Solved

What might have caused a win xp machine to reboot at 1AM on Wed 2/19?

Posted on 2014-02-19
8
762 Views
Last Modified: 2014-02-20
A home user that I provide patch management, monitoring and AV with GFI signed up with a backup service (not mine) and asked me to make sure her machine did not reboot last night as it does the initial seeding.

 I went into her machine in GFI dashboard and turned off patch management. In GFI, I have reboot set to 'if needed'.

 Today she says her machine rebooted overnight and is "blaming" me. GFI does show it rebooted at around 1AM.

 I confirmed that in the GFI dashboard, her machine patch management is OFF. I looked under GFI, settings, patch management and don't see any patches that came out yesterday / would have been installed last night.

I guess I'll log in remotely and check the event log to see if there was any indication of what caused the reboot, but would anyone know what might have caused the reboot? Patch Tuesday is usually the 2nd Tuesday of the month, right? This was the 3rd Tuesday.

Thanks!
0
Comment
8 Comments
 
LVL 19

Assisted Solution

by:regmigrant
regmigrant earned 100 total points
ID: 39870377
a critical security update can be released anytime and may require a reboot - I don't see any logged since 16/2 but then again I am not running XP
0
 
LVL 46

Assisted Solution

by:noxcho
noxcho earned 200 total points
ID: 39870379
Check if in C:\Minidumps any file has been created. The automatic reboot could happen if the system recovery settings are set to reboot the machine automatically if any serious problem occurs with Windows.
0
 
LVL 11

Assisted Solution

by:BillBondo
BillBondo earned 100 total points
ID: 39870557
Perhaps she simply lost power... and like my machines restarted
0
 
LVL 12

Assisted Solution

by:Infamus
Infamus earned 100 total points
ID: 39871674
Event log should be able to tell you the cause of the reboot.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39872112
I happened to check another machine on an entirely different network that I also manage with GFI and it still has patch management enabled.  It also has Shadow Protect on it.  What do you think of this list of messages in the 10 minutes before reboot:  The system has shadow Protect

12:52AM: Event 7036 The Volume Shadow Copy service entered the stopped state.
----
12:58:36 AM: Event 7045: A service was installed in the system.

Service Name:  gfiark
Service File Name:  system32\drivers\gfiark.sys
Service Type:  kernel mode driver
Service Start Type:  demand start
Service Account:  
-----
12:58:37 that same message at 12:58:36
----
12:59:59 Event 7036 The Volume Shadow Copy service entered the running state.
----
1:00:12 Event 1074: The process C:\Windows\system32\shutdown.exe (ANNA-PC) has initiated the restart of computer ANNA-PC on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x800000ff
 Shutdown Type: restart
 Comment:  
-----
1:00:12 Event 7036: The Application Experience service entered the running state.
----
1:07:26 Event 12: The operating system started at system time ¿2014¿-¿02¿-¿19T06:07:25.626398500Z.
----
1:07:27 Event 6: File System Filter 'FileInfo' (6.1, ¿2009¿-¿07¿-¿13T18:34:25.000000000Z) has successfully loaded and registered with Filter Manager.
-----
1:07:27: Event 1 ShadowProtect driver loaded (version 2.2.63.19761).
-----
and then a whole bunch of info events for services that were started.

So again, this machine has shadowProtect, but the first one doesn't.  They both have GFI,

any thoughts?
0
 
LVL 46

Accepted Solution

by:
noxcho earned 200 total points
ID: 39872679
Run of Shadiw Protect backup could cause restart due to the fact that VSS could not take snapshot of the volume and thus required exclusive access rights to the volume. This is possible only with restart.
Another possible reason - the memory leak could happen and the systen has to restart fix this problem. But you do not tell if minidump folder has any file created.
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 39873092
I'm my own worst enemy (that was a really good TV show) - I had a script in GFI that reboots the machine at 1AM.

Although I rem'ed out the reboot command in the batch in GFI and it should have pushed it to the machines. Now to figure out why the script didn't get updated on the machine.
0
 
LVL 46

Expert Comment

by:noxcho
ID: 39873177
:)
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now