Solved

winlogon.exe initiated a shutdown

Posted on 2013-06-19
8
2,781 Views
Last Modified: 2013-07-03
All of my desktop computers (all running XP), and my server randomly have the OS shutdown occur without warning.  It starts happening in the early afternoon around 1:30-ish.  I have done malware and virus scans on all of the computers.  The OS is shutting down.  This is not a power loss issue/power supply problem.  

I have also re-installed XP on two of the computers and did not join them back to the domain.  The also performed unprovoked shutdown of the OS.

I modified the Local Policy to not allow Shutdown from any user.  It still happens.
Since the clean computers are doing the same, I assume that this is happening from a remote entity (LAN or WAN).  

I'm looking for suggestions as to where to go from here.
0
Comment
Question by:VMaxDawg05
  • 4
  • 3
8 Comments
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39260096
Enable shutdown tracker to findout the cause of this shutdown:

Click Start, and then click Run.
Type gpedit.msc, and then click OK.
Expand Computer Configuration, expand Administrative Templates, and then expand System.
Double-click Display Shutdown Event Tracker.
Click Enabled.
In the Shutdown Event Tracker should be displayed box, click Always, and then click OK.

http://support.microsoft.com/kb/293814
0
 
LVL 1

Author Comment

by:VMaxDawg05
ID: 39260840
I turned on shutdown tracker on the computers.  One of them shut down anyway.
Log Entry:
Event Type:     Information
Event Source:   USER32
Event Category: None
Event ID:       1074
Date:           06/19/2013
Time:           4:01:34 PM
User:           CLEARVIEW\Julie
Computer:       OPTICAL-DESK
Description:
The process winlogon.exe has initiated the restart of OPTICAL-DESK for the following reason: Other (Unplanned)
 Minor Reason: 0x0
 Shutdown Type: power off
 Comment:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....  

Interesting.
0
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39262009
So you know who is doing this
User:           CLEARVIEW\Julie

and for why contact her?
0
 
LVL 1

Author Comment

by:VMaxDawg05
ID: 39262107
That is the local user that was logged on and using the computer when the shutdown happened.  It was not physically initiated by the user logged in.  The user was talking on the phone when the OS just shut down on her.  I witnessed it happen.   Also, I notice that the log entry says "initiated a restart", but it was actually a shutdown.  Interesting.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39262127
The process winlogon.exe has initiated the restart of OPTICAL-DESK for the following reason: Other (Unplanned)
Shutdown Type: power off

Shutdown type was power off so machine shutdown.

I have a question here:

This type of behavior we have seen when the OS is not activated with the proper license.
OS keep shutting down the machine in specific interval.

Can you find out the interval of these shutdown?
and also check the OS license.
0
 
LVL 1

Author Comment

by:VMaxDawg05
ID: 39262137
I will verify the OS on that machine.  It is happening on seemingly all of their desktops randomly.
0
 
LVL 1

Author Comment

by:VMaxDawg05
ID: 39275747
all operating systems are activated and are xp except for the server which is server 2008 r2. The interval is random. some days by the time you start up one computer another one or two shut down. then for no reason you can keep all computers up. 20 minutes later a computer shuts down.
0
 
LVL 21

Accepted Solution

by:
Jakob Digranes earned 500 total points
ID: 39288049
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now