bbarac asked:

The process Explorer.EXE has initiated the shutdown of computer TORBACKUP on behalf of user domainname\user

I have a 2003 server; it's primarily used to run our backups. Last night at 5:26pm the server shut itself off on its own and no backups ran. I never shut the server down and I was nowhere near the machine at the time of the shutdown, nor was anyone else. This morning I was looking at the logs and this is what I got.

First LOG:
The process Explorer.EXE has initiated the shutdown of computer TORBACKUP on behalf of user domain\user for the following reason: Operating System: Reconfiguration (Planned)
 Reason Code: 0x84020004
 Shutdown Type: shutdown
 Comment:

Then
Application popup: Windows : Other people are logged on to this remote computer.  Shutting down Windows might cause them to lose data. Also, someone at the remote location will have to restart the computer manually.

Do you want to continue shutting down?

A few more logs here; the last log was:

The process svchost.exe has initiated the power off of computer TORBACKUP on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x80070020
 Shutdown Type: power off
 Comment:


I had this server originally set up for WSUS updates, but in the setup I specified not to reboot after updates. I checked whether any updates were installed and nothing is listed except SP1, which I installed months ago. So even if the "do not reboot after updates" option I selected somehow failed and it rebooted anyway, that really does not look like the cause, since I can't find any updates that were installed.

So anyone have any idea what else to look at?

Thanks.
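As an added example (not from the thread), here is a small Python decoder for the reason codes in the two "The process ... has initiated the shutdown" messages quoted above (these are USER32 Event ID 1074 entries in the System log). The flag and code names are the Windows shutdown reason tables from winreason.h; the sample text is constructed from the two messages in the question, and the regex and field names are my own.

```python
import re

# Flag bits and code tables from winreason.h ("System Shutdown Reason Codes");
# only the entries relevant here plus a few common neighbours are listed.
FLAGS = {0x80000000: "PLANNED", 0x40000000: "USER_DEFINED", 0x08000000: "DIRTY_UI",
         0x04000000: "CLEAN_UI", 0x01000000: "COMMENT_REQUIRED"}
MAJOR = {0: "OTHER", 1: "HARDWARE", 2: "OPERATINGSYSTEM", 3: "SOFTWARE",
         4: "APPLICATION", 5: "SYSTEM", 6: "POWER", 7: "LEGACY_API"}
MINOR = {0x00: "OTHER", 0x01: "MAINTENANCE", 0x02: "INSTALLATION", 0x03: "UPGRADE",
         0x04: "RECONFIG", 0x05: "HUNG", 0x06: "UNSTABLE", 0x0F: "BLUESCREEN",
         0x10: "SERVICEPACK", 0x11: "HOTFIX", 0x12: "SECURITYFIX", 0x13: "SECURITY",
         0x15: "WMI", 0x20: "TERMSRV"}

# One Event ID 1074 message as written to the System log (multi-line).
EVENT_RE = re.compile(
    r"The process (?P<proc>\S+) has initiated the (?P<action>shutdown|restart|power off) "
    r"of computer (?P<host>\S+) on behalf of user (?P<user>.+?) for the following reason: "
    r"(?P<title>.*?)\s*Reason Code: (?P<code>0x[0-9A-Fa-f]+)", re.S)


def decode_reason(code):
    """Split a reason code into flag bits, major (bits 16-23) and minor (bits 0-15)."""
    major, minor = (code >> 16) & 0xFF, code & 0xFFFF
    return {"flags": sorted(n for bit, n in FLAGS.items() if code & bit),
            "major": MAJOR.get(major, "UNKNOWN(%d)" % major),
            "minor": MINOR.get(minor, "UNKNOWN(%d)" % minor)}


def parse_events(text):
    """Return one dict per 1074 message in the text, with the reason code decoded."""
    events = []
    for m in EVENT_RE.finditer(text):
        ev = m.groupdict()
        ev["code"] = int(ev["code"], 16)
        ev.update(decode_reason(ev["code"]))
        # CLEAN_UI/DIRTY_UI means the request came through the interactive
        # shutdown dialog of a logged-on session as that user, which fits the
        # Explorer.EXE process name; scripts and services do not set these bits.
        ev["interactive"] = any(f.endswith("_UI") for f in ev["flags"])
        events.append(ev)
    return events


# Constructed sample: the two messages quoted in the question above.
SAMPLE = (
    "The process Explorer.EXE has initiated the shutdown of computer TORBACKUP on "
    "behalf of user domain\\user for the following reason: Operating System: "
    "Reconfiguration (Planned)\n Reason Code: 0x84020004\n Shutdown Type: shutdown\n"
    "The process svchost.exe has initiated the power off of computer TORBACKUP on "
    "behalf of user NT AUTHORITY\\SYSTEM for the following reason: No title for this "
    "reason could be found\n Reason Code: 0x80070020\n Shutdown Type: power off\n")
```

Running `parse_events(SAMPLE)` decodes 0x84020004 as PLANNED + CLEAN_UI, OPERATINGSYSTEM/RECONFIG (an interactive shutdown under the named account) and 0x80070020 as PLANNED, LEGACY_API/TERMSRV (the follow-up power off by the system), which is the distinction to check before blaming WSUS or a scheduled job.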
Khlept0:

It's possible that someone initiated the shutdown command remotely by opening a "DOS" window and doing this...


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

L:\>shutdown /?
Usage: shutdown [-i | -l | -s | -r | -a] [-f] [-m \\computername] [-t xx] [-c "comment"] [-d up:xx:yy]

        No args                 Display this message (same as -?)
        -i                      Display GUI interface, must be the first option
        -l                      Log off (cannot be used with -m option)
        -s                      Shutdown the computer
        -r                      Shutdown and restart the computer
        -a                      Abort a system shutdown
        -m \\computername       Remote computer to shutdown/restart/abort
        -t xx                   Set timeout for shutdown to xx seconds
        -c "comment"            Shutdown comment (maximum of 127 characters)
        -f                      Forces running applications to close without warning
        -d [u][p]:xx:yy         The reason code for the shutdown
                                u is the user code
                                p is a planned shutdown code
                                xx is the major reason code (positive integer less than 256)
                                yy is the minor reason code (positive integer less than 65536)

L:\>
So basically, if I had admin rights to TORBACKUP, I could do this.

L:\>shutdown -s -f -m \\TORBACKUP -d p:0:0
bbarac (ASKER):

That is possible but unlikely; only myself and two other guys have access to this machine. One guy had gone home well before that time, and the second guy was with me, so nobody was close to that machine.
Who was the domain\user?  One of your guys?

I'm not sure how you have permissions set up, but someone other than admin may have done it... depending on how you have things.
bbarac (ASKER):

The domain\user that was specified in there was me. As far as admins, there are only 3 of us, and nobody would care about that machine other than myself.
Your password may have been compromised. I'd stop reading and change it now.
I agree.

I'd check your task scheduler as well.
And make sure no other user accounts have been created locally.
Do you have any services running under your account?
Ohh, good idea, CharliePete00
bbarac (ASKER):

The only things that were running are Veritas Backup Exec 10 and ScriptLogic Desktop Authority, but ScriptLogic was only installed; nothing was configured other than running scripts for mapping shared drives.
Seriously... If you have not changed your password yet, you should. The event log shows that someone using your account sent the shutdown command. That shutdown command can be run remotely.

If you did not do this there are 3 main possibilities:
1.  A service or a scheduled task that uses your credentials sent the shutdown command
2.  (If you provide any end user support) some user saw you enter your username and password one too many times and is overly curious about some things they have learned, or is just trying to see what they can get away with
3.  Some unknown person has your username/password and intends some serious harm

bbarac (ASKER):

Well, I just noticed that there is a scheduled task from Veritas to do backups each Thursday at 1:45 pm. Not sure if this would create a reboot, but something isn't right.
SOLUTION
Khlept0:
bbarac (ASKER):

Sorry I meant to say Veritas Software updates were scheduled, not the actual jobs within veritas.
ASKER CERTIFIED SOLUTION
bbarac (ASKER):

Thanks for the suggestions. Password was changed; I didn't lose any info, the servers were backed up this morning. As far as reporting to somebody, I did that: I sent myself a note :)
This error may be attributed to a security issue identified, or the virus known as W32.Blaster.Worm. The virus broadcasts from the local machine and may cause a buffer overrun in RPC, allowing code execution, or RPC may terminate unexpectedly.

See the link to the Symantec virus information and removal tool, MS03-026 and the RPC DCOM worm (MSBLASTER).