Understanding windows Shutdown Process

1. Shutdown Principle
After we perform the shutdown operation, we usually see the system shutdown screen, followed by a short or long wait. What is the process hidden after the shutdown screen? Shutdown actually involves multiple processes like starting a machine. There is a process of mutual collaboration between components. Let's take a closer look at the process below:
1) Initiate a shutdown command
When the user initiates the shutdown command, the Shutdown program will be started. For windows XP, shutdowm.exe, win98and win2000are rundll32.exe. the program will notify the windows sub-system of the Process csrss.exe and CSRSS. after receiving the notification, the EXE will communicate with Winlogon. EXE performs a data exchange and prepares for shutdown, followed by Winlogon. EXE notifies CSRSS. EXE starts to shut down the system.
Csrss.exe is a client service subsystem used to control windows Graphics subsystems;
Winlogon.exe is a windows NT user logon program, mainly used to manage user logon and exit.
2) notify the user process to exit
In the first process, after receiving the notification from winlogon.exe, the Windows sub-system csrss.exewill query the user processes with top-level windows in sequence, such as common user programs, anti-virus software, and firewall to exit these processes. If a user process does not exit within the default timeout period of 5000 milliseconds (you can set the timeout period by modifying the registry key value HKEY_CURRENT_USER \ Control Panel \ Desktop \ HungAppTimeout, in Windows, the End Task dialog box is displayed to ask whether the task is terminated. By default, this dialog box is displayed and remains unchanged without being automatically closed. For the console program, the basic situation is similar, but Windows uses the HKEY_CURRENT_USER \ Control Panel \ Desktop \ WaitToKillAppTimeout value to set the timeout time.
3) Shut Down System Processes
Will be terminated. The process of terminating a system process is slightly different from that of terminating a user process. When a windows system terminates a system process, it is not like terminating a user process. If a user cannot be prompted during the specified time, the process is skipped directly, to terminate the next system process. The timeout value is the same as that used in step 1.

The above three points are soft protection during the shutdown process, which can protect the operating system or third-party applications. If it is forcibly disabled, it may cause exceptions such as file damage.

4) Exit and final shutdown of Core Components
In this step, winlogon.exe calls the system API function NtShutdownSystem () or ZwShutdownSystem to run the exit and final shutdown of windows core components. For example, the device driver completes some special operations on the driver settings in this phase. At this stage, the configuration management system writes the modified registry data to the disk. After all subsystems except the power management are completed and exited, the power management completes the final operations, such as restart and shutdown.

2. Response to shutdown Event Analysis
Whether you press the Power button on the chassis or click the Start Menu> close the computer (logout, shutdown, or restart), our applications can respond to such events, that is, the window message WM_QUERYENDSESSION and WM_ENDSESSION.
The system provides a common API to log out, shut down, and restart the system. Its declaration is as follows:
BOOL ExitWindowsEx (
UINT uFlags,
DWORD dwReason
);
The uFlags parameter can be divided into two types, which can be combined with "|:
1 ). shutdown: EWX_LOGOFF, EWX_SHUTDOWN (do not cut off the power after the system is turned off, even if the motherboard supports ATX power management), EWX_POWEROFF (shut down, shut down the system and then cut off the power supply, required for motherboard support) and EWX_REBOOT (restart ).
2 ). closing strength, which has the following signs: Value 0 (this is the default value when this flag is not used), EWX_FORCEIFHUNG (force disabled after the application is suspended for a period of time), EWX_FORCE (force disabled, whether the application is suspended or not ).
If the disable intensity sign (EWX_FORCE or EWX_FORCEIFHUNG) is not used, shutdown is safe, that is, during soft protection of shutdown, the system sends the WM_QUERYENDSESSION message to each top-level Window Process on the desktop. If no WM_QUERYENDSESSION message is returned, you can modify the registry key value HKEY_CURRENT_USER \ Cont rol Panel \ Desktop \ HungAppTimeout to set the timeout value, the End Task dialog box is displayed to check whether the task is completed. By default, this dialog box is displayed and remains unchanged, but it is not automatically closed. If the automatic end task is set (the HKEY_CURRENT_USER \ Cont rol Panel \ Desktop \ AutoEndTasks key value is changed to 1 ), if the returned value of the WM_QUERYENDSESSION message still does not exist after the timeout (HungAppTimeout), the task is terminated without displaying the End Task dialog box. If multiple processes respond to WM_QUERYENDSESSION and are suspended (for example, if a message box asking whether to save is displayed in Notepad), the system processes each process in a serial mode, that is, wait for the first pending process to respond to WM_QUERYENDSESSION and return it (send WM_ENDSESSION immediately to notify users in the same window of the selection <confirm to close>), send WM_QUERYENDSESSION to the next process, and wait for the pending timeout.

4. fast shutdown
Based on the previous description of the shutdown process, we can know that the shutdown process is completed step by step, and errors in one step may cause shutdown failure, the first three steps are the most time-consuming part of the shutdown process. Common shutdown problems are caused by these three steps.
I often hear about fast shutdown or shutdown optimization software. How can they be implemented? Is it useful?
1) Two registry key values are mentioned in the shutdown principle, which correspond to the timeout response time of the relevant program. We can modify and reduce these two key values, HKEY_CURRENT_USER \ Control Panel \ Desktop \ HungAppTimeout and HKEY_CURRENT_USER \ Control Panel \ Desktop \ WaitToKillAppTimeout are valid, as described earlier, the reason is that the first key value sets the timeout time for the user process to exit automatically, and the last key value sets the timeout time for the console program to exit automatically. Reducing these two key values will speed up the exit of the user and console processes and speed up shutdown.
2) Classic shutdown Techniques
Press ctrl to work with the task manager to quickly shut down the instance and immediately shut down the instance within one or two seconds. The principle is that the shutdown process skips the first three steps and goes directly to step 1, the risk is that your application data may be lost, and the operating system files may be damaged and cannot enter the system. The so-called fast shutdown software directly calls the ZwShutdownSystem () Implementation in ntdll. dll. In fact, most of the problems with slow windows Shutdown are that users use too many programs before shutdown, or they have not exited some large software before shutdown, or some software exit management problems, resulting in a delay in shutdown, so speed up shutdown, the correct way is to reduce the impact of applications on the shutdown process, if you try to shut down the user program before shutting down, try not to shut down the computer when it is busy.
Let's take a look at the code for power-off:
Const int SE_SHUTDOWN_PRIVILEGE = 0x13;
Typedef int (_ stdcall * PFN_RtlAdjustPrivilege) (INT, BOOL, BOOL, INT *);
Typedef int (_ stdcall * PFN_ZwShutdownSystem) (INT );
HMODULE hModule =: LoadLibrary (_ T ("ntdll. dll "));
If (hModule! = NULL)
{
PFN_RtlAdjustPrivilege pfnRtl = (PFN_RtlAdjustPrivilege) GetProcAddress (hModule, "RtlAdjustPrivilege ");
PFN_ZwShutdownSystem pfnShutdown = (PFN_ZwShutdownSystem) GetProcAddress (hModule, "ZwShutdownSystem ");
If (pfnRtl! = NULL & pfnShutdown! = NULL)
{
Int en = 0;
Int nRet = pfnRtl (SE_SHUTDOWN_PRIVILEGE, TRUE, TRUE, & en );
If (nRet = 0x0C000007C)
NRet = pfnRtl (SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE, & en );
// SH_SHUTDOWN = 0;
// SH_RESTART = 1;
// SH_POWEROFF = 2;
Const int SH_POWEROFF = 2;
NRet = pfnShutdown (POWEROFF );
}

}

3. Unable to shut down the debugging instance

Http://blogs.msdn.com/ntdebugging/archive/2009/11/09/system-won-t-power-down.aspx

This article details the shutdown principle and a debugging instance that cannot be shut down by the system. The debugging process is worth learning.