Navigation


Content

Tip: keyboard shortcut Ctrl+F searches in the page contents.

Troubleshoot performance in Windows Vista, 7, 8 and 8.1

How to troubleshoot startup and shutdown performance in Windows Vista, 7, 8 and 8.1

By . Last modified: 2013-09-11.

Windows might sometimes be really slow during startup, shutdown or returning from sleep/hibernation. This might be caused by a bad or outdated driver, or some program/service running startup/shutdown tasks. Worst cases end up with delays up to 30 minutes!

Windows XP has no real tools for troubleshooting such behavior and the only tool provided by Microsoft is the User Profile Hive Cleanup utility for speeding up logoffs. Well, Task Manager can also be used for finding out resource-hungry programs and services.

Windows Vista, 7, 8 and 8.1, however, have a special Diagnostics-Performance log that can be checked using Event Viewer. This log records all slowdowns while Windows starts, runs, shuts down or goes to or returns from sleep - events appear only when something slows Windows down; expected behavior is not recorded.

But in all cases, running essential anti-virus and anti-malware checks are the first two steps in troubleshooting Windows performance.

Starting Event Viewer in Windows Vista, 7, 8 and 8.1

In Windows Vista and 7, open Start menu by clicking Start button or using keyboard shortcut Ctrl+Esc. Type "event" into Search box and click Event Viewer in the results.
In Windows 8 and 8.1, use keyboard shortcut Windows Key+X to open Quick Links menu (a list of system tools) and click Event Viewer. Alternatively, open Apps search/Search everywhere using keyboard shortcut WINDOWS KEY+Q, type event into Search box and click the result.
Windows Vista, Start menu. To start Event Viewer, type event into Search box and click Event Viewer. Windows 8, list of system utilities (Windows Key+X). Click Event Viewer. Windows 8, Start screen, Apps search. To start Event Viewer, type 'event' into Search box and click Event Viewer.

In Windows Vista, User Account Control greets you with a confirmation prompt, click Continue.
Windows Vista, User Account Control dialog for Microsoft Management Console. Click Continue.

Event Viewer opens Overview and Summary screen with summary of recent Administrative Events, recently viewed log names and log size and overwriting policies summary.
Windows 7, Event Viewer

Expand Applications and Services Logs, Microsoft, Windows, Diagnostics-Performance. Then click Operational.
Windows Vista, Event Viewer. To see performance events, expand 'Applications and Services Logs', 'Microsoft', 'Windows', 'Diagnostics-Performance'. Then click 'Operational'.

You might want to learn more about using Event Viewer for filtering and finding events.

First things to check if Windows is slow

In all versions of Windows, you should always check for disk and page file error events first - see if there are error events with ID 7, 49 or 55 in System log of Event Viewer:

  • Event ID 7 - "The device <device name> has a bad block". If the device is something like \Device\CdRom0, there is no need to panic - a CD or DVD you entered had some unreadable sectors on it.
    If the device name is like \Device\HardDisk0\Partition1, your hard disk drive might be faulty. There are some unreadable sectors on it and this will ultimately lead to data loss. You might have experienced computer slowdown before and after the event occurred. Back up your data immediately to an external drive and run disk check! Then try to find a replacement drive and restore Windows on it.
  • Event ID 49 - "Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory".
    This happens when you manually set Page File size, then add Random Access Memory (RAM) to your computer and do not adjust Windows Page File size accordingly. A typical Windows Page File size is one and a half times of RAM size - if you have 1 GB of RAM, the Page File size should be at least 1.5 GB.
  • Event ID 55 - "The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume <volume name>". Files and folders on a disk are messed up. Load Disk Management and see what drive letter(s) is/are assigned to the hard disk with specified number. Then run Disk Check.

You should also check if there is enough free space (at least 10% available) on all hard drives - running out of space slows Windows down significantly.

Important events in Diagnostics-Performance log of Windows Event Viewer

The Diagnostics-Performance log is often full of critical, error and warning events. This is normal because no events are recorded here while Windows performs as expected. Always check the date and time of recorded events to prevent wasting time on problems that have already been solved.
All events are divided into different categories:

  • Event ID-s 100-199 deal with Windows startup/boot problems (Boot Performance Monitoring category).
  • Event ID-s 200-299 deal with Windows shutdown problems (Shutdown Performance Monitoring category).
  • Event ID-s 300-399 deal with Windows standby (sleep or hibernation) problems (Standby Performance Monitoring category).

All Event ID-s are related - 101, 201, 301 reveal the same trouble (slowdown due to an application), but during startup, shutdown or sleep/hibernation.

In addition, events with ID-s 500 and 501 (Desktop Window Manager Monitoring category) are recorded in the Diagnostics-Performance log while Windows slows down to a crawl because some resources are over-utilized. During such events, Windows is not responding normally - mouse pointer does not move or moves very slowly, using keyboard seems to have no effect whatsoever, programs stop responding and their windows go blank.

Event ID 100/200/300

Events 100, 200 and 300 in the Diagnostics-Performance log mean that Windows has started up, shut down or resumed from standby (sleep or hibernation).

The level of events (Warning, Error, Critical) shows how much slower the recorded event is than what Windows considers to be normal. If the slowdown is under 30 seconds, it has warning level. Slowdowns that consume between 30-60 seconds, have error level. If the recorded slowdown takes over 60 seconds, it is considered to be critical.

Here is an example of Event ID 100 - Windows has started up.
Boot Duration displays the total time (in milliseconds) it took Windows to start -  a little over 246 seconds (4.1 minutes). In case of Event ID 200, the line reads Shutdown Duration instead.
IsDegradation "true" means that some Windows built-in application or service has caused this slowdown. For example sidebar.exe (Desktop Gadgets) or ssdpsrv (SSDP Discovery). If it reads "false", the problem lies elsewhere.
Incident Time reveals the exact date and time when this event was recorded (time zone here is UTC).
Windows 7, Event Viewer, Diagnostics-Performance log. Event 100, Windows has started up. Boot Duration shows how much time it took for Windows to start.

Event ID 300 (Windows has resumed from standby) also displays the time when the sleep/hibernation event occurred (Standby Incident Time) and how long it took (Standby Duration).
The Resume Duration and Resume Incident Time lines should now be self-explanatory, right? Smile
Windows 7, Event Viewer, Diagnostics-Performance log. Event 200, Windows has resumed from standby. Standby Incident Time reveals when the computer hibernated or went to sleep; Standby Duration shows how much time it took. Resume Incident Time displays the date and time when the computer resumed from sleep or hibernation; Resume Duration reveals how long it took.

Event ID 101/201/301

Events 101, 201 and 301 in the Diagnostics-Performance log reveal that an application caused the slowdown during Windows startup, shutdown or going to/resume from standby.

Here's an example of Event ID 101, "This application took longer than usual to start up, resulting in a performance degradation in the system startup process". Event ID 201 is called "This application caused a delay in the system shutdown process" and Event ID 301 is called "This application caused a delay during standby".
File Name, Friendly Name and Version reveal the exact application.
Total Time means the time it took for the application to start or shut down.
Degradation Time displays how much longer than usual it took the application to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 101, This application took longer than usual to start up. File Name, Friendly Name and Version reveal the exact application that caused the slowdown.

If this event happens only once, it probably needs no attention. In the example above, avast! Anti-Virus was updating itself to a newer version - so the delay was normal.

In case of repeated events related to the application, seek for software update or use CCleaner for safely turning it off during Windows startup. Many programs that are not really needed, run in the background and cause Windows startup, shutdown and standby problems.
If you are absolutely certain you do not need the program at all, uninstall it by opening Control Panel and clicking Programs and Features (aka Uninstall a program). Start menu Search box also finds the items.

Event ID 102/202/302, 109/209/309 and 151/251/351

Events 102, 202 and 302 in the Diagnostics-Performance log mean that a driver has caused a delay during startup, shutdown or standby.
Events 109, 209 and 309 mean the same for a device.
Events 151, 251 and 351 indicate slow response time for a driver during Windows startup, shutdown or standby.

Here's an example of Event ID 302 - This driver caused a delay during standby while servicing a device. Event ID 102 is called "This driver took longer to initialize, resulting in a performance degradation in the system start up process".
Driver File Name, Driver Friendly Name and Driver Version reveal the exact driver.
Driver Total Time means the total delay caused by the driver.
Driver Degradation Time displays how much longer than normal it took for the driver to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 302, This driver caused a delay during standby while servicing a device. Seek for driver update.

Here's an example of Event ID 109 - This device took longer to initialize, resulting in a performance degradation in the system start up process. In case of Event ID 309, the message might also read "Preparing core system for sleep was slower than expected" - meaning that defragmentation can be helpful.
File NameFriendly Name and Version reveal the exact device.
Total Time means the total delay caused by the device.
Degradation Time displays how much longer than normal it took for the device to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 109, This device took longer to initialize. Seek for driver update.

And finally, an example of Event ID 351 - This driver responded slower than expected to the resume request while servicing this device.
Driver File NameDriver Friendly NameDriver Version, Device Name and Device Friendly Name reveal the exact driver and device.
Driver Total Time and Device Total Time mean the total delay caused by the driver and the device.
Driver Degradation Time and Device Degradation Time display how much longer than normal it took for the driver and the device to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 351, This driver responded slower than expected to the resume request while servicing this device. Seek for driver update.

If such events happen only once, they probably need no attention. But in the cases above, an outdated audio driver and outdated chipset software caused multiple delays.

In case of repeated events related to the driver, seek for device driver update. First, open Windows Update and see if there is an software update available to the device among Optional updates. If there is, install it and re-check the Diagnostics-Performance log after a system restart.
Intel has free online Driver Update Utility that uses either ActiveX control for Internet Explorer or Java for other browser to automatically detect available updates.
You can also use some free driver update software, SlimDrivers for example.

For many storage devices, you should also visit the manufacturer's home page and check for some optimization software (e.g. Intel Rapid Storage Technology aka Intel Matrix Storage Manager).

Event ID 103/203/303

Events 103, 203 and 303 in the Diagnostics-Performance log mean that some service has caused a delay in Windows startup, shutdown or standby.

Here's an example of Event ID 203 - This service caused a delay in the system shutdown process.  Event ID 103 is titled "This startup service took longer than expected to startup, resulting in a performance degradation in the system start up process" and Event 303 is called "This service caused a delay during hybrid-sleep".
File NameFriendly Name and Version reveal the exact service.
Total Time means the total delay caused by the service.
Degradation Time displays how much longer than normal it took for the service to start or shut down.
Incident Time reveals the exact date and time when this event was recorded.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 203, This service caused a delay in the system shutdown process. Seek for driver update.

If this event happens only once, it probably needs no attention. In the example above, the delay was again caused by an outdated audio device driver.

For services related to hardware devices, you should update the corresponding driver - see the previous section (Event ID 102/202/302, 109/209/309 and 151/251/351) for instructions on this.

For repeated incidents with other services, you should either look for a software update/upgrade or use Windows Update.
Sometimes, essential system optimization (defragmentation, disk cleanup, cleaning Windows Registry or even using ReadyBoost) is solution here.
If the troublesome service is related to a program you do not use, uninstall it by opening Control Panel and clicking Programs and Features (aka Uninstall a program). Start menu Search box also finds the items.

Event ID 106

Event 106 means that background optimization/prefetching took longer than usual. A special Prefetcher process checks which files are commonly in heavy use during booting and optimizes calls to these files the next time, therefore reducing Windows startup time.
SuperFetch and ReadyBoost optimize most used applications the same way, but only when Windows is already running. Windows Disk Defragmenter also uses this data to move files used the most into the area of hard disk where access time is the lowest.

Here's an example of Event ID 106 - Background optimizations (prefetching) took longer to complete, resulting in a performance degradation in the system start up process.
Name is always "BackgroundPrefetchTime" here.
Total Time means the total delay caused by the Prefetcher.
Degradation Time displays how much longer than normal it took for the Prefetcher to finish its job.
Incident Time reveals the exact date and time when this event was recorded.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 106, Background optimizations (prefetching) took longer to complete. No action is required.

This message normally appears every week or two and it is no call for action. Prefetcher re-optimizes its cache for newly installed or update programs.

In case you do see this message (almost) every day, you should remove older applications from Prefetcher's cache using CCleaner (the Old Prefetch data item in the Advanced section). Defragmenting system drive (the drive where Windows is installed) might also help.

Event ID 110/210/310

Events 110, 210 and 310 in the Diagnostics-Performance log mean that some essential Windows component has caused a delay in startup, shutdown or standby.

Here's an example of Event ID 110 - Session manager initialization caused a slow down in the startup process.
Name reveals the essential component that caused the slowdown.
Total Time means the total delay caused by the component.
Degradation Time displays how much longer than normal it took for the component to finish its job.
Incident Time reveals the exact date and time when this event was recorded.
Windows Vista, Event Viewer, Diagnostics-Performance log. Event 110, Session manager initialization caused a slow down in the startup process. Try defragmenting system disk.

And here's an example of Event ID 310 - Preparing system worker threads for sleep was slower than expected.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 310, Preparing system worker threads for sleep was slower than expected. Try defragmenting system disk.

Again, if such events appear only once in a long time, there is no need for additional actions.

Repeated cases call for essential system optimization: defragmentationdisk cleanupcleaning Windows Registry or ReadyBoost.

Event ID-s 500 and 501

Events 500 and 501 in the Diagnostics-Performance log mean that a resource (normally, CPU aka processor) is over-utilized. This reflects in very bad responsiveness of Windows and running programs - mouse pointer might stop moving, program windows go blank and using keyboard keys has effect after several seconds or even minutes.

Here's an example of Event ID 501 - The Desktop Window Manager is experiencing heavy resource contention.
Reason reveals the exhausted resource.
Diagnosis shows what part of Windows slowed down.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 501, The Desktop Window Manager is experiencing heavy resource contention. Try defragmenting system disk.

In Event Viewer, Event 501 is always followed by Event 500 that has the same title - The Desktop Window Manager is experiencing heavy resource contention.
Scenario reveals what part of Windows has slowed down.
Windows 7, Event Viewer, Diagnostics-Performance log. Event 500, The Desktop Window Manager is experiencing heavy resource contention. Try defragmenting system disk.

If you see such events rarely, there is no need to do anything particular.

In case your computer's processor (CPU) is often over-utilized and you have updated all drivers and software, it is time to either perform essential system optimization (defragmentationdisk cleanupcleaning Windows Registry or ReadyBoost), disable visual effectsupgrade memory (RAM) or monitor real-time performance with Task Manager and Resource Manager for determining which programs or apps hog CPU and RAM.

Please support winhelp.us:
No PayPal account required!

 Comments? Suggestions? Ideas? Let me know! 
Your name (public):
Your e-mail (will not be displayed):
Title:
Notify me of new comments to this item: (send e-mail to info[at]winhelp.us to stop receiving)
Your comments/suggestions/ideas (no HTML code!)
winhelp.us owners reserve the right to remove or not publish comments that they find unacceptable because of strong language, inappropriate contents, advertising or spamming.
winhelp.us Privacy Policy.
This is a captcha-picture. It is used to prevent mass-access by robots. (see: www.captcha.net)
Share: Facebook Google+ Twitter LinkedIn StumbleUpon Pinterest E-mail

Browser and plugin check Google Custom Search Donate to keep this site running