Solved

SERVER shutting down everyday at a specific time

Posted on 2013-11-04
8
1,579 Views
Last Modified: 2014-12-21
Hi all,

I've got a SBS 2008 SERVER which is restarting at 12:13:14am everyday. The problem can be replicated by changing the time forward.

Event viewer log:

The process C:\Windows\system32\shutdown.exe (SERVER) has initiated the restart of computer SERVER on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x800000ff
 Shutdown Type: restart


MBAM, MSERT, ESET Online Scanners have brought no results.

Is there a tool which I can use to monitor what, who and where this process is getting executed from?
0
Comment
Question by:CBM Corporate
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 2

Expert Comment

by:pablito70
ID: 39623472
Did umyou check if the antivirus is configured for restarting after update?

In addition to you can check:

- On scheduled tasks
- If there is a setting to autorestart in case the treshold of trmperature of CPU or similar is configured

Hth
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39623482
Check through your scheduled tasks.
0
 

Author Comment

by:CBM Corporate
ID: 39623492
Nothing in the scheduled tasks.
Nothing in the SQL scripts

The fact it can be replicated by changing the server time to 12:13:00 and it reboots systematically at 12:13:14 AM clearly indicates it is local, at it is scripted.

My question is around finding who, what, where, is running SHUTDOWN.exe process ? I can't find any way to enable deeper logging or auditing.
Any third party tool ?
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39623506
There are no other event log entries that seem odd?  A Service could have been configured to reboot the server if it fails.  You won't be able to tell WHO unless there's an account (other than system) associated with it (hopefully, you don't share one admin account amongst all admins) or someone actually noted it was them.
0
 
LVL 2

Expert Comment

by:pablito70
ID: 39623549
Are you configured automatic updates on the server or is part of WSUS system ?

The account claiming shutdown it is local system account so its seems really a win service scheduled.

Try to check on task manager if you see some processes that norma shouldn't be there.

Use systernal psexplorer for details.

Hth
0
 

Accepted Solution

by:
CBM Corporate earned 0 total points
ID: 39689078
Hi guys

I think a malware infected the machine before.
I applied all the windows updates that is possible and it seems to have fixed itself.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 40511426
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
An article on effective troubleshooting
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

774 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question