SERVER shutting down everyday at a specific time

Hi all,

I've got a SBS 2008 SERVER which is restarting at 12:13:14am everyday. The problem can be replicated by changing the time forward.

Event viewer log:

The process C:\Windows\system32\shutdown.exe (SERVER) has initiated the restart of computer SERVER on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x800000ff
 Shutdown Type: restart


MBAM, MSERT, ESET Online Scanners have brought no results.

Is there a tool which I can use to monitor what, who and where this process is getting executed from?
CBM CorporateAsked:
Who is Participating?
 
CBM CorporateConnect With a Mentor Author Commented:
Hi guys

I think a malware infected the machine before.
I applied all the windows updates that is possible and it seems to have fixed itself.
0
 
pablito70Commented:
Did umyou check if the antivirus is configured for restarting after update?

In addition to you can check:

- On scheduled tasks
- If there is a setting to autorestart in case the treshold of trmperature of CPU or similar is configured

Hth
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
Check through your scheduled tasks.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
CBM CorporateAuthor Commented:
Nothing in the scheduled tasks.
Nothing in the SQL scripts

The fact it can be replicated by changing the server time to 12:13:00 and it reboots systematically at 12:13:14 AM clearly indicates it is local, at it is scripted.

My question is around finding who, what, where, is running SHUTDOWN.exe process ? I can't find any way to enable deeper logging or auditing.
Any third party tool ?
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
There are no other event log entries that seem odd?  A Service could have been configured to reboot the server if it fails.  You won't be able to tell WHO unless there's an account (other than system) associated with it (hopefully, you don't share one admin account amongst all admins) or someone actually noted it was them.
0
 
pablito70Commented:
Are you configured automatic updates on the server or is part of WSUS system ?

The account claiming shutdown it is local system account so its seems really a win service scheduled.

Try to check on task manager if you see some processes that norma shouldn't be there.

Use systernal psexplorer for details.

Hth
0
 
jhyieslaCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.