Long Shutdown Time if either Protected Reg Keys or Process Execution [M436]

I am running Comodo Firewall version 6.1.276867.2813 under vanilla 64-bit Windows 7 with no third party startup programs. Clean and successful install of Comodo Firewall.


  1. Moved: https://forums.comodo.com/bug-reports-cis/random-bsod-at-system-bootup-v6-t95461.0.html
  2. When monitoring either “Protected Registry Keys” or “Process Execution” is enabled for HIPS, windows takes forever (4-5 minutes) to shutdown. “Logging off…” is shown when “Process Execution” is enabled, “Shutting Down…” is shown when “Protected Registry Keys” is enabled, and both stay at that screen forever.

I’ve done exhaustive tests trying to narrow down the specific settings, and am pretty sure the causes stated above are correct. Issues disappeared when those settings were disabled.

Please fix in next version. Thanks.

I can reproduce 2. There’s an OS process for which there is not standard HIPS rule I think. Could you manage two bug reports please?

Do you have ‘block all unknown requests’ ticked?

(Guidance below)

Thank you very much for your issue report.

We would very much appreciate it if you would be kind enough to edit your report to put it in the standard format and add any additional information requested, as this will make it much easier for the developers to diagnose and fix the problem.

The reasons we need all the information in the format, though they may not seem directly relevant to the issue are explained here.

If you are able to do this we will forward this post to the format verified board, where it is more likely to get looked at by developers. You can find assistance using red links in the format and here. If you need further help please ask a mod. If you do not add the information after a day or two we will forward this post to the non-format board. If this happens we will tell you how to rectify this if you wish to.

In the current process we will normally leave it up to you whether you want to make a report in standard format or not. However we may remind you if we think a bug of particular importance.

Many thanks again


A. THE BUG/ISSUE (Varies from issue to issue)
[ol]- Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?: Yes, every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    When monitoring either “Protected Registry Keys” or “Process Execution” is enabled for HIPS, windows takes forever (4-5 minutes) to shutdown. “Logging off…” is shown when “Process Execution” is enabled, “Shutting Down…” is shown when “Protected Registry Keys” is enabled, and both stay at that screen forever.
  • If not obvious, what U expected to happen: quick shutdown.
  • If a software compatibility problem have U tried the conflict FAQ?: N/A
  • Any software except CIS/OS involved? If so - name, & exact version: No.
  • Any other information, eg your guess at the cause, how U tried to fix it etc: see above on how to reproduce.
  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
[ol]- Exact CIS version & configuration:
Version 6.1.276867.2813; see screenshot attachments.

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV: see screenshot attachments.
  • Have U made any other changes to the default config? (egs here.): see screenshot attachments.
  • Have U updated (without uninstall) from a CIS 5?: no, clean install.
    [li]if so, have U tried a a clean reinstall - if not please do?: yes, clean install.
    [/li]- Have U imported a config from a previous version of CIS: no, clean empty config.
    [li]if so, have U tried a standard config - if not please do: N/A.
    [/li]- OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used: Windows 7 64 bit, UAC On, Admin account, not virtual machine.
  • Other security/s’box software a) currently installed b) installed since OS: a=No b=No.

Just tested ‘block all unknown requests’ has no effect on this issue, ticked or not.

[attachment deleted by admin]

Deleted posts related to Issue #1 to avoid confusion.

#1 split out into a new topic.

Would it be possible to catch a full memory dump from such a BSOD, that will make fixing much more easy

I just caught a full memory dump, but it’s 8 GB in size. I know it’d be nice to have everything, but do you really need a full memory dump? more details of the dump provided in the split off thread (link above).

try compressing it with an archiving software (7zip is a great free option) with the best compression. It should be able to reduce the size greatly


Am having the exact same problem, except with Win 7 32bit instead of 64bit. Have been hunting for ages to find the reason for my system hanging at shutdown.

I first thought it was a driver issue, but it wasnt, then I thought about having a look at the support forums of the programmes I use all the time, and what do you know.

Once I unticked the boxes cmd15792 mentioned, hey, no more problem. Awesome :slight_smile:

Thanks so much.

@cmd15792. Please add the attachments for the Diagnostics file and the Watch Activity process list to your post which contains the bug report. These are needed in order for it to be forwarded to the devs.

Thank you.

Chiron, for the long shutdown issue, there is no process list or diagnostics file to attach, it’s a very reproducible problem, as confirmed by others in this thread. I’ve also done another confirmation via a virtual machine install, same issue. When those two settings are checked, Windows 7 will take forever to shut down. I believe that is enough information for your dev’s to look into and fix. Let’s handle the BSOD issue in the other thread. thanks

Please attach the two files anyway (as they are very easy to create). I do understand your reasons, and do not entirely disagree, but I don’t want this bug to be held up because of some technicality in the way they process bugs. Thus, as they have asked for these attachments to be included for all bug reports, I ask that you please attach these to your bug report.

As soon as you attach those I can forward this to the devs.

Thank you.

Thanks to mouse1’s initial assessment, I’ve found a more proper manual fix for this:

Make sure at least the following windows system files are made/set to “Windows System Application” in HIPS Rules:

There may be other system files you’ll need to “allow” depending on your system, but I’ve found allowing the above has worked for me. Now I can enable monitoring for “Process Execution” and “Protected Registry Keys” without inducing the slow shutdown.

Since this is a manual fix, Comodo might want to look into making this a permanent/preset fix in the next version. Chiron, I believe you or mouse1 can also generate those files you requested, since it should be a reproducible issue on any machine, as long as HIPS rules haven’t been properly set for the above system files.

As you a running in Paranoid Mode just post the Defense logs after you have had a Long Shutdown time this will show the two processes being blocked, and what they require access too.

wininit.exe which requires access to this key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownFlags and this COM Interface
LocalSecurityAuthority.Shutdown and also it requires to start this process C:\Windows\System32\LogonUI.exe

LogonUI.exe which requires access to this key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked

One other way to go with this is the following:

  1. Export your config.
  2. Set system to training-mode.
  3. Reboot twice + logon + let disk calm down etc
  4. Export your config.

Open de logviewer and go to config changes, and filter on auto-learn.
These are the rules the system added automatically, you can tweak them but make sure to re-run the procedure after you narrow rules down.

PM sent.


[attachment deleted by admin]

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Can you please check and see if this is fixed with the newest version (6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.