Free ‘Process Explorer’ helps end shutdown woes

By Fred Langa

A free tool from Microsoft’s Sysinternals can show you exactly what’s preventing smooth system shutdowns.

Process Explorer works on XP, Vista, and Windows 7 and is available in either a self-contained or a live, Web-based version.

Fixing a slow or hung Windows shutdown

Reader Jim Swearingen reports on another glitch that can hinder smooth shutdowns. He’s using an XP system, but the diagnosis and solution can apply to any Windows version.
  • “Fred’s Feb. 3 item, ‘User Profile Hive Cleanup speeds XP shutdowns,’ was good, but it didn’t address the specific problem I’m having.

    “My shutdown (or reboot) lingers only a second or two at the ‘Saving your settings …’ screen but hangs at the ‘Windows is shutting down …’ screen.

    “Sometimes shutdown (or reboot) continues to completion, but at least 50% of the time it’s necessary to force a manual shutdown or reboot. Adding the -f parameter to my shutdown command (shutdown -s -t 0) has made no difference.

    “My OS (XP Pro SP3) is completely up-to-date, the Registry is clean, and the hard-drive partitions are defragged on a continuing basis.”
It sounds as if a low-level software process, or maybe a driver, isn’t responding to the operating system’s shutdown command. XP is sitting there, waiting for an acknowledgment that comes either slowly or not at all.

If you noticed the problem after installing new software or hardware, roll back your system by uninstalling that software or by removing that hardware and uninstalling any drivers associated with it. See whether that solves the problem. If so, the permanent solution may be as simple as switching software or using different drivers for the hardware.

You said your OS was current. Make sure everything else — all drivers and software — is also up-to-date. If the problem persists, it’s time for some more serious troubleshooting.

All the usual cautions apply — make a backup, etc.

The first step is to see what software is still running after you’ve closed all your apps and your PC is otherwise ready to shut down.

I think the best tool for the job is Microsoft Sysinternals’ free Process Explorer. You’ll find info about it on a TechNet page. You can either download Process Explorer as a standalone file or access it as a live, Web-based, run-on-demand tool (see Figure 1). The versions function identically.

Figure 1. A serious troubleshooting and learning tool, the free Process Explorer utility lets you explore your running software in great detail.

When your system is seemingly quiet (no apparent system activity) and ready for shutdown (no open apps, no open files, etc.), launch Process Explorer and see what low-level software is still active. Right-click on any process shown in Process Explorer, select Properties, and you’ll be presented with a wealth of information about that item. (See Figure 2.)

Figure 2. Process Explorer displays an enhanced Properties dialog for any process you select.

Now comes the fun part. Starting with third-party software, select and kill one process, and then shut down. Note whether Windows closes as it should.

If it doesn’t, restart and repeat, killing one process per cycle until you see a normal shutdown. In this way, you’ll eventually uncover the software that is causing the hang.

The next steps depend on exactly what the malfunctioning software is, but the general idea is simply to remove, update, or otherwise alter that software — and your shutdown delays should be gone!

More about problem laptop batteries

Petri Laubert writes from Finland:
  • “I must admit I’m a little behind in reading Windows Secrets, but after reading ‘Extend the life of a laptop’s battery’ [an Oct. 14 LangaList Plus item], I feel I have to share some information.

    “You said: ‘Battery condition usually has no effect whatsoever on a notebook when it’s running on AC. In fact, many portable systems will run just fine on AC even with the battery pack removed.’

    “But there’s evidence that a dead battery can severely affect the functionality of certain laptops. My Acer lost all networking facilities when the battery died — no taskbar icon, no networking in Control Panel, no network cards in Device Manager. Removing the battery put it all back; reinstalling the dead battery took them away again.

    “When I told this to a tech-savvy friend, he said he had witnessed many kinds of strange behavior when a battery died. So if a laptop doesn’t work as it’s supposed to, taking the battery away and running on AC might just do the trick, if portability isn’t needed.”
Thanks, Petri!

Because a truly dead battery would be the same as no battery, I suspect that the effects you saw were caused either by a damaged battery or by a malfunctioning charging system. In the cases you describe, the battery was still active enough to cause trouble.

Perhaps the battery circuits demanded too much current and caused an under-volt or under-amp condition for the rest of the system. Or perhaps the battery reported itself as fully charged when it was actually nearly dead — or vice versa. It’s difficult to diagnose the problem, but clearly something was seriously wrong.

In any case, as you say, most portable computer gear works fine on AC with the battery removed. So, when in doubt, take it (the battery) out!

The LangaList Plus Jan. 21, 2010, article, “The care and feeding of laptop batteries,” contains numerous additional tips and tricks you can employ to get the absolute maximum life from your batteries.

Recovering attachments from lost e-mails

Joe Titone is salvaging files off a hard drive:
  • “I’m using a text editor to help a friend recover his e-mails. This works and goes pretty fast. However, Thunderbird puts the attachment into the e-mail and I’m confronted with code that looks like this:

    “0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAAKAAAA5
    EAAA6QQAAAEAAAD+////AAAAANsEAADcBAAA3QQAAN4EAADfBAAA4AQAAOEEAADiBAAA4
    Rh3wIMsAAJvjvvANICUp4ttSaWwvf07//9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAgGBgcGBQgHB
    etc.

    “This is the start of a PowerPoint presentation, but there are other formats as well. Is there any way to convert this block of code to the original attachment?”
Perhaps.

That block of seemingly random letters is MIME code. MIME stands for “Multipurpose Internet Mail Extensions” and is a way of encoding almost any kind of binary information as plain-vanilla, easy-to-transmit, easy-to-code and -decode, universally recognized ASCII text characters.

(If you’d like more MIME info, see the Wikipedia MIME entry. Wikipedia items are sometimes dodgy, but this one is generally excellent.)

Normally, an e-mail client handles the conversion of MIME attachments and you never see the unprocessed ASCII. But if you view the files as plain text, you’ll see the MIME encoding in its raw form.

The very simplest method of recovering a MIME e-mail is to save the source e-mail as a standalone file and present that file to your e-mail client as described below. It doesn’t always work (there are myriad variables), but it’s so easy it’s surely worth a try.

Use your text editor to isolate an entire e-mail message, from the start of its headers to the very end of the message (including any MIME attachment). First, paste the entire message into a new, blank text file and give the file a name with an .eml file extension (that’s the default e-mail file extension used by Thunderbird).

Double-click on the newly created .eml file, and — with luck — it will open in Thunderbird with the attachment displayed normally.

If that doesn’t work, you can try a MIME decoder utility. Most are intended for use on mail and Web servers, but some may do the trick on a regular PC. For example, Portable Mime DeEnCode 1.2.0 is free and available from Softpedia.

Corel’s WinZip ($29.95) also claims to be able to decode MIME.
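The decoding step can also be done with Python's standard email package. The sketch below is an added example, not part of the original column or any tool it names: it pulls attachments out of one isolated raw message, identifies each by its leading bytes, and decodes a bare base64 block that was salvaged without headers. The function names, the short magic-byte table, and the sample message are constructed for illustration.

```python
import base64
import os
from email import policy
from email.parser import BytesParser

# Leading "magic" bytes of a few common attachment types (short list chosen for this example).
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy .ppt/.doc/.xls)",
    b"PK\x03\x04": "ZIP container (.pptx/.docx/.zip)",
    b"\xff\xd8\xff": "JPEG",
    b"%PDF": "PDF",
}

def sniff(data):
    """Name the file type from its first bytes instead of trusting the e-mail's own label."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")

def extract_attachments(raw_message):
    """Parse one complete raw message; return (safe_name, detected_type, bytes) per attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    found = []
    for i, part in enumerate(msg.iter_attachments()):
        data = part.get_payload(decode=True) or b""
        # The sender chose the filename: drop any directory part before writing to disk.
        claimed = (part.get_filename() or "").replace("\\", "/")
        found.append((os.path.basename(claimed) or f"attachment-{i}.bin", sniff(data), data))
    return found

def decode_bare_block(text):
    """Decode a base64 block salvaged without headers; a cut-off tail is trimmed to whole groups."""
    b64 = "".join(text.split())
    return base64.b64decode(b64[: len(b64) - len(b64) % 4])

# Constructed sample: a two-part message whose attachment starts with the OLE2 header.
SAMPLE = (
    b"From: sender@example.com\r\nSubject: slides\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--XX\r\nContent-Type: application/vnd.ms-powerpoint\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="../../slides.ppt"\r\n\r\n'
    b"0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA\r\n--XX--\r\n"
)

if __name__ == "__main__":
    for name, kind, data in extract_attachments(SAMPLE):
        print(name, kind, len(data))
```

A block that begins `0M8R4KGxGuE`, like the one in the reader's question, decodes to the OLE2 header used by legacy PowerPoint, Word, and Excel files, so the leading bytes tell you which extension to give the recovered file.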

Good luck!

‘Security Shield’ scareware digs in, won’t go

Manuel Tayao picked up a particularly nasty bit of malware.
  • “Just got infected with this annoying program marked ‘Security Shield.’ It warned me I had 20 or more Trojan malwares. [It said that] to remove these, you have to buy the program. I went to a tech forum, and there were a lot of answers on how to remove it. All of these referred to a free program, Malwarebytes. But the free version does not download.

    “So, I paid $25.95 for the Pro version. Still downloading, the installation is stuck at 43%.

    “Would you know what this is all about? And how to remove Security Shield?”
“Security Shield” (also known as “My Security Shield”) is another of those scareware apps that try to frighten you into buying by displaying fake “Malware found!” messages. But Security Shield itself is the malware.

It’s sophisticated, and it tries to watch for — and block — the actions of real security tools. That’s most likely what’s blocking your download of Malwarebytes.

Security Shield can be removed, but it’s a multistep process. First, you have to terminate Security Shield’s own software processes. Only after that’s done can you download and run malware removal tools such as Malwarebytes — and get Security Shield completely off your PC.

If you’re a do-it-yourselfer, spywareremove.com’s article, “Security Shield removal guide,” has the info you need.

But an easier, more automated method is to use RKill, a free tool from bleepingcomputer.com. RKill is custom software designed to terminate Security Shield’s processes and restore the Registry entries that Security Shield alters.

You can find an explanation of RKill, usage instructions, and download links on the bleepingcomputer.com “Am I infected? What do I do?” page.

Once RKill has disabled Security Shield, you should then be able to complete your download of Malwarebytes and finish cleaning your PC.

If you’d like detailed instructions on using RKill and Malwarebytes together, you’ll find them on the bleepingcomputer.com “Destroy Spyware” page; scroll down to the section labeled “Automated Removal Instructions for Security Shield using Malwarebytes’ Anti-Malware.”

If all goes well, your PC will be clean in about 15 minutes!

Feedback welcome: Have a question or comment about this story? Post your thoughts, praises, or constructive criticisms in the WS Columns forum.

Reader Petri Laubert will receive a gift certificate for a book, CD, or DVD of his choice for sending the tip we printed above. Send us your tips via the Windows Secrets contact page.

Fred Langa is a senior editor of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.

All Windows Secrets articles posted on 2011-02-24:

Fred Langa

About Fred Langa

Fred Langa is senior editor. His LangaList Newsletter merged with Windows Secrets on Nov. 16, 2006. Prior to that, Fred was editor of Byte Magazine (1987 to 1991) and editorial director of CMP Media (1991 to 1996), overseeing Windows Magazine and others.