winlogon.exe initiated a shutdown

Posted on 2013-06-19
Last Modified: 2013-07-03
All of my desktop computers (all running XP), and my server randomly have the OS shutdown occur without warning.  It starts happening in the early afternoon around 1:30-ish.  I have done malware and virus scans on all of the computers.  The OS is shutting down.  This is not a power loss issue/power supply problem.  

I have also re-installed XP on two of the computers and did not join them back to the domain.  The also performed unprovoked shutdown of the OS.

I modified the Local Policy to not allow Shutdown from any user.  It still happens.
Since the clean computers are doing the same, I assume that this is happening from a remote entity (LAN or WAN).  

I'm looking for suggestions as to where to go from here.
Question by:VMaxDawg05
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39260096
Enable shutdown tracker to findout the cause of this shutdown:

Click Start, and then click Run.
Type gpedit.msc, and then click OK.
Expand Computer Configuration, expand Administrative Templates, and then expand System.
Double-click Display Shutdown Event Tracker.
Click Enabled.
In the Shutdown Event Tracker should be displayed box, click Always, and then click OK.

Author Comment

ID: 39260840
I turned on shutdown tracker on the computers.  One of them shut down anyway.
Log Entry:
Event Type:     Information
Event Source:   USER32
Event Category: None
Event ID:       1074
Date:           06/19/2013
Time:           4:01:34 PM
User:           CLEARVIEW\Julie
Computer:       OPTICAL-DESK
The process winlogon.exe has initiated the restart of OPTICAL-DESK for the following reason: Other (Unplanned)
 Minor Reason: 0x0
 Shutdown Type: power off

For more information, see Help and Support Center at
0000: 00 00 00 00               ....  

LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39262009
So you know who is doing this
User:           CLEARVIEW\Julie

and for why contact her?
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.


Author Comment

ID: 39262107
That is the local user that was logged on and using the computer when the shutdown happened.  It was not physically initiated by the user logged in.  The user was talking on the phone when the OS just shut down on her.  I witnessed it happen.   Also, I notice that the log entry says "initiated a restart", but it was actually a shutdown.  Interesting.
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39262127
The process winlogon.exe has initiated the restart of OPTICAL-DESK for the following reason: Other (Unplanned)
Shutdown Type: power off

Shutdown type was power off so machine shutdown.

I have a question here:

This type of behavior we have seen when the OS is not activated with the proper license.
OS keep shutting down the machine in specific interval.

Can you find out the interval of these shutdown?
and also check the OS license.

Author Comment

ID: 39262137
I will verify the OS on that machine.  It is happening on seemingly all of their desktops randomly.

Author Comment

ID: 39275747
all operating systems are activated and are xp except for the server which is server 2008 r2. The interval is random. some days by the time you start up one computer another one or two shut down. then for no reason you can keep all computers up. 20 minutes later a computer shuts down.
LVL 22

Accepted Solution

Jakob Digranes earned 500 total points
ID: 39288049

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question