If Windows 7 is taking a long time to shut down and you are running with Driver Verifier turned on, the following message in the kernel debugger may come to your rescue:
Driver Verifier detected that this system didn't finish shutting
down in more than 20 minutes. To display information about the
thread that is responsible for shutting down, use these debugger
dp nt!VfShutdownThread l1;!thread @$p
This is a very helpful message when tracking down shutdown-time hangs. Verifier helpfully saves the shutdown thread address at nt!VfShutdownThread for you, so you can start looking at what the holdup is, perhaps starting with the stack trace of the shutdown thread.
This information can be helpful even if you are not investigating a shutdown hang but debugging things while the system is shutting down. Let us look at what verifier does to get us there.
When Windows 7 system shutdown processing hits nt!NtSetSystemPowerState (via wininit.exe calling ntdll!ZwShutdownSystem which translates to nt!NtShutdownSystem), a CriticalWorkQueue item at nt!PopShutdownWorkItem is queued and the wininit thread suspends itself.
That leads to a system worker thread continuing shutdown processing in worker thread routine nt!PopGracefulShutdown for the queued work item. PopGracefulShutdown in turn calls nt!VfShutdownScheduleWatchdog which sets up the infrastructure required for the notification we ultimately see in case shutdown takes a long time.
VfShutdownScheduleWatchdog checks whether verifier is enabled and, if it is, writes the current thread address to nt!VfShutdownThread. It also sets up a 10-minute timer of type NotificationTimer, associated with a DPC routine that will be called upon timer expiry. When shutdown takes longer than 10 minutes, the DPC at nt!ViShutdownWatchdogExecuteDpc fires.
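The flow described above (check that verifier is on, save the current thread, arm a timer bound to a DPC, report at expiry) can be modelled in user mode. This is an added example, not code from Windows or from the original post: every name in it is hypothetical, the thread object is a constructed stand-in, and treating the timer as one-shot is an assumption.

```c
/* User-mode model of the watchdog flow (constructed; all names hypothetical). */
#include <stdint.h>
#include <stdio.h>

#define UNITS_PER_SEC 10000000LL /* Windows kernel timers count 100 ns units */

struct watchdog {
    void   *shutdown_thread; /* plays the role of the saved thread address */
    int64_t due;             /* absolute expiry time in 100 ns units */
    void  (*dpc)(struct watchdog *); /* routine bound to the timer */
    int     armed, fired;
};

/* Relative due times are negative 100 ns counts (the KeSetTimer convention). */
static int64_t relative_due(int minutes) {
    return -(int64_t)minutes * 60 * UNITS_PER_SEC;
}

/* Stand-in for the expiry DPC: report which thread to inspect. */
static void report_dpc(struct watchdog *w) {
    w->fired++;
    printf("shutdown still running, inspect thread %p\n", w->shutdown_thread);
}

/* Scheduling step: do nothing unless verifier is on, else save thread, arm. */
static int watchdog_schedule(struct watchdog *w, int verifier_on,
                             void *current_thread, int64_t now, int minutes) {
    if (!verifier_on) return 0;
    w->shutdown_thread = current_thread;
    w->due = now - relative_due(minutes);
    w->dpc = report_dpc;
    w->armed = 1;
    return 1;
}

/* Expiry check: this model assumes a one-shot timer, so the DPC runs once. */
static int watchdog_poll(struct watchdog *w, int64_t now) {
    if (!w->armed || now < w->due) return 0;
    w->armed = 0;
    w->dpc(w);
    return 1;
}

int main(void) {
    struct watchdog w = {0};
    int fake_thread = 0; /* constructed stand-in for a thread object */
    watchdog_schedule(&w, 1, &fake_thread, 0, 10);
    watchdog_poll(&w, 11 * 60 * UNITS_PER_SEC); /* 11 minutes in: fires */
    return w.fired == 1 ? 0 : 1;
}
```

A driver that wants the same diagnostic for its own long-running operation can follow this shape: save the worker thread somewhere a debugger can find it before arming the timer, so the expiry report always points at a valid thread.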