Solved

SERVER shutting down everyday at a specific time

Posted on 2013-11-04
8
1,463 Views
Last Modified: 2014-12-21
Hi all,

I've got a SBS 2008 SERVER which is restarting at 12:13:14am everyday. The problem can be replicated by changing the time forward.

Event viewer log:

The process C:\Windows\system32\shutdown.exe (SERVER) has initiated the restart of computer SERVER on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x800000ff
 Shutdown Type: restart


MBAM, MSERT, ESET Online Scanners have brought no results.

Is there a tool which I can use to monitor what, who and where this process is getting executed from?
0
Comment
Question by:CBM Corporate
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 2

Expert Comment

by:pablito70
Comment Utility
Did umyou check if the antivirus is configured for restarting after update?

In addition to you can check:

- On scheduled tasks
- If there is a setting to autorestart in case the treshold of trmperature of CPU or similar is configured

Hth
0
 
LVL 95

Expert Comment

by:Lee W, MVP
Comment Utility
Check through your scheduled tasks.
0
 

Author Comment

by:CBM Corporate
Comment Utility
Nothing in the scheduled tasks.
Nothing in the SQL scripts

The fact it can be replicated by changing the server time to 12:13:00 and it reboots systematically at 12:13:14 AM clearly indicates it is local, at it is scripted.

My question is around finding who, what, where, is running SHUTDOWN.exe process ? I can't find any way to enable deeper logging or auditing.
Any third party tool ?
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 95

Expert Comment

by:Lee W, MVP
Comment Utility
There are no other event log entries that seem odd?  A Service could have been configured to reboot the server if it fails.  You won't be able to tell WHO unless there's an account (other than system) associated with it (hopefully, you don't share one admin account amongst all admins) or someone actually noted it was them.
0
 
LVL 2

Expert Comment

by:pablito70
Comment Utility
Are you configured automatic updates on the server or is part of WSUS system ?

The account claiming shutdown it is local system account so its seems really a win service scheduled.

Try to check on task manager if you see some processes that norma shouldn't be there.

Use systernal psexplorer for details.

Hth
0
 

Accepted Solution

by:
CBM Corporate earned 0 total points
Comment Utility
Hi guys

I think a malware infected the machine before.
I applied all the windows updates that is possible and it seems to have fixed itself.
0
 
LVL 28

Expert Comment

by:jhyiesla
Comment Utility
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now