What happens when a PC is turning off?

61

13

When I click the shut down button it gives me another screen saying shutting down:

shutting down

What is actually going on during this stage?

I think in Windows XP it would say something like saving settings before it would power off. However, what settings are there to save if, when you apply a theme or something, it is saved when you click apply?

If it is unmounting the HD then surely it would be the same as forcing the shut down (pulling the plug).

ss4566654768

Posted 2015-11-28T20:12:48.363

Reputation: 1 415

1Flushing any outstanding disk writes, closing services, ... – DavidPostill – 2015-11-28T20:15:19.003

16Drives are not properly unmounted when you pull the plug. – RockPaperLizard – 2015-11-29T04:24:22.643

3

Here is a good setting you may appreciate: http://superuser.com/questions/426029/how-can-i-display-additional-boot-and-shutdown-information-on-the-windows-7-welc

– RockPaperLizard – 2015-11-29T05:03:25.183

8"when you apply a theme or something it is saved when you click apply" -- saved yes, saved to disk not necessarily. Disks are extremely slow. So some amount of RAM is used to cache data on disk. You can close your program any time you want and the OS will make sure the data gets written to disk eventually. But the OS needs electricity to work. If you simply yank the plug (remove laptop battery) then that unsaved data is lost. What's worse, you don't know how much is unsaved - the last line? Half of your settings? All your settings? From your point of view all you experience is corrupted data – slebetman – 2015-11-30T07:01:21.440

1

This may interest you: some Linux systems show step-by-step updates of what the system does when it's shutting down. Here are a couple of examples: 1 2 (though neither of these shows the complete shutdown procedure; there are more items that come before). Windows goes through similar steps.

– David Z – 2015-11-30T12:53:44.370

@slebetman And in a transactional system, you could have written 2 GiBs of data, but if the final byte doesn't make it in time, it's as if you have never written anything in the first place. This is generally a good thing, but... :D – Luaan – 2015-11-30T13:54:44.207

1

Related question: What damage will powering down instead of shutting down do? goes into the why of shutting down, rather than the what.

– None – 2015-11-30T18:29:52.677

Answers

67

There are a lot of things happening during a shutdown. Here are just a few examples:

  • Check to see if any user applications haven't closed (like an unsaved document) and prompt the user if necessary
  • Stop background services
  • Wait for the termination signal from open running services and applications
  • Flushes cache to disk
  • Write log files
  • All users are logged out
  • End the shell
  • Start installing Windows updates if necessary and tell the OS to finish updates on boot if necessary
  • Send the ACPI shutdown signal (this is what turns the machine off)

Edit: Feel free to add more in the comments if you can think of other items.

Keltari

Posted 2015-11-28T20:12:48.363

Reputation: 57 019

7On Linux, it also stores the entropy pool on disk. This is important for your next boot. Or am I wrong? – Ismael Miguel – 2015-11-29T02:36:05.873

3You need to get the filesystem into a stable state. At the very least, you'll have to flush all kernelspace buffers and (perhaps) flush hardware buffers as well. You may also need to write some kinds of metadata depending on the nature of the filesystem. This is generally one of the last things you'll do before ACPI poweroff, because after that, you can't save anything to disk. – Kevin – 2015-11-29T05:12:50.967

76Sends all of your "Private" information to Microsoft, in the case of Win10. – Lolums – 2015-11-29T08:51:40.173

30A good operating system would also inhibit laptop-lid induced suspend. I hate it when the shutdown procedure is what's resumed when I open the laptop again. – user2394284 – 2015-11-29T11:30:20.407

1...but all of the above I would expect to happen in the space of microseconds, but shutdown takes long enough for Microsoft to need to design a screen as shown in the OP. Why? – Ben – 2015-11-29T19:12:45.197

6@Ben it takes far longer than microseconds. That's why it takes so long – Keltari – 2015-11-29T20:03:58.957

@MaxRied The update installation can fail. Obviously. For one. Also, Keltari specifically said that this isn't necessarily in actual chronological order. – a CVn – 2015-11-29T21:36:44.410

Network connections are closed, but that's mostly a side effect of shutting down applications and services. E.g. shared network drives are managed by the "Workstation" service; when it shuts down the network drive letters disappear. – MSalters – 2015-11-29T22:46:09.590

1@IsmaelMiguel: That would vary by dist, but storing entropy on disk seems at best useless and at worst like it would potentially compromise information about the RNG state that could be useful to physical attackers. – R.. GitHub STOP HELPING ICE – 2015-11-30T02:12:32.843

4@Ben: All the above takes microseconds except writing cache to disk. It's the reason disk cache was invented in the first place - writing to disk is slow. While modern disks are quite fast, modern data is quite large. Writing back a 1GB cache (yes, that's normal) takes time. – slebetman – 2015-11-30T07:03:59.837

@R.. Not exactly. Linux has a few moments (after boot) where it has quite low entropy. (Doesn't apply to BSD). Storing this pool can be used as a seed to the RNG. But I don't know its usefulness, I just reported what I think happens. Anyone is free to disagree. – Ismael Miguel – 2015-11-30T09:12:32.667

5Each of those running processes including services and drivers get asked politely by the OS to stop what they are doing and clean up after themselves. They're not just killed off, that's before the OS gets to start tidying itself up with flushing buffers and caches – JamesB – 2015-11-30T11:59:07.440

@northkildonan I would say that flushing to the disks needs to happen after all disk write operations are done, i.e. after the logging part, and possibly after the install of the updates. – njzk2 – 2015-11-30T22:49:14.953

@Lolums Can you elaborate or provide a source for this? – user1354557 – 2015-11-30T23:04:35.527

From the perspective of a user that doesn't necessarily care how the system works, #1 is the most important. – Dan Henderson – 2015-12-01T00:44:14.790

1On Windows: Optionally clears the page file. The reason one may want to turn this on is because the page file could contain security-sensitive information that was held in the private memory space of a process and swapped to disk as part of virtual memory management. – njuffa – 2015-12-01T00:55:37.230

@user1354557, all the sources you want are here: https://www.gnu.org/proprietary/malware-microsoft.html

– Lolums – 2015-12-01T06:20:26.040

@Lolums Thanks, but I can't find anything in those links that suggests that sending private information to Microsoft is a function of the shut down operation. – user1354557 – 2015-12-02T00:55:21.570

@user1354557, I was being sarcastic there, apologies. However, as you can see from the sources under "Surveillance", it's pretty much a surveillance tool. – Lolums – 2015-12-02T06:31:00.607
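Added example, not part of the original thread: the comments above distinguish data that is "saved" from data that has reached the disk, and describe transactional all-or-nothing writes. This Python sketch contrasts overwriting a settings file in place with write, fsync, then rename; the file names and settings are constructed, and power loss is simulated by raising an exception.

```python
import os
import tempfile

def save_in_place(path, data, crash_after=None):
    """Naive save: truncate the live file, then write. crash_after=N simulates
    power loss after N bytes reached the disk (constructed failure for the demo)."""
    with open(path, "wb") as f:            # the old contents are gone from here on
        if crash_after is not None:
            f.write(data[:crash_after])
            f.flush()
            raise RuntimeError("simulated power loss")
        f.write(data)

def save_atomically(path, data, crash_before_commit=False):
    """Write a temp file, force it to the device, then rename over the old file.
    The name `path` always refers to the complete old or the complete new data."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".settings-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)                      # so far only in buffers / OS cache
        f.flush()                          # Python buffer -> OS cache
        os.fsync(f.fileno())               # OS cache -> storage device
    if crash_before_commit:
        raise RuntimeError("simulated power loss")   # temp file is left behind
    os.replace(tmp, path)                  # the commit point: atomic rename
    if os.name == "posix":                 # make the rename itself durable
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)

def demo():
    """Return what a reader finds in the file after each simulated power cut."""
    old, new = b"theme=classic\nfont=10\n", b"theme=dark\nfont=12\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, save, kwargs in (
            ("in_place", save_in_place, {"crash_after": 8}),
            ("atomic", save_atomically, {"crash_before_commit": True}),
        ):
            path = os.path.join(d, name + ".ini")
            save_in_place(path, old)       # the previously saved settings
            try:
                save(path, new, **kwargs)
            except RuntimeError:
                pass
            with open(path, "rb") as f:
                results[name] = f.read()
    return old, new, results
```

The in-place save leaves a truncated file that is neither the old nor the new settings, while the atomic save leaves the old settings untouched.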

13

The system registry is (maybe?) written to the disk. Back on XP I noticed that if you made any changes to the registry then pulled the power, the changes would not be saved. I'm not quite sure about this one, just pointing it out.

Here's an excerpt from a document that Microsoft released.

• System session shutdown. This phase includes the pre-shutdown notification and shutdown notification subphases:

  • Pre-shutdown notification. Windows serially shuts down all services that registered to receive pre-shutdown notifications. Ordered services—services that have set up the shutdown order of dependent services—are shut down before non-ordered services.

  • Shutdown notification. All services that registered to receive shutdown notifications are shut down in parallel. If all services have not exited after 20 seconds (in Windows Vista) or 12 seconds (in Windows 7 client operating systems), the system continues the shutdown. Processes and services that do not shut down in a timely manner are left running as the system shuts down.

• Kernel shutdown. The remainder of the system, such as all devices and drivers, are shut down during the kernel shutdown phase.


Basically what you're waiting on is each individual service to clean up and exit. Each service is given 12 seconds to exit before it's killed.

Half of the shutdown time is dedicated to shutting down system services. If you're really interested in seeing what time is dedicated to what during your shutdown, Windows includes a tool for tracing shutdown time.

xbootmgr -trace shutdown -numRuns 3 -resultPath %systemdrive%\traces -postBootDelay 180 -traceFlags base

And to make sense of the generated file (be sure to run in %systemdrive%\traces)

xperf -i trace.etl -o summary.xml -a shutdown

Sources: Update: Links from Microsoft Servers no longer work

download.microsoft.com/download/3/C/A/3CA9058B-7EE5-4191-99E2-DB5917877522/OnOffTransPerf.docx

https://s3-us-west-1.amazonaws.com/omarpersonal/OnOffTransPerf.docx

download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/OnOffTrans.docx

https://s3-us-west-1.amazonaws.com/omarpersonal/onofftrans.docx

zzarzzur

Posted 2015-11-28T20:12:48.363

Reputation: 256

Any chance you have the actual file Windows On/Off Transition Performance Analysis which is linked to from here: http://download.microsoft.com/download/3/C/A/3CA9058B-7EE5-4191-99E2-DB5917877522/OnOffTransPerf.docx on this page: https://msdn.microsoft.com/en-US/library/windows/hardware/dn550976. I can't find it anywhere. I'd love to get a definition of every field in the XML of the 100 event ID.

– Jordan W. – 2016-04-04T18:23:53.677

1

@JordanW. That's strange how the links on Microsoft's stopped working. Here's a link to the Performance Analysis document. https://s3-us-west-1.amazonaws.com/omarpersonal/OnOffTransPerf.docx

– zzarzzur – 2016-04-04T20:21:39.940
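Added illustration, not from the answer above or from Microsoft's document: a POSIX model of the shutdown notification subphase in the quoted excerpt, where every service is notified at once and all of them share one deadline. SIGTERM stands in for the Windows shutdown notification, the two child services are constructed, and a 1-second deadline stands in for the 12 seconds.

```python
import signal
import subprocess
import sys
import time

# Constructed stand-in services. SIGTERM plays the role of the shutdown notification.
POLITE = ("import signal, sys, time\n"
          "signal.signal(signal.SIGTERM, lambda *a: sys.exit(0))\n"
          "print('ready', flush=True)\n"
          "while True: time.sleep(0.05)\n")
STUBBORN = POLITE.replace("lambda *a: sys.exit(0)", "signal.SIG_IGN")

def start_service(source):
    """Start one stand-in service and wait until its signal handler is installed."""
    proc = subprocess.Popen([sys.executable, "-c", source],
                            stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()                 # blocks until the child prints 'ready'
    return proc

def shutdown_notification(services, deadline):
    """Notify all services at once, then wait for them against ONE shared deadline.
    Returns the names still running when the deadline passes; shutdown would go on."""
    for proc in services.values():
        proc.send_signal(signal.SIGTERM)   # parallel: nobody waits for a predecessor
    end = time.monotonic() + deadline
    left_running = []
    for name, proc in services.items():
        try:
            proc.wait(timeout=max(0.0, end - time.monotonic()))
        except subprocess.TimeoutExpired:
            left_running.append(name)
    return left_running

def demo(deadline=1.0):
    """Run two constructed services through the phase; 1 s stands in for the 12 s."""
    services = {"polite": start_service(POLITE), "stubborn": start_service(STUBBORN)}
    started = time.monotonic()
    try:
        left = shutdown_notification(services, deadline)
        return left, time.monotonic() - started
    finally:
        for proc in services.values():     # demo cleanup only, not part of the model
            proc.kill()
            proc.wait()
            proc.stdout.close()
```

The wait is bounded by the single deadline no matter how many services ignore the notification, which is why one unresponsive service delays shutdown by the timeout and no longer.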