Debugging system shutdown hang

OSR_Community_User · June 2, 2010, 3:36pm

I’ve been asked to look at a W2K3 system that fails to shutdown.

We’ve generated a kernel crash dump and it looked pretty uninteresting. None
of the thread stacks for any process seemed to be doing much (very shallow
call stacks), except waiting for some work to do. Irpfind found some active
irps, but none seemed to be in any non-standard system drivers. The system
disk must still be online, as NMI initiated crash dumps work.

The system has a WHQL signed NDIS im vlan driver, which may or may not have
anything to do with the issue, and a few custom user services. The app
developers tell me there is no chance they are cancelling the shutdown.

Are there any docs that might explain how the system shutdown works in
detail, and how I would tell if some user mode app is doing something bad.

Is there any ETW tracing that might be useful? I know W2K3 has much more
limited tracing that W2K8 and later.

It’s also not easily reproducible in front of me, so pretty much have to
send instructions off to a site and then get back the results.

Is this the kind of issue one could pay Microsoft support to debug and
expect an efficient analysis?

Jan

Michal_Vodicka-2 · June 2, 2010, 3:41pm

I’d try !poaction to see the state of shutdown power IRP processing.
Maybe you’d see something interesting there.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com http:</http:>]

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jan Bottorff
Sent: Wednesday, June 02, 2010 9:36 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Debugging system shutdown hang

I’ve been asked to look at a W2K3 system that fails to shutdown.

We’ve generated a kernel crash dump and it looked pretty
uninteresting. None of the thread stacks for any process seemed to be
doing much (very shallow call stacks), except waiting for some work to
do. Irpfind found some active irps, but none seemed to be in any
non-standard system drivers. The system disk must still be online, as
NMI initiated crash dumps work.

The system has a WHQL signed NDIS im vlan driver, which may or
may not have anything to do with the issue, and a few custom user
services. The app developers tell me there is no chance they are
cancelling the shutdown.

Are there any docs that might explain how the system shutdown
works in detail, and how I would tell if some user mode app is doing
something bad.

Is there any ETW tracing that might be useful? I know W2K3 has
much more limited tracing that W2K8 and later.

It’s also not easily reproducible in front of me, so pretty much
have to send instructions off to a site and then get back the results.

Is this the kind of issue one could pay Microsoft support to
debug and expect an efficient analysis?

Jan

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars
visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · June 2, 2010, 3:53pm

!poaction was not very interesting, or maybe it actually says the kernel
thinks it’s not shutting down.

1: kd> !poaction

PopAction: fffff800011cc5c0

State…: 0 - Idle

Updates…: 0

Action…: None

Lightest State.: Unspecified

Flags…: 0

Irp minor…: ??

System State…: Unspecified

Hiber Context…: 0000000000000000

No Device State present

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Wednesday, June 02, 2010 12:41 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Debugging system shutdown hang

I’d try !poaction to see the state of shutdown power IRP processing. Maybe
you’d see something interesting there.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:</http:> http://www.upek.com]