
[windows_internals]shutdown, Part I: System shutdown process

February 19, 2013 ⁄ General

In this session, I will talk about the Windows system shutdown process.

 

The figures below illustrate the whole shutdown process.

 

 

1. A process initiates a shutdown by calling the Windows ExitWindowsEx function; a message is sent to Csrss instructing it to perform the shutdown.

 

2. Csrss instructs Winlogon to perform a system shutdown. Winlogon then impersonates the currently logged-on user (who might or might not have the same security context as the user who initiated the system shutdown) and calls ExitWindowsEx with some special internal flags.

 

3. Csrss receives the message from Winlogon in step 2.

 

4. Then Csrss loops through all the processes in the logon session of the interactive user (again, not the user who requested a shutdown).

 

5. For each Windows-based process that owns a top-level window, Csrss sends the WM_QUERYENDSESSION message to each thread in the process that has a Windows message loop. If the thread returns TRUE, the system shutdown can proceed. Csrss then sends the WM_ENDSESSION Windows message to the thread to request it to exit. Csrss waits for the number of seconds defined in HKCU/Control Panel/Desktop/HungAppTimeout for the thread to exit. (The default is 5000 milliseconds.)

 

6. If the thread doesn't exit before the timeout, Csrss displays the hung-program dialog box shown in the figure below.

You can disable this dialog box by changing the registry value HKCU/Control Panel/Desktop/AutoEndTasks to 1.

 

7. If the thread does exit before the timeout, Csrss continues sending the WM_QUERYENDSESSION/WM_ENDSESSION message pairs to the other threads in the process that own windows.
Once all the threads that own windows in the process have exited, Csrss terminates the process and goes on to the next process in the interactive session.

 

8. If the process is a console application, Csrss sends the CTRL_LOGOFF_EVENT event to the console handler.

 

9. If the console handler returns FALSE, Csrss kills the process.

 

10. If the console handler returns TRUE or doesn't respond within the number of seconds defined by HKCU/Control Panel/Desktop/WaitToKillAppTimeout (the default is 20,000 milliseconds), Csrss displays the hung-program dialog box.

 

11. At this point, all the processes in the interactive user's session have been terminated. The "log off" and "system exit" sounds are played at this point.

 

12. Winlogon calls ExitWindowsEx again, but this time under the "local system" user account.

 

13. Csrss repeats most of what it did under the user account context, but this time it doesn't display any hung-program dialog box and doesn't kill any processes. The timeout value is defined by HKEY_USERS/.DEFAULT/Control Panel/Desktop/WaitToKillAppTimeout (the default value is 20 seconds).

 

14. This time, the SCM console program is informed of the system shutdown request, and Csrss waits for it to shut down the services for the number of seconds defined by HKLM/SYSTEM/CurrentControlSet/Control/WaitToKillServiceTimeout (the default value is 20 seconds).

 

15. Winlogon finishes the shutdown process by calling the executive subsystem function NtShutdownSystem.
This function calls the function NtSetSystemPowerState to orchestrate the shutdown of drivers and the rest of the executive subsystems (Plug and Play manager, power manager, executive, I/O manager, configuration manager, and memory manager).

For example,

(1) I/O manager sends shutdown I/O packets to all device drivers that have requested shutdown notification. This action gives device drivers a chance to perform any special processing their device might require before Windows exits.

(2) The configuration manager flushes any modified registry data to disk.

(3) The memory manager writes all modified pages containing file data back to their respective files.

(4) If the option to clear the paging file at shutdown is enabled, the memory manager clears the paging file at this time. The option is defined by the registry value ClearPageFileAtShutdown (DWORD: 0/1) under HKLM/SYSTEM/CurrentControlSet/Control/Session Manager/Memory Management.

By default there is no such key, or the value is 0. Caution: setting the option to 1 will make system shutdown quite slow.

 

16. System shutdown ends in the power manager. The action the power manager takes depends on whether the user specified a halt, shutdown or reboot.
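
The registry values named in steps 5, 6, 10, 13, 14 and 15 can be read back in one pass to see which timeouts and options are actually in effect on a machine. The PowerShell script below is an added example, not part of the original article; the function name Get-ShutdownSetting and the output layout are hypothetical. It assumes the timeouts are stored as strings in milliseconds and uses the defaults stated above (no default for AutoEndTasks is stated on this page, so none is assumed).

```powershell
# Added example (not from the original article): read the shutdown-related
# registry values named in the steps above and show the value in effect.
# Assumption: timeouts are stored as strings in milliseconds.
# Defaults are the ones this page states; $null means the page states none.
$settings = @(
    @{ Step = 5;  Path = 'HKCU:\Control Panel\Desktop'; Name = 'HungAppTimeout'; Default = '5000' }
    @{ Step = 6;  Path = 'HKCU:\Control Panel\Desktop'; Name = 'AutoEndTasks'; Default = $null }
    @{ Step = 10; Path = 'HKCU:\Control Panel\Desktop'; Name = 'WaitToKillAppTimeout'; Default = '20000' }
    @{ Step = 13; Path = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'; Name = 'WaitToKillAppTimeout'; Default = '20000' }
    @{ Step = 14; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control'; Name = 'WaitToKillServiceTimeout'; Default = '20000' }
    @{ Step = 15; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'ClearPageFileAtShutdown'; Default = 0 }
)

function Get-ShutdownSetting {
    param([Parameter(Mandatory)][hashtable]$Setting)

    # Get-ItemProperty returns nothing when the key or the value is missing.
    $item = Get-ItemProperty -LiteralPath $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    $configured = if ($item) { $item.($Setting.Name) } else { $null }
    $effective  = if ($null -ne $configured) { $configured } else { $Setting.Default }

    # Call out the two on/off options described in steps 6 and 15.
    $note = switch ($Setting.Name) {
        'AutoEndTasks' {
            if ("$effective" -eq '1') { 'hung-program dialog disabled' }
        }
        'ClearPageFileAtShutdown' {
            if ([int]$effective -eq 1) { 'paging file cleared at shutdown (slow shutdown)' }
            else { 'paging file not cleared at shutdown' }
        }
    }

    [pscustomobject]@{
        Step      = $Setting.Step
        Key       = $Setting.Path
        Value     = $Setting.Name
        Effective = $effective
        Source    = if ($null -ne $configured) { 'registry' } else { 'default (value absent)' }
        Note      = $note
    }
}

$settings | ForEach-Object { Get-ShutdownSetting -Setting $_ } | Format-Table -AutoSize -Wrap
```

The HKCU rows reflect the user running the script, so run it in the interactive user's session to see the values that apply to step 5 through step 10.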

 

 

Ref:

Windows Internals 4th Edition, Chapter 5: Startup and Shutdown.

Windows Internals 4th Edition, Chapter 4: Management Mechanisms, Service Shutdown.

http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/windows-nt-6-shutdown-process.html
