services.exe batters disk writes on startup

1

I have a Windows 7 Professional workstation that takes about ~3 full minutes to boot from cold. The CPU runs nice and low throughout the boot, but the disks are being battered. Resource Monitor suggests that 'services.exe' within C:\Windows\System32\ is to blame.

I have run virus checks and run 'msconfig' to clear the startup, but with no luck. What is services doing that is taking so long?

Some Googling revealed a possible virus/trojan - but I'm not quite willing to jump to that conclusion quite yet.

Help and suggestions appreciated.

dooburt

Posted 2011-03-23T18:22:17.563

Reputation: 113

Run Malwarebytes to eliminate a trojan/malware. Just to confirm, once you see the mouse it's a black screen for a couple minutes until you can log in? – Campo – 2011-03-23T18:25:37.627

@Campo; No, perhaps I should have been more clear. After Windows login, icons load as 'white' icons, whilst computer moans and groans through its startup. The windows desktop is visible and the computer is somewhat responsive - to the point I can start and run Resource Monitor to see disk usage. @Chopper3, my mistake - apologies ;) – dooburt – 2011-03-23T18:58:55.663

1

Enable boot logging using Process Monitor, http://www.msigeek.com/6231/how-to-enable-system-boot-time-logging-using-process-monitor-tool

– Moab – 2011-03-23T21:38:13.837

@Moab, I'm going to try that and come back... – dooburt – 2011-03-23T23:56:51.607

@Moab, can you pop back and put this as your answer please? :) – dooburt – 2011-09-10T13:13:37.950

Answers

2

Enable boot logging using Process Monitor, then you can attempt to find the problem.

Step 1: Execute procmon.exe; go to the Options menu and click Enable Boot Logging.

Step 2: This will then give you the Boot Logging options below. You can choose to enable Profiling Events if you need.

Step 3: You can now reboot your PC. When the machine restarts, Process Monitor will start monitoring all the processes and applications which get invoked during the system boot and generate a dump file.

Step 4: Execute procmon.exe again. You will see the dialog below, which tells you that a log of the boot-time activity was created by the previous instance of Process Monitor. To save the collected data, press the Yes button.

Step 5: The file will initially be saved as a dump file in C:\Windows; you will need to convert it to a Process Monitor Log (pml) file. Save the log file using the dialog below. This will start converting the dump file to a pml file.

Once the log is converted, it will open in the Process Monitor tool.

Here you can get an idea of all the applications and processes which were executed during the system boot. This report will help you identify which process was invoked by whom and how much time it took to complete its execution. You can also identify whether any malware is running on your PC and affecting your system boot.

Step 6: You can choose to filter these reports; when you click on any entry you will get the dialog below, which gives you a complete snapshot of the process attributes: who invoked it, its architecture, the parent process ID, along with information on when the process transitioned from user mode to kernel mode through the stack.

Source of Information

Moab

Posted 2011-03-23T18:22:17.563

Reputation: 54 203

+1 Moab, Perfect answer :) Thanks very much. Sorry it took me so long to come back and mark this as answered. Better late than never eh!? :) – dooburt – 2011-09-10T14:48:25.797
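
For the disk-write question asked here, the converted boot log can be saved from Process Monitor as CSV and summed per process and file. The script below is an added example, not part of the answer or of the linked article; it assumes the default CSV export columns and comma thousands separators in the Detail field, and the sample rows (PIDs, paths, sizes) are constructed.

```python
import csv
import io
import re
import sys
from collections import Counter

# Constructed sample rows in the column layout of a Process Monitor CSV
# export (File > Save..., CSV format). PIDs, paths and sizes are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"18:20:01.1","services.exe","512","WriteFile","C:\Example\state.log","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"18:20:01.2","services.exe","512","WriteFile","C:\Example\state.log","SUCCESS","Offset: 4,096, Length: 65,536, Priority: Normal"
"18:20:01.3","services.exe","512","ReadFile","C:\Example\state.log","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"18:20:02.0","svchost.exe","900","WriteFile","C:\Example\cache.db","SUCCESS","Offset: 0, Length: 512"
"18:20:02.1","svchost.exe","900","RegSetValue","HKLM\Example\Key","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''

# Sizes carry thousands separators, e.g. "Length: 65,536" (assumed comma locale).
LENGTH_RE = re.compile(r"Length: (\d+(?:,\d{3})*)")


def write_length(detail):
    """Return the byte count from a WriteFile Detail field, or 0 if absent."""
    m = LENGTH_RE.search(detail)
    return int(m.group(1).replace(",", "")) if m else 0


def bytes_written(lines):
    """Sum successful WriteFile bytes per (process, PID, path)."""
    totals = Counter()
    for row in csv.DictReader(lines):
        # Reads, registry writes and failed writes are not disk write volume.
        if row["Operation"] == "WriteFile" and row["Result"] == "SUCCESS":
            key = (row["Process Name"], row["PID"], row["Path"])
            totals[key] += write_length(row["Detail"])
    return totals


if __name__ == "__main__":
    # Pass the exported CSV path as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        stream = open(sys.argv[1], newline="", encoding="utf-8-sig")
    else:
        stream = io.StringIO(SAMPLE_CSV)
    with stream:
        for (proc, pid, path), total in bytes_written(stream).most_common(10):
            print(f"{total:>12,}  {proc} ({pid})  {path}")
```

The files at the top of the list show what the process is actually writing during boot, which narrows down the service or driver to look at next.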