There are so many ways to shutdown Windows:
# | How to shutdown | What is executed | Wait for HungAppTimeout |
---|---|---|---|
1 | shutdown from Start Menu | RuntimeBroker.exe | Yes |
2 | shutdown from the lock screen | winlogon.exe | No |
3 | execute SlideToShutDown.exe | SlideToShutDown.exe | Yes |
4 | execute shutdown.exe | shutdown.exe | No |
5 | execute Stop-Computer cmdlet | WmiPrvSE.exe | Yes |
6 | execute Restart-Computer cmdlet | WmiPrvSE.exe | Yes |
7 | execute Get-CimInstance -ClassName Win32_OperatingSystem | Invoke-CimMethod -MethodName Shutdown | WmiPrvSE.exe | No |
8 | Alt+F4 on Desktop | Explorer.exe | Yes |
9 | push the power button shortly | winlogon.exe | Yes |
What is executed:
The shutdown is recorded in the Event Viewer (search for events that have the Event ID 1074
in [Windows Log]-[System]). These events have the path of the executed program to shutdown in <EventData>
tag.
Wait for HungAppTimeout
As a typical example, shutdown.exe
doesn't wait for the termination of applications before shutdown the system. This behavior is not suitable for the application triggered by shutdown (for example, attendance management application). On the other hand, Stop-Computer
waits for the termination.
Note that this behavior is difficult to observe outside of the application (You have to intentionally hang up some applications and observe the behavior of shutdown). The result in the table above probably contains some inaccuracies. I need the information to how to observe this behavior accurately.