
Troubleshoot performance in Windows Vista, 7, 8 and 8.1

Last modified: 2014-08-14.

How to troubleshoot system performance in Windows Vista, 7, 8 and 8.1

Windows might sometimes be really slow during startup, shutdown or returning from sleep/hibernation. This might be caused by a bad or outdated driver, or some program/service running startup/shutdown tasks. Worst cases end up with delays up to 30 minutes.

Windows XP has no real tools for troubleshooting such behavior and the only tool provided by Microsoft is the User Profile Hive Cleanup utility for speeding up logoffs. Well, Task Manager can also be used for finding out resource-hungry programs and services.

Windows Vista, 7, 8 and 8.1, however, have a special Diagnostics-Performance log that can be checked using Event Viewer. This log records slowdowns while Windows starts, runs, shuts down or goes to or returns from sleep or hibernation.

But in all cases, essential anti-virus and anti-malware checks are the first two steps in troubleshooting Windows performance.
You should also check the Windows Experience Index (aka WEI) to determine the hardware bottlenecks of your system and, if possible, replace or upgrade the weakest parts.

Starting Event Viewer in Windows Vista, 7, 8 and 8.1

In Windows Vista and 7, open Start menu by clicking Start button or using keyboard shortcut Ctrl+Esc. Type "event" into Search box and click Event Viewer in the results.
In Windows 8 and 8.1, use keyboard shortcut Windows Key+X to open Quick Links menu (a list of system tools) and click Event Viewer. Alternatively, open Apps search/Search everywhere using keyboard shortcut Windows Key+Q, type event into Search box and click the result.

In Windows Vista, User Account Control greets you with a confirmation prompt; click Continue.

Event Viewer opens Overview and Summary screen with summary of recent Administrative Events, recently viewed log names and log size and overwriting policies summary.

Expand Applications and Services Logs, Microsoft, Windows, Diagnostics-Performance. Then click Operational.

You might want to learn more about using Event Viewer for filtering and finding events.

System events to look for if Windows is slow

In all versions of Windows, you should always check for disk and page file error events first - see if there are error events with ID 7, 49 or 55 in System log of Event Viewer:

  • Event ID 7 - "The device <device name> has a bad block". If the device is something like \Device\CdRom0, there is no need to panic - a CD or DVD you inserted had some unreadable sectors on it.
    If the device name is like \Device\HardDisk0\Partition1, your hard disk drive might be faulty. There are some unreadable sectors on it and this will ultimately lead to data loss. You might have experienced computer slowdown before and after the event occurred. Back up your data immediately to an external drive and run disk check! Then try to find a replacement drive and restore Windows on it.
  • Event ID 49 - "Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory".
    This happens when you manually set Page File size, then add Random Access Memory (RAM) to your computer and do not adjust Windows Page File size accordingly. A typical Windows Page File size is one and a half times the RAM size - if you have 1 GB of RAM, the Page File size should be at least 1.5 GB.
  • Event ID 55 - "The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume <volume name>". Files and folders on a disk are messed up. Load Disk Management and see what drive letter(s) is/are assigned to the hard disk with specified number. Then run Disk Check.

You should also check if there is enough free space (at least 10% available) on all hard drives - running out of space slows Windows down significantly.

Important events in Diagnostics-Performance log of Windows Event Viewer

The Diagnostics-Performance log is often full of critical, error and warning events. This is normal because no events are recorded here while Windows performs as expected. Always check the date and time of recorded events to prevent wasting time on problems that have already been solved.
All events are divided into different categories:

  • Event ID-s 100-199 deal with Windows startup/boot problems (Boot Performance Monitoring category).
  • Event ID-s 200-299 deal with Windows shutdown problems (Shutdown Performance Monitoring category).
  • Event ID-s 300-399 deal with Windows standby (sleep or hibernation) problems (Standby Performance Monitoring category).
  • Event ID-s 400-499 deal with disk and memory utilization (System Performance Monitoring category).
  • Event ID-s 500-599 deal with CPU and video utilization (Desktop Window Manager Monitoring category).

All Event ID-s in the 100-399 range are related - 101, 201, 301 reveal the same type of trouble (slowdown due to an application), but during startup, shutdown or sleep/hibernation.

Event ID 100/200/300

Events 100, 200 and 300 in the Diagnostics-Performance log mean that Windows has started up, shut down or resumed from standby (sleep or hibernation).

The level of events (Warning, Error, Critical) shows how much slower the recorded event is than what Windows considers to be normal:

  • If the slowdown is under 30 seconds, it has warning level.
  • Slowdowns of between 30 and 60 seconds have error level.
  • If the recorded slowdown takes over 60 seconds, it is considered to be critical.

Here is an example of Event ID 100 - Windows has started up.
Boot Duration displays the total time (in milliseconds) it took Windows to start - a little over 246 seconds (4.1 minutes). In case of Event ID 200, the line reads Shutdown Duration instead.
IsDegradation "true" means that some Windows built-in application or service has caused this slowdown. For example sidebar.exe (Desktop Gadgets) or ssdpsrv (SSDP Discovery). If it reads "false", the problem lies elsewhere.
Incident Time reveals the exact date and time when this event was recorded (time zone here is UTC).
Windows 7, Event Viewer, Diagnostics-Performance log. Event 100, Windows has started up. Boot Duration shows how much time it took for Windows to start.

Event ID 300 (Windows has resumed from standby) also displays the time when the sleep/hibernation event occurred (Standby Incident Time) and how long it took (Standby Duration).
The Resume Duration and Resume Incident Time lines should now be self-explanatory, right?
Windows 7, Event Viewer, Diagnostics-Performance log. Event 200, Windows has resumed from standby. Standby Incident Time reveals when the computer hibernated or went to sleep; Standby Duration shows how much time it took. Resume Incident Time displays the date and time when the computer resumed from sleep or hibernation; Resume Duration reveals how long it took.

Event ID 101/201/301

Events 101, 201 and 301 in the Diagnostics-Performance log reveal that an application caused the slowdown during Windows startup, shutdown or going to/resume from standby.

Here's an example of Event ID 101, "This application took longer than usual to start up, resulting in a performance degradation in the system startup process". Event ID 201 is called "This application caused a delay in the system shutdown process" and Event ID 301 is called "This application caused a delay during standby".
File Name, Friendly Name and Version reveal the exact application.
Total Time means the time it took for the application to start or shut down.
Degradation Time displays how much longer than usual it took the application to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 101, This application took longer than usual to start up. File Name, Friendly Name and Version reveal the exact application that caused the slowdown.

If this event happens only once, it probably needs no attention. In the example above, avast! Anti-Virus was updating itself to a newer version - so the delay was normal.

In case of repeated events related to the application, look for a software update or use CCleaner for safely turning it off during Windows startup. Many unnecessary programs run in the background and cause Windows startup, shutdown and standby problems.

If you are absolutely certain you do not need the troublesome program at all, uninstall it by opening Control Panel and clicking Programs and Features (aka Uninstall a program). Start menu Search box also finds the items.

Event ID 102/202/302, 109/209/309 and 151/251/351

Events 102, 202 and 302 in the Diagnostics-Performance log mean that a driver has caused a delay during startup, shutdown or standby.
Events 109, 209 and 309 mean the same for a device.
Events 151, 251 and 351 indicate slow response time for a driver during Windows startup, shutdown or standby.

Here's an example of Event ID 302 - This driver caused a delay during standby while servicing a device. Event ID 102 is called "This driver took longer to initialize, resulting in a performance degradation in the system start up process".
Driver File Name, Driver Friendly Name and Driver Version reveal the exact driver.
Driver Total Time means the total delay caused by the driver.
Driver Degradation Time displays how much longer than normal it took for the driver to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 302, This driver caused a delay during standby while servicing a device. Seek for driver update.

Here's an example of Event ID 109 - This device took longer to initialize, resulting in a performance degradation in the system start up process. In case of Event ID 309, the message might also read "Preparing core system for sleep was slower than expected" - meaning that defragmentation can be helpful.
File Name, Friendly Name and Version reveal the exact device.
Total Time means the total delay caused by the device.
Degradation Time displays how much longer than normal it took for the device to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 109, This device took longer to initialize. Seek for driver update.

And finally, an example of Event ID 351 - This driver responded slower than expected to the resume request while servicing this device.
Driver File Name, Driver Friendly Name, Driver Version, Device Name and Device Friendly Name reveal the exact driver and device.
Driver Total Time and Device Total Time mean the total delay caused by the driver and the device.
Driver Degradation Time and Device Degradation Time display how much longer than normal it took for the driver and the device to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 351, This driver responded slower than expected to the resume request while servicing this device. Seek for driver update.

If these events happen only once, they probably need no attention. But in the cases above, an outdated audio driver and outdated chipset software caused multiple delays.

In case of repeated events related to the driver, look for a device driver update. First, open Windows Update and see if there is a software update available for the device among Optional updates. If there is, install it and re-check the Diagnostics-Performance log after a system restart.
Intel has a free online Driver Update Utility that uses either an ActiveX control for Internet Explorer or Java for other browsers to automatically detect available updates.
You can also use some free driver update software, SlimDrivers for example.

For many storage devices, you should also visit the manufacturer's home page and check for some optimization software (e.g. Intel Rapid Storage Technology aka Intel Matrix Storage Manager).

Event ID 103/203/303

Events 103, 203 and 303 in the Diagnostics-Performance log mean that some service has caused a delay in Windows startup, shutdown or standby.

Here's an example of Event ID 203 - This service caused a delay in the system shutdown process. Event ID 103 is titled "This startup service took longer than expected to startup, resulting in a performance degradation in the system start up process" and Event 303 is called "This service caused a delay during hybrid-sleep".
File Name, Friendly Name and Version reveal the exact service.
Total Time means the total delay caused by the service.
Degradation Time displays how much longer than normal it took for the service to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 203, This service caused a delay in the system shutdown process. Seek for driver update.

If this event happens only once, it probably needs no attention. In the example above, the delay was again caused by an outdated audio device driver.

For services related to hardware devices, you should update the corresponding driver - see the previous section (Event ID 102/202/302, 109/209/309 and 151/251/351) for instructions on this.

For repeated incidents with other services, you should either look for a software update/upgrade or use Windows Update.
Sometimes, essential system optimization (defragmentation, disk cleanup, cleaning Windows Registry or even using ReadyBoost) is the solution here.
If the troublesome service is related to a program you do not use, uninstall it by opening Control Panel and clicking Programs and Features (aka Uninstall a program). Start menu Search box also finds the items.

Event ID 106

Event 106 means that background optimization/prefetching took longer than usual. A special Prefetcher process checks which files are commonly in heavy use during booting and optimizes calls to these files the next time, therefore reducing Windows startup time.
SuperFetch and ReadyBoost optimize most used applications the same way, but only when Windows is already running. Windows Disk Defragmenter also uses this data to move files used the most into the area of hard disk where access time is the lowest.

Here's an example of Event ID 106 - Background optimizations (prefetching) took longer to complete, resulting in a performance degradation in the system start up process.
Name is always "BackgroundPrefetchTime" here.
Total Time means the total delay caused by the Prefetcher.
Degradation Time displays how much longer than normal it took for the Prefetcher to finish its job.
Incident Time reveals the exact date and time when this event was recorded.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 106, Background optimizations (prefetching) took longer to complete. No action is required.

This message normally appears every week or two and does not call for action. Prefetcher re-optimizes its cache for newly installed or updated programs.

In case you do see this message almost every day, you should remove older applications from Prefetcher's cache using CCleaner (the Old Prefetch data item in the Advanced section). Defragmenting system drive (the drive where Windows is installed) might also help.

Event ID 110/210/310

Events 110, 210 and 310 in the Diagnostics-Performance log mean that some essential Windows component has caused a delay in startup, shutdown or standby.

Here's an example of Event ID 110 - Session manager initialization caused a slow down in the startup process.
Name reveals the essential component that caused the slowdown.
Total Time means the total delay caused by the component.
Degradation Time displays how much longer than normal it took for the component to finish its job.
Incident Time reveals the exact date and time when this event was recorded.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 110, Session manager initialization caused a slow down in the startup process. Try defragmenting system disk.

And here's an example of Event ID 310 - Preparing system worker threads for sleep was slower than expected.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 310, Preparing system worker threads for sleep was slower than expected. Try defragmenting system disk.

Again, if such events appear only once in a long time, there is no need for additional actions.

Repeated cases call for essential system optimization: defragmentation, disk cleanup, cleaning Windows Registry or ReadyBoost.

Event ID-s 400/401/402/407

Event 400 in the Diagnostics-Performance log indicates that a system slowdown was recorded and analysis of the cause has been completed.
The Scenario field shows which component had performance trouble.
The Analysis result field reveals whether the rootcause was or was not found. This is an informational event only, further events indicate the exact cause, if possible.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 400, System responsiveness analysis was successful and  rootcauses were found. Further events with ID 401, 402 or 407 reveal the exact cause. Windows Vista, Event Viewer, Diagnostics-Performance log. Event 400, Start menu responsiveness analysis was unable to find any rootcauses.

Events 401, 402 and 407 in the Diagnostics-Performance log mean that some process is consuming too many CPU, disk or memory resources.

Here's an example of Event ID 401, "This process is using up processor time and is impacting the performance of Windows". File Name and Friendly Name fields show the program that caused the slowdown.
It is Windows Sidebar (aka Desktop Gadgets) in this example, a component that often hogs Windows Vista (in Windows 7, its performance is way better). If the event occurs often, you can either reduce the number of elements displayed in Sidebar, or even better - turn it off completely by clearing the Start Sidebar when Windows starts check box.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 401, This process is using up processor time and is impacting the performance of Windows. Close the program or seek for an update to it.

Let's see an example of Event ID 402, "This process is doing excessive disk activities and is impacting the performance of Windows". Again, File Name and Friendly Name fields show the program to blame for the slowdown.
In this example, it is Java Updater. In case of repeated events, you can either turn the updater off with CCleaner and use free Secunia PSI for automated updates, or you can uninstall Java completely if it is not required. More experienced users might want to switch from traditional hard drive to SSD to gain more disk performance.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 402, This process is doing excessive disk activities and is impacting the performance of Windows. Close the program or seek for an update to it.

And finally, an example of Event ID 407, "This process is using up too much system memory". As usual, File Name and Friendly Name fields can be used for determining the program.
Here it is Google Chrome browser - you can reduce the number of open Tabs, installed extensions, or verify that the program is up to date. If possible, upgrade system memory (RAM).
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 407, This process is using up too much system memory. Close the program or seek for an update to it.

Event ID-s 500 and 501

Events 500 and 501 in the Diagnostics-Performance log mean that a resource (usually CPU aka processor, or video/graphics subsystem) is over-utilized. This reflects in very bad responsiveness of Windows and running programs - mouse pointer might stop moving, program windows go blank and using keyboard keys has effect after several seconds or even minutes.

Here are examples of Event ID 501 - The Desktop Window Manager is experiencing heavy resource contention, CPU and Graphics subsystem resources are over-utilized.
Reason reveals the exhausted resource.
Diagnosis shows what part of Windows slowed down.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 501, The Desktop Window Manager is experiencing heavy resource contention, Reason: CPU resources are over-utilized. Try closing unneeded programs and defragmenting system disk.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 501, The Desktop Window Manager is experiencing heavy resource contention, Reason: Graphics subsystem resources are over-utilized. Disable some effects or the whole Aero manager.

In Event Viewer, Event 501 is always followed by Event ID 500 that has the same title - The Desktop Window Manager is experiencing heavy resource contention.
Scenario reveals what part of Windows has slowed down.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 500, The Desktop Window Manager responsiveness has degraded. Try closing unneeded programs and defragmenting system disk. Windows Vista, Event Viewer, Diagnostics-Performance log. Event 500, Video memory resources are over-utilized. Try closing unneeded programs and disabling some or all Aero effects.

If you see such events rarely, there is no need to do anything particular.

In case your computer's processor (CPU) is often over-utilized and you have updated all drivers and software, it is time to either perform essential system optimization (defragmentation, disk cleanup, cleaning Windows Registry or utilizing ReadyBoost), disable visual effects, or upgrade memory (RAM).

Windows Vista users should verify that Search and Indexing setting in Advanced Power Options is not set to High Performance - this will noticeably degrade system responsiveness.

Monitoring real-time performance with Task Manager and Resource Manager helps determine which programs or apps hog CPU and RAM.

If the events are related to graphics subsystem, you should disable some or all visual effects (aka Aero interface), keep less graphics-intensive programs running at the same time, or upgrade your graphics/video adapter.
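
The checks described in this article can also be scripted instead of clicked through in Event Viewer. The following PowerShell is an added example, not part of the original article: it lists System log events 7, 49 and 55, then groups Diagnostics-Performance events by the ID ranges given above and reports only the applications, drivers and services that recur. The 30-day window and the event data field names (FriendlyName, Name, DegradationTime) are assumptions.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
$Days    = 30                                  # assumption: look-back window
$Since   = (Get-Date).AddDays(-$Days)
$PerfLog = 'Microsoft-Windows-Diagnostics-Performance/Operational'

# 1. Disk and page file errors in the System log (IDs 7, 49, 55).
#    Event IDs are only unique per provider, so show ProviderName and Message
#    and compare them with the message texts quoted in the article.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7, 49, 55; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List | Out-Host

# 2. Map an event ID to the category ranges listed in the article.
function Get-PerfCategory([int]$Id) {
    switch ([math]::Floor($Id / 100)) {
        1 { 'Boot' }
        2 { 'Shutdown' }
        3 { 'Standby' }
        4 { 'System (disk/memory)' }
        5 { 'Desktop Window Manager' }
        default { 'Other' }
    }
}

# Collect the <Data Name="..."> values of one event into a hashtable.
function Get-EventData($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).GetElementsByTagName('Data')) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    $fields
}

$rows = @(Get-WinEvent -FilterHashtable @{ LogName = $PerfLog; StartTime = $Since } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventData $_
        # Assumption: the offending item is stored as 'FriendlyName' or 'Name'
        # and the extra delay as 'DegradationTime' (milliseconds).
        $name = $f['FriendlyName']
        if (-not $name) { $name = $f['Name'] }
        New-Object PSObject -Property @{
            Time          = $_.TimeCreated
            Id            = $_.Id
            Level         = $_.LevelDisplayName
            Category      = Get-PerfCategory $_.Id
            Offender      = $name
            DegradationMs = [int64]$f['DegradationTime']
        }
    })

# 3. How many Warning/Error/Critical events each category produced.
$rows | Group-Object Category, Level | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize | Out-Host

# 4. Only items seen at least twice; one-off events need no attention.
$rows | Where-Object { $_.Offender } | Group-Object Id, Offender |
    Where-Object { $_.Count -ge 2 } | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Id';               e = { $_.Group[0].Id } },
        @{ n = 'Offender';         e = { $_.Group[0].Offender } },
        @{ n = 'MaxDegradationMs'; e = { ($_.Group | Measure-Object DegradationMs -Maximum).Maximum } },
        @{ n = 'LastSeen';         e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize | Out-Host
```

Check the LastSeen column before acting on a result, so that you do not spend time on a problem that has already been solved.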

 
