass.exe 568 Netlogon, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 740 RpcSs
svchost.exe 804 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
ERSvc, EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Messenger, Netman, Nla,
RasMan, Schedule, seclogon, SENS,
ShellHWDetection, srservice, TapiSrv,
TermService, Themes, TrkWks, uploadmgr,
W32Time, winmgmt, wuauserv, WZCSVC
svchost.exe 952 Dnscache
svchost.exe 980 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe 1088 Spooler
mdm.exe 1240 MDM
svchost.exe 1960 stisvc
explorer.exe 1008 N/A
qttask.exe 2020 N/A
aim.exe 548 N/A
ctfmon.exe 1552 N/A
IEXPLORE.EXE 396 N/A
cmd.exe 1956 N/A
tasklist.exe 376 N/A
wmiprvse.exe 480 N/A

c:\documents and settings\>
Now you can see all the Windows services that are interacting with any of tasks. Find the problem task and look at all the services that are using it. Next you bring up your Service window to find all the services running. You do this by rightclicking on your 'my computer' and doing Manage or you go to your Control pannel, Admin tools and find it under there. Then I would start looking up whats necessary and what isn't. If it is a service related to a program you installed, I'd disable it for now. Do be careful because certain services are very necessary to windows running and you'll have to start all over again if you kill an important one.

And thats all I can say really. You might want to do some research on Windows services before tackling this problem. Look through the MS/MSDN website and do some research as to what each service does and if its necessary or not.

If the faulty service is related to Windows, you'll probably have to do a Fix install with a disk and all or a complete reinstall. On the other hand if the problem is related to a program you installed, you can probably just disable that program or re-install it to fix the problem.

[Mister Bushice]

Thanks ET. I can handle doing all that. I've made enough mistakes over the years to KNOW that I have to be careful,think twice act once. :)
I'll keep you updated.

UPDATE:

One difference I noted in my large SVCHOST and your list was I have something called "FastUserSwitchingCompatability"

Ever hear of it.

[ElTaco]

FastUserSwitchingCompatability is a service that allows users to switch between users. Only XP has it. This is an XP machine but its on a Domain so it doesn't support that feature (only allows one user at a time to be logged on). Home and Pro standalone versions run it to allow you to switch between users.

I quickly looked through my busiest SVChost and most of those are fairly useless services so you should be able to reduce the size of that and disable a whole bunch of them. Just go through them or find a list of necessary services and disable the ones that aren't on it. Then if that fixes the problem, re-enable them a few at a time, or figure out which ones you want and which ones serve you no purpose and try to shut down again.

[DiT]

BI,go to your windows folder and delete everything inside the Prefetch folder.

[Mister Bushice]

I solved it. It was a process in the busiest SVCHOST that was causing it. I disabled just one of them that was obviously not necessary, and it worked. It now shuts down normally.

Thanks for all the help everyone. Its great to have a place to go to where you can always get real answers to stuff like this.