{"id":17501,"date":"2010-08-07T00:01:00","date_gmt":"2010-08-07T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/08\/07\/weekend-scripter-boot-tracing-with-windows-powershell\/"},"modified":"2010-08-07T00:01:00","modified_gmt":"2010-08-07T00:01:00","slug":"weekend-scripter-boot-tracing-with-windows-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-boot-tracing-with-windows-powershell\/","title":{"rendered":"Weekend Scripter: Boot Tracing with Windows PowerShell"},"content":{"rendered":"<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">Microsoft Scripting Guy Ed Wilson here. There used to be a really cool tool available in the <a href=\"http:\/\/www.microsoft.com\/whdc\/devtools\/wdk\/default.mspx\"><span style=\"font-family: arial,helvetica,sans-serif\"><span style=\"font-size: small\">Windows Driver Development Kit (DDK)<\/span><\/span><\/a> that was called bootvis.exe. I used to use it to create a boot trace for my Windows XP computer. This tool was useful because it would let you know which drivers were taking a long time to load. Unfortunately, there is no such tool (that I know of) for Windows 7. <\/p>\n<p><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">I was reflecting on the absence of such a tool this morning when I turned on the laptop that belongs to the female who inhabits my humble abode in Charlotte. I waited for a seemingly interminable amount of time to log on to the machine. I decided to open a Windows PowerShell prompt, list all of the processes, and sort by start time. When doing this, I had to open the Windows PowerShell prompt as an administrator because the <b>starttime<\/b> of some processes is protected from non-elevated users. Even with running the Windows PowerShell console as an administrator, several &ldquo;Access Denied&rdquo; errors are raised. 
These are for system processes such as <b>system<\/b>, <b>idle<\/b>, and the <b>audiodg<\/b> process. If the errors bother you, you can hide them by specifying an error action of <b>silentlycontinue<\/b>. The alias for this parameter is <b>EA<\/b>, and it must be supplied to the <b>Sort-Object<\/b> cmdlet, as shown here. I use the <b>sort<\/b> alias for the <b>Sort-Object<\/b> cmdlet, and the <b>ft<\/b> alias for the <b>Format-Table<\/b> cmdlet. <\/p>\n<p><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\">PS C:\\Windows\\system32&gt; Get-Process | sort startTime -ea silentlycontinue | ft name, starttime -AutoSize<\/span><\/span><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\"><\/p>\n<p><\/span><\/span><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">Here is the complete output (with the errors that arise):<\/p>\n<p><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\">PS C:\\Windows\\system32&gt; Get-Process | sort startTime | ft name, starttime -AutoSize<br \/>Sort-Object : Exception getting &#8220;StartTime&#8221;: &#8220;Access is denied&#8221;<br \/>At line:1 char:19<br \/>+ Get-Process | sort &lt;&lt;&lt;&lt;<span>&nbsp; <\/span>startTime | ft name, starttime -AutoSize<br \/><span>&nbsp;&nbsp;&nbsp; <\/span>+ CategoryInfo<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: InvalidResult: (System.Diagnostics.Process (audiodg):<br \/><span>&nbsp;&nbsp; <\/span>PSObject) [Sort-Object], GetValueInvocationException<br \/><span>&nbsp;&nbsp;&nbsp; <\/span>+ FullyQualifiedErrorId : ExpressionEvaluation,Microsoft.PowerShell.Commands.So<br \/><span>&nbsp;&nbsp; 
<\/span>rtObjectCommand<\/p>\n<p>Sort-Object : Exception getting &#8220;StartTime&#8221;: &#8220;Access is denied&#8221;<br \/>At line:1 char:19<br \/>+ Get-Process | sort &lt;&lt;&lt;&lt;<span>&nbsp; <\/span>startTime | ft name, starttime -AutoSize<br \/><span>&nbsp;&nbsp;&nbsp; <\/span>+ CategoryInfo<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: InvalidResult: (System.Diagnostics.Process (Idle):PSO<br \/><span>&nbsp;&nbsp; <\/span>bject) [Sort-Object], GetValueInvocationException<br \/><span>&nbsp;&nbsp;&nbsp; <\/span>+ FullyQualifiedErrorId : ExpressionEvaluation,Microsoft.PowerShell.Commands.So<br \/><span>&nbsp;&nbsp; <\/span>rtObjectCommand<\/p>\n<p>Sort-Object : Exception getting &#8220;StartTime&#8221;: &#8220;Access is denied&#8221;<br \/>At line:1 char:19<br \/>+ Get-Process | sort &lt;&lt;&lt;&lt;<span>&nbsp; <\/span>startTime | ft name, starttime -AutoSize<br \/><span>&nbsp;&nbsp;&nbsp; <\/span>+ CategoryInfo<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: InvalidResult: (System.Diagnostics.Process (System):P<br \/><span>&nbsp;&nbsp; <\/span>SObject) [Sort-Object], GetValueInvocationException<br \/><span>&nbsp;&nbsp;&nbsp; <\/span>+ FullyQualifiedErrorId : ExpressionEvaluation,Microsoft.PowerShell.Commands.So<br \/><span>&nbsp;&nbsp; <\/span>rtObjectCommand<\/p>\n<p>Name<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>StartTime<br \/>&#8212;-<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>&#8212;&#8212;&#8212;<br \/>audiodg<br \/>Idle<br \/>System<br \/>smss<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:48:57 AM<br 
\/>csrss<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:01 AM<br \/>wininit<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:02 AM<br \/>csrss<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:02 AM<br \/>services<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:02 AM<br \/>lsm<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:02 AM<br \/>lsass<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:02 AM<br \/>winlogon<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span>8\/2\/2010 8:49:03 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:03 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:03 AM<br \/>MsMpEng<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:03 AM<br \/>atiesrxx<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:03 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
<\/span>8\/2\/2010 8:49:03 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:03 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:03 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:05 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:05 AM<br \/>atieclxx<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:05 AM<br \/>spoolsv<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span>8\/2\/2010 8:49:05 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:05 AM<br \/>PhotoshopElementsFileAgent 8\/2\/2010 8:49:06 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:06 AM<br \/>Iap<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:06 AM<br \/>inetinfo<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:06 AM<br \/>LMS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:06 AM<br 
\/>mdm<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:06 AM<br \/>MSCamS64<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:06 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:06 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:06 AM<br \/>UNS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span>8\/2\/2010 8:49:06 AM<br \/>WLIDSVC<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:07 AM<br \/>DCPSysMgrSvc<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:07 AM<br \/>IAANTmon<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:07 AM<br \/>WmiPrvSE<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:07 AM<br \/>SearchIndexer<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:08 AM<br \/>svchost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:08 AM<br \/>WmiPrvSE<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:09 AM<br 
\/>WLIDSVCM<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:49:09 AM<br \/>taskhost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:05 AM<br \/>dwm<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:05 AM<br \/>explorer<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:05 AM<br \/>ipoint<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:06 AM<br \/>IAAnotif<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:06 AM<br \/>Dell.ControlPoint<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:07 AM<br \/>msseces<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:07 AM<br \/>ZuneLauncher<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;<\/span>8\/2\/2010 8:50:07 AM<br \/>DCPSysMgr<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:07 AM<br \/>dpupdchk<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:07 AM<br \/>smax4pnp<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:07 AM<br 
\/>MOM<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:08 AM<br \/>CCC<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>8\/2\/2010 8:50:09 AM<\/span><\/span><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\"><\/p>\n<p><\/span><\/span><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">The thing I was looking for in the sorted list is the first process to start up. That is the <b>smss<\/b> process. <b>Taskhost<\/b> seems to be the first process that runs after you press Ctrl+Alt+Delete to log on. Next the <b>dwm<\/b> (dynamic windows manager) process runs, and finally the <b>explorer<\/b> process runs, which displays the desktop. Depending on the computer, either the <b>SearchIndexer<\/b>, <b>svchost<\/b>, <b>WmiPrvSE<\/b>, or some other program may be the last process that starts up before you attempt to log on to the computer. Using this information, you can characterize the startup of the computer. <\/p>\n<p><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">For comparison purposes, you should not use the <b>explorer<\/b> process because that runs after you have logged onto the computer, which means that speed of typing, network latency, and processor utilization on the domain controller can all play a part in the presentation of the desktop. Because different computers may have different drivers, using the <b>SearchIndexer<\/b> as the last boot process seems to be a relatively safe point. <\/p>\n<p><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">Wait just a few minutes. 
It seems I am going to be a while, and Teresa has a tendency to get grumpy if I am using her computer when she comes down in the morning. She always says something like, &ldquo;You have a dozen computers upstairs. Why can&rsquo;t you leave mine alone?&rdquo; <\/p>\n<p><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">Okay, I am upstairs now on my computer. Here is the bootup time from my desktop machine:<\/p>\n<p><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\">PS C:\\Windows\\system32&gt; $smss = $proc | ? {$_.name -eq &quot;smss&quot;}<br \/>PS C:\\Windows\\system32&gt; $search = $proc | ? {$_.name -eq &quot;SearchIndexer&quot;}<br \/>PS C:\\Windows\\system32&gt; $search.StartTime - $smss.StartTime<\/p>\n<p>Days<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 0<br \/>Hours<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 0<br \/>Minutes<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 0<br \/>Seconds<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 10<br \/>Milliseconds<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 940<br \/>Ticks<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 109400189<br \/>TotalDays<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 0.00012662058912037<br \/>TotalHours<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 0.00303889413888889<br \/>TotalMinutes<span>&nbsp;&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;<\/span>: 0.182333648333333<br \/>TotalSeconds<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 10.9400189<br \/>TotalMilliseconds : 10940.0189<\/p>\n<p>PS C:\\Windows\\system32&gt;<\/span><\/span><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span 
style=\"background-color: #f0f0f0\"><\/p>\n<p><\/span><\/span><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">One of the things that is fun to do is to reboot the computer, and after logging on, start the Windows PowerShell console as an administrator and store the output of <b>Get-Process<\/b> (<b>gps<\/b> is the alias) in a variable every minute or so for a few minutes. Do not start any processes other than Windows PowerShell. The results can be pretty interesting. After you have four samples, compare the number of processes that are running. The results from my computer are seen here:<\/p>\n<p><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\">PS C:\\Windows\\system32&gt; $proc = gps<br \/>PS C:\\Windows\\system32&gt; $proc1 = gps<br \/>PS C:\\Windows\\system32&gt; $proc2 = gps<br \/>PS C:\\Windows\\system32&gt; $proc3 = gps<br \/>PS C:\\Windows\\system32&gt; $proc4 = gps<br \/>PS C:\\Windows\\system32&gt; $proc.Count<br \/>64<br \/>PS C:\\Windows\\system32&gt; $proc1.Count<br \/>64<br \/>PS C:\\Windows\\system32&gt; $proc2.Count<br \/>60<br \/>PS C:\\Windows\\system32&gt; $proc3.Count<br \/>59<br \/>PS C:\\Windows\\system32&gt; $proc4.Count<br \/>58<br \/>PS C:\\Windows\\system32&gt;<\/span><\/span><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\"><\/p>\n<p><\/span><\/span><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">On my computer, 6 processes went away between the initial logon and logon + 4 minutes. 
To find the names of the processes, use the <b>Compare-Object<\/b> cmdlet, as seen here.<\/p>\n<p><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\">PS C:\\Windows\\system32&gt; Compare-Object -ReferenceObject $proc -DifferenceObject $proc4<\/p>\n<p>InputObject<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>SideIndicator<br \/>-----------<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span>-------------<br \/>System.Diagnostics.Process (PIconStartup)<span>&nbsp; <\/span>&lt;=<br \/>System.Diagnostics.Process (SearchFilte... &lt;=<br \/>System.Diagnostics.Process (SearchProto... &lt;=<br \/>System.Diagnostics.Process (SearchProto... &lt;=<br \/>System.Diagnostics.Process (sppsvc)<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;<\/span>&lt;=<br \/>System.Diagnostics.Process (userinit)<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>&lt;=<\/p>\n<p>PS C:\\Windows\\system32&gt;<\/span><\/span><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\"><\/p>\n<p><\/span><\/span><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">If you are interested in which processes start after logon, you can store the <b>taskhost<\/b> process in a variable, and then pipe the last process snapshot to the <b>Where-Object<\/b> cmdlet (<b>?<\/b> is the alias) to look for processes that start after the <b>taskhost<\/b> process. 
Sort by company name, and then print a table (<b>ft<\/b> is the alias for <b>Format-Table<\/b>) that includes the name of the process, the company name, and the product description. This command is shown here: <\/p>\n<p><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\">PS C:\\Windows\\system32&gt; $task = $proc | ? { $_.name -eq 'taskhost'}<br \/>PS C:\\Windows\\system32&gt; $proc4 | ? { $_.startTime -gt $task.starttime} | sort company | ft name, company, product -auto<\/p>\n<p>Name<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Company<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span>Product<br \/>----<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>-------<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>-------<br \/>apdproxy<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Adobe Systems Incorporated<span>&nbsp; <\/span>Adobe Photo Downloader 4.0 component<br \/>MOM<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Advanced Micro Devices Inc. 
Catalyst Control Centre<br \/>smax4pnp<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Analog Devices, Inc.<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>SMax4PNP Application<br \/>CCC<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>ATI Technologies Inc.<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Catalyst Control Centre<br \/>DCPSysMgr<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Dell Inc.<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Dell ControlPoint System Manager<br \/>Dell.ControlPoint Dell Inc.<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Dell ControlPoint<br \/>IAAnotif<span>&nbsp; <\/span><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span>Intel Corporation<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>RAID Event Monitor<br \/>WmiPrvSE<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft Corporation<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoftr Windowsr Operating System<br \/>msseces<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft Corporation<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft Security Essentials<br \/>ZuneLauncher<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft Corporation<span>&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;&nbsp;&nbsp;<\/span>Zuner<br \/>powershell<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft Corporation<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoftr Windowsr Operating System<br \/>dpupdchk<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft Corporation<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft IntelliPoint<br 
\/>conhost<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft Corporation<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoftr Windowsr Operating System<br \/>dwm<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span>Microsoft Corporation<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoftr Windowsr Operating System<br \/>ipoint<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft Corporation<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft IntelliPoint<br \/>explorer<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoft Corporation<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>Microsoftr Windowsr Operating System<\/p>\n<p>PS C:\\Windows\\system32&gt;<\/span><\/span><\/span><\/p>\n<p class=\"CodeBlock\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span style=\"background-color: #f0f0f0\"><\/p>\n<p><\/span><\/span><\/span><\/p>\n<p class=\"Fig-Graphic\"><span style=\"font-size: 10pt\">This output is shown in the following image.<\/p>\n<p><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-family: 'Arial','sans-serif';font-size: 10pt\"><img decoding=\"async\" src=\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/qanda\/hsg\/2010\/august\/hey0807\/wes-08-07-10-01.jpg\" border=\"0\" style=\"max-width: 550px\"><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">&nbsp;<\/p>\n<p><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-size: 10pt\">Tomorrow I will expand on this concept and perhaps write a script to automate some of the manual computations. 
We invite you to follow us on <a target=\"_blank\" href=\"http:\/\/bit.ly\/scriptingguystwitter\"><span style=\"font-size: small\"><span style=\"font-family: arial,helvetica,sans-serif\">Twitter<\/span><\/span><\/a> or <\/span><span style=\"font-size: 10pt\"><a href=\"http:\/\/bit.ly\/scriptingguysfacebook\"><span style=\"font-family: arial,helvetica,sans-serif\"><span style=\"font-size: small\">Facebook<\/span><\/span><\/a><\/span><span style=\"font-size: 10pt\">. If you have any questions, send email to us at <a target=\"_blank\" href=\"mailto:scripter@microsoft.com\"><span style=\"font-family: arial,helvetica,sans-serif\"><span style=\"font-size: small\">scripter@microsoft.com<\/span><\/span><\/a>, or post your questions on the <a target=\"_blank\" href=\"http:\/\/bit.ly\/scriptingforum\"><span style=\"font-family: arial,helvetica,sans-serif\"><span style=\"font-size: small\">Official Scripting Guys Forum<\/span><\/span><\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><\/span><\/p>\n<p class=\"MsoNormal\"><span style=\"font-family: 'Segoe UI','sans-serif';font-size: 10pt\">&nbsp;<\/p>\n<p><\/span>\n<b><span style=\"font-family: 'Segoe UI','sans-serif';font-size: 10pt\">Ed Wilson and Craig Liebendorfer, Scripting Guys<\/p>\n<p><\/span><\/b><\/p>\n<p><b><span style=\"font-family: 'Segoe UI','sans-serif';font-size: 10pt\"><\/span><\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Scripting Guy Ed Wilson here. There used to be a really cool tool available in the Windows Driver Development Kit (DDK) that was called bootvis.exe. I used to use it to create a boot trace for my Windows XP computer. 
This tool was useful because it would let you know which drivers were taking [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[31,87,3,61,45],"class_list":["post-17501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-operating-system","tag-processes","tag-scripting-guy","tag-weekend-scripter","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Microsoft Scripting Guy Ed Wilson here. There used to be a really cool tool available in the Windows Driver Development Kit (DDK) that was called bootvis.exe. I used to use it to create a boot trace for my Windows XP computer. This tool was useful because it would let you know which drivers were taking [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=17501"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17501\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=17501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=17501"},{"
taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=17501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}