This morning I woke up from bed as I had to go to the bathroom before getting back into bed and drifting back off to a nice sleep. As I come back into my bedroom, I notice that my PC is still on. I say to myself 'Huh, I swear I remember shutting down'. With that, I shut down again and got up to walk back to my bed. As I am walking back to my bed, I hear my PC turn on again (fans start spinning, etc). I turn around and rub my eyes a little bit to be sure I'm not going completely insane from recent lack of sleep, but it really did turn itself back on.
Right, so at this point I shift from 'please let me go to sleep' mode, to '...sigh, I am now extremely tired and have shifted into troubleshooting' mode. At first, I thought right away that something (likely driver/device related) was preventing my system from shutting down. I then thought to myself for a moment and said 'Well, if it's a driver, I'd likely be getting an 0x9F bug check', etc. Also, this was a very random/brand new problem that didn't occur/happen the day before, etc. With that, I figured possibly just a bug within a Windows power option, etc. As I am very cautious with my own PC, I wanted to extra sure.
---------------------------
So there are many things I could have done in this situation to find out what was causing my PC to not shut down properly. For example, being the debugger that I am, and having a love for debugging as much as I do, I could have ran an XPERF trace and see if there's anything out of the ordinary, such as high disk write/read usage coming from a particular source, a suspended driver, whatever it may be.
However, given the fact that my #1 goal was to go back to bed as fast as humanly possible, I settled for another extremely useful command using the following steps:
1. Get an Elevated CMD running by running Command Prompt as Administrator.
2. Once Elevated CMD is open, type powercfg -energy.
This command will go ahead and perform a 60 second analysis of the computer’s energy consumption and provide you with a report at the following directory: %systemroot%\Windows\System32\energy-report.html
Once I had done that, I navigated to the appropriate directory and viewed the .html. Side note on this, for what it's worth, I couldn't view the .html within Firefox or Internet Explorer. I've read users having similar issues. Given this was the fact in my case, I simply shrugged and settled for sifting through lots of garble in Notepad (because again, I really just wanted to go back to bed).
---------------------------
First off, perusing through the log I saw the following:
<div class="log-entry-header">System Availability Requests:System Required Request</div>This wasn't the actual problem, and instead this was due to the fact that a Malwarebytes scan was running, therefore it requested that the system halt going to sleep, shutting down, etc, until the scan was complete. Again, if/when the scan completed, the system still wouldn't shut down as this was not the true problem. This is merely an example of how detailed this log can actually be.
<div class="log-entry-content">
<div class="log-entry-description">The program has made a request to prevent the system from automatically entering sleep.</div>
<table>
<tr>
<td><span class="detail-name">Requesting Process</span></td>
<td>\Device\HarddiskVolume2\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe</td>
Reading further, we see what we're really looking for:
<div class="log-entry-header">USB Suspend:USB Device not Entering Selective Suspend</div>From this, we can see that a USB-based device is not entering selective suspend. Normally, this does not stop the system from sleeping/shutting down (AFAIK), however, in this case it surely was. The USB selective suspend feature allows the hub driver to suspend an individual port without affecting the operation of the other ports on the hub. In my case, I have a USB hub on my Das keyboard which houses two devices (Logitech Webcam and a YubiKey).
<div class="log-entry-content">
<div class="log-entry-description">This device did not enter the USB Selective Suspend state. Processor power management may be prevented when this USB device is not in the Selective Suspend state.</div>
<table>
<tr>
<td><span class="detail-name">Device Name</span></td>
<td>USB Input Device</td>
</tr>
<tr>
<td><span class="detail-name">Host Controller ID</span></td>
<td>PCI\VEN_8086&DEV_1C26</td>
We can see that we have a Vendor/Device ID. With this,we'll head over to our trusty PCI database - http://www.pcidatabase.com/ and see what device this is.
To make a long story short, the USB-based device in my case was my Logitech USB Camera (HD Webcam C510). I don't exactly have an answer as to why it wouldn't enter the selective suspend state, but I can imagine it's either:
1. Webcam software didn't properly terminate from prior usage.
2. The hub on my Das keyboard itself isn't exactly 'great', therefore it may have just been a small hub bug/issue.
3. Fast Startup not cooperating with my USB hub devices (and their drivers). This was my issue.
---------------------------
Alternatively, another way to solve it (permanently in case yours happens frequently... like mine) is to disable Fast Startup. If you're on a desktop with decent hardware, then disabling Fast Startup really won't make too much of a noticeable difference. Besides, in my case when I wake up in the morning, I turn on my PC and walk away to complete my morning routine before getting on the PC. With that said, in my case, it's not entirely necessary.
To expand on what exactly Fast Startup is, fast startup is a hybrid combination of a cold startup and a wake-from-hibernation startup. Frequently, kernel-mode device drivers need to distinguish fast startups from wake-from-hibernation so that that their devices behave as users expect. This is exactly where my issue stemmed from, because my webcam drivers evidently couldn't distinguish properly.
During a cold startup, the boot loader constructs a kernel memory image by loading the sections of the Windows kernel file into memory and linking them. Next, the kernel configures core system functions, enumerates the devices attached to the computer, and loads drivers for them.
In contrast, a fast startup simply loads the hibernation file (Hiberfil.sys) into memory to restore the previously saved image of the Windows kernel and loaded drivers. A fast startup tends to take significantly less time than a cold startup.
More information (and much more in-depth) here.
1. Navigate to Start by either clicking the Start icon or hitting the Windows key.
2. In the Search bar, type Power to bring up various Power Options.
3. Select Change what the power buttons do.
4.
If you have UAC enabled (enabled by default unless you disable it manually), before un-checking Turn on fast startup, you'll need to select Change settings that are currently unavailable. Once you do that, you will be able to successfully un-check Turn on fast startup.
After you've unchecked Turn on fast startup, your next shut down will this time actually shut down the system if you're having the issues described above.
Hope you enjoyed reading!
Thanks for sharing, very informative blog.
ReplyDeleteReverseEngineering
Nice blog!!!!!!!.
ReplyDeleteReverse Engineering in USA