Solved

Windows 7 Ultimate PC Reboots every Sunday night automatically.

Posted on 2014-03-14
58
1,122 Views
Last Modified: 2014-05-05
This has been happening every Sunday night, (Monday morning around 2 am). On Monday I see the log-in prompt and all open apps are closed on logging-in. What's happening?
There are no scheduled backups or processes.
0
Comment
Question by:vakils
  • 25
  • 13
  • 10
  • +4
58 Comments
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39930640
Automatic updates set to install on Sunday nights?
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 39930648
Perhaps you have anti-virus or anti-malware software that does a scan and/or definitions update weekly at 2am Monday and is configured to shut down after the scan/update. Regards, Joe
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39930658
check if you have any task is running under "task Scheduler" at that time.
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 39930676
> check if you have any task is running under "task Scheduler" at that time.

In the original question, @vakils said, "There are no scheduled backups or processes." I think that means we're looking for a piece of software that does its own scheduling, i.e., does not use Task Scheduler. Regards, Joe
0
 
LVL 12

Expert Comment

by:Imtiaz Hasham
ID: 39930687
Check BIOS power settings.
0
 
LVL 32

Expert Comment

by:willcomp
ID: 39930765
I tend to agree with Joe Winograd. Check your anti-virus/anti-malware program logs and see if they are detecting malware and trying to clean.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39931035
@ Joe Winograd, Thanks, its my oversight.
0
 
LVL 10

Expert Comment

by:Scott Thomson
ID: 39933337
There are a few things that can trigger a restart
- Virus scanners
- Software updates
- Disk scans
- Defrags
- Windows updates

Have you checked logs to see what has occured just before the restart?
Have you seen it just sitting there and suddenly restarted or do you see something running first?

If you turn your pc off during that time does it restart at a different time?
0
 

Author Comment

by:vakils
ID: 39944615
Happened again. Windows updates are manual. Is there a way to find exact time it rebooted?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39944637
Hi,

if possible pls share the Windows "System"  event logs at the time when it reboots. if not then only share 1074 event log.
0
 
LVL 10

Expert Comment

by:Scott Thomson
ID: 39946553
agreed

Windows event logs will tell you exactly when it went down. and application logs should show anything that was going just before that time.

if you go to start > Run > and type "Msconfig" and click the startup tab do you have anything starting up that you aren't sure of..?

also perhaps run a hijackthis app scan on your machine for us and display the logs from that?

anything in processes that you arent too sure of ..?
0
 

Author Comment

by:vakils
ID: 39946752
Event Attached for 1074, but they are only 5. The last one happened 16th March but it is not in log.1074.txt
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39947374
Hi,

nothing suspicious found, also it is not as per pattern. please share the complete system log, save as it evtx format.
0
 

Author Comment

by:vakils
ID: 39947834
EE does not allow to post in evtx format, only txt and pics.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39947837
Then rename the evtx as png.
0
 

Author Comment

by:vakils
ID: 39951161
All System Events

Open in new window

Change extension to .evtx
system.png
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39951179
:(
unable to open, rename it to .TXT
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39951203
works fine here
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 39951213
Opens here, too. Santosh, change <system.png> to <system.evtx> and Event Viewer should open it fine. If not, there's something hosed on your machine. Regards, Joe
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39951216
When was the last restart?
Log Name:      System
Source:        EventLog
Date:          3/23/2014 9:00:01 PM
Event ID:      6013
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      ITGRP32.sagph.org
Description:
The system uptime is 2160418 seconds.

Open in new window

That means (if I calculated correctly that a day has 86400s) that the last restart was more than  25 days ago
0
 

Author Comment

by:vakils
ID: 39951242
Actually, The machine was already restarted during weekend when I logged in today. All my open Windows, Applications of Friday were shut down. The system did reboot for sure.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39951246
Looking through the log, the only times the server restarted were:
Information      2/26/2014 8:53:40 PM      EventLog      6009      None
Information      2/19/2014 9:03:32 PM      EventLog      6009      None
Information      1/29/2014 8:55:17 PM      EventLog      6009      None
Information      1/28/2014 3:54:40 AM      EventLog      6009      None
Information      1/23/2014 9:05:31 PM      EventLog      6009      None
Information      12/18/2013 9:27:33 PM      EventLog      6009      None
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39951249
Nope, the server did NOT restart. You were logged off :)

Do you connect via RDP to the server? Are there other users that connect via RDP too?
0
 

Author Comment

by:vakils
ID: 39951267
OK, what caused the log off, since I did not log off. Someone knowing my password, unlocked the computer (which I always lock), and logged me off? How can I find out this trail?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39951283
you said server reboots every sunday. but it not seems like that.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39951321
There are some possibilities:
1. you logged off on Friday
2. someone tried to do some work on the server and logged off all logged in accounts
3. someone tried to do some work on the server and there were already 3 people logged in and he had to force log off you to be able to login
4. you have a script/setting that forces log offs on accounts that were inactive for more than x hours.
0
 

Author Comment

by:vakils
ID: 39951518
There are some possibilities:
Reply to your "possibilities"
1. I never log-off, just lock, so somebody else logged me off?
2. That would be every weekend- remote possibility
3. Can I find the user id's of three?
4. How to find out?
Thanks.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39951537
Look in the security log. That's where Windows logs logins.
0
 

Author Comment

by:vakils
ID: 39951563
I inquired further from a colleague, this Friday, some patches were installed  and everyone was logged off.
But this does not explain other week-ends when I am logged off and have on log in on Monday since last 3 months. No one experiences that kind of behavior.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:vakils
ID: 39951604
Security has 37,000 logs, all with today's time stamp. I have increased the size.
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39951620
Filter by event 4776. It should give you all logins.
0
 

Author Comment

by:vakils
ID: 39951648
No match, possibly because all events logged are of today's only. I increased the log size and attached a task (send me an email) when this event occurs.
0
 

Author Comment

by:vakils
ID: 39951927
Do you connect via RDP to the server? Are there other users that connect via RDP too?
It is Windows 7 Enterprise I log in via RDP, help desk may log in if I ask them if machine freezes. No one else logs in. It is my personal machine. I have local admin privileges.
Could this be a scheduled task? If so how to find it?
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 39951980
I thought we ruled out the possibility of a scheduled task at the beginning of the thread, but if that's not the case, then run the Task Scheduler via either Start>All Programs> Accessories>System Tools>Task Scheduler or by typing taskschd.msc in the Run box. Then expand all tasks by clicking the triangle in the Task Scheduler Library and all entries underneath it. Look at the Triggers column for all tasks to see if anything runs weekly around 2am on Monday. Regards, Joe
0
 

Author Comment

by:vakils
ID: 39952082
Look at the Triggers column for all tasks to see if anything runs weekly around 2am on Monday
Nothing around Monday. Below are Task Scheduler files for Sunday. Nothing is scheduled weekly except these.
WinSAT.xml
AutomaticBackup.xml
Scheduled.xml
Microsoft-Windows-DiskDiagnostic.xml
0
 

Author Comment

by:vakils
ID: 39967447
I think I have found the culprit. It's event 7002:
User Logoff Notification for Customer Experience Improvement Program
How to disable this?
See attached system event log file, change extension to .evtx
system.png
0
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39967516
Try this:
Disable the Windows Customer Experience Improvement Program

1.  In the Windows 7 guest operating system, start the control panel and click Action Center > Change Action Center settings.

2.  Click Customer Experience Improvement Program settings.

3.  Select No, I don't want to participate in the program and click Save changes.

4.  Start the control panel and click Administrative Tools > Task Scheduler.

5.  In the Task Scheduler (Local) pane of the Task Scheduler dialog box, expand the Task Scheduler Library > Microsoft > Windows nodes and open the Application Experience folder.

6.  Disable the AITAgent and ProgramDataUpdater tasks.

7.  In the Task Scheduler Library > Microsoft > Windows node, open the Customer Experience Improvement Program folder.

8.  Disable the Consolidator, KernelCEIPTask, and Use CEIP tasks.

Taken from here: http://social.technet.microsoft.com/Forums/windows/en-US/0439e00b-f44a-40ac-999c-e574cb575ba9/user-logoff-notification-for-customer-experience-improvement-program?forum=w7itprogeneral
0
 

Author Comment

by:vakils
ID: 39967729
OK, disabled. Now I need to wait another week to verify.
Thanks!
0
 

Author Comment

by:vakils
ID: 39985152
Again rebooted this weekend. I rechecked all CEIP tasks were disabled.
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 39985186
Was the reboot this weekend due to Event 7002 — User Logoff Notification for Customer Experience Improvement Program?
0
 

Author Comment

by:vakils
ID: 39985391
Yes
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 39986330
I expected Dan's excellent instructions on disabling CEIP to solve the problem. He already gave you one link about it and here's another:
http://technet.microsoft.com/en-us/library/ee126127%28v=ws.10%29.aspx

Note the section called, "To view or change the Windows CEIP setting on a computer running Windows 7". Also note that you must be logged on as an administrator to change the CEIP settings. But I didn't see anything on this page that wasn't in Dan's post. Are you sure you were logged on as an admin and that your changes "stuck"? The only way that I can see CEIP causing this weekend's reboot is if the changes you tried to make to it didn't really occur. Regards, Joe
0
 

Author Comment

by:vakils
ID: 39987149
This is my work machine. I have local admin privileges, but not domain.
Dan's instructions is the most likely solution as I followed the topic on net, I followed both Dan's and your articles from Technet which give detailed steps to disable CEIP.  There is remote chance if it could be anything else. CEIP is not configured in Group Policy, so I configured it (Disabled). (as per MS Technet). But I doubt it will have any effect since it was not configured.
I would then conclude that domain settings are overriding my settings.  I will check with other guys tomorrow and see if they experience similar problem.
I have attached filtered system event log file. Pl change extension to .evtx
system.png
0
 

Author Comment

by:vakils
ID: 39990134
I checked with other guys at work and they don't have this problem.  I found this interesting article about how to quick check CEIP
http://www.mstechpages.com/2010/10/24/enable-or-disable-microsoft-customer-experience-improvement-program/
Type: Customer Experience Improvement Program,  in Start button.
On running, I found:
 Customer Experience Improvement ProgramOn my machine, I cannot change as selection is grayed out. On other users machines, selection is enabled.
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 39990194
Even though you're an admin on your PC, my guess is that you need to run it in an elevated command prompt. There are numerous ways to open an elevated command prompt. One is Start>All Programs>Accessories and then right-click on Command Prompt and select "Run as administrator". Then in the elevated prompt, enter this command:

C:\windows\system32\rundll32.exe werconcpl.dll,ShowCEIPDialog

My guess/hope is that the selections won't be grayed out in the elevated command prompt. If that still doesn't work, try the other ideas at this page:
http://msdn.microsoft.com/en-us/library/dn195635%28v=winembedded.81%29.aspx

Modifying this registry key looks promising:

HKLM\Software\Microsoft\SQMClient\Windows\CEIPEnable

Set it to 0 (zero) to disable participation. But I suggest trying the elevated command prompt first. Regards, Joe
0
 

Author Comment

by:vakils
ID: 39990288
I get same grayed out selection within elevated Command Prompt.
No such entry in Registry: see pic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows
0
 

Author Comment

by:vakils
ID: 39990315
Hi Joe,
I found that entry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows
set it to zero. As soon as I did that, I got, CEIP changed to No. See below:
Customer Experience
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 39990432
Well, it's still grayed out, but the good news is that it's now set to NO! Before when it was grayed out, it was set to YES. I can't explain why it's grayed out, but at least the elevated prompt or the registry change disabled it, so with some luck the reboots that CEIP has been causing will stop. Regards, Joe
0
 

Author Comment

by:vakils
ID: 39990473
OK. Let's see this weekend. I will reboot also and verify.
MSDN Notes:
This entry can be superseded by a Group Policy setting on systems that support Group Policy. While the Windows Customer Experience Improvement Program CEIP Enable Group Policy setting is enabled, the system ignores this entry. The configuration of this policy setting is stored in the Policies section under HKLM\Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable.
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 39990494
Yes, I noticed that comment at MSDN, but then I remembered that you said yesterday that CEIP is not configured in Group Policy, so hopefully that's not an issue. Fingers crossed for this weekend!
0
 

Author Comment

by:vakils
ID: 40000837
I was logged out again. May be domain admin supersedes system admin. Why the heck Windows need to log out user for CEIP? the machine needs to run 24/7.
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 40040657
Good question! I don't know why MS decided that CEIP should be able to log out a user. Have you looked in the registry for other occurrences of CEIPEnable? If not, find and disable all of them.
0
 

Author Comment

by:vakils
ID: 40043169
Done, wherever I could find CEIP or CEIPEnable flag. Interesting thing I found was that CEIPEnable flag in above location (HKLM\Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable.) was set back to 1.
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 40043192
That is very interesting and could easily be the culprit!
0
 

Author Comment

by:vakils
ID: 40043258
So domain admin policy supersedes local admin policy?
0
 
LVL 51

Accepted Solution

by:
Joe Winograd, EE MVE earned 500 total points
ID: 40043278
Yes. It can be complicated, and if you want to learn more there's a lot about it on the Microsoft site, but the quick summary is that GPO order is local, site, domain, organizational units. So domain is performed after local and will, thus, override it. Regards, Joe
0
 

Author Closing Comment

by:vakils
ID: 40043311
Anyway, you did find way to disable CEIP, at least on machines where you are the boss (administrator) across domains. Thanks for your knowledge and research.
0
 
LVL 51

Expert Comment

by:Joe Winograd, EE MVE
ID: 40043318
You're welcome. This was a very interesting thread and I'm happy to have helped. Regards, Joe
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now