Windows 7 Ultimate PC Reboots every Sunday night automatically.

This has been happening every Sunday night, (Monday morning around 2 am). On Monday I see the log-in prompt and all open apps are closed on logging-in. What's happening?
There are no scheduled backups or processes.
VakilsDeveloperAsked:
Who is Participating?
 
Joe Winograd, Fellow&MVEDeveloperCommented:
Yes. It can be complicated, and if you want to learn more there's a lot about it on the Microsoft site, but the quick summary is that GPO order is local, site, domain, organizational units. So domain is performed after local and will, thus, override it. Regards, Joe
0
 
Dan CraciunIT ConsultantCommented:
Automatic updates set to install on Sunday nights?
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
Perhaps you have anti-virus or anti-malware software that does a scan and/or definitions update weekly at 2am Monday and is configured to shut down after the scan/update. Regards, Joe
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

 
Santosh GuptaCommented:
check if you have any task is running under "task Scheduler" at that time.
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
> check if you have any task is running under "task Scheduler" at that time.

In the original question, @vakils said, "There are no scheduled backups or processes." I think that means we're looking for a piece of software that does its own scheduling, i.e., does not use Task Scheduler. Regards, Joe
0
 
Imtiaz HashamTechnical Director / IT ConsultantCommented:
Check BIOS power settings.
0
 
willcompCommented:
I tend to agree with Joe Winograd. Check your anti-virus/anti-malware program logs and see if they are detecting malware and trying to clean.
0
 
Santosh GuptaCommented:
@ Joe Winograd, Thanks, its my oversight.
0
 
Scott ThomsonCommented:
There are a few things that can trigger a restart
- Virus scanners
- Software updates
- Disk scans
- Defrags
- Windows updates

Have you checked logs to see what has occured just before the restart?
Have you seen it just sitting there and suddenly restarted or do you see something running first?

If you turn your pc off during that time does it restart at a different time?
0
 
VakilsDeveloperAuthor Commented:
Happened again. Windows updates are manual. Is there a way to find exact time it rebooted?
0
 
Santosh GuptaCommented:
Hi,

if possible pls share the Windows "System"  event logs at the time when it reboots. if not then only share 1074 event log.
0
 
Scott ThomsonCommented:
agreed

Windows event logs will tell you exactly when it went down. and application logs should show anything that was going just before that time.

if you go to start > Run > and type "Msconfig" and click the startup tab do you have anything starting up that you aren't sure of..?

also perhaps run a hijackthis app scan on your machine for us and display the logs from that?

anything in processes that you arent too sure of ..?
0
 
VakilsDeveloperAuthor Commented:
Event Attached for 1074, but they are only 5. The last one happened 16th March but it is not in log.1074.txt
0
 
Santosh GuptaCommented:
Hi,

nothing suspicious found, also it is not as per pattern. please share the complete system log, save as it evtx format.
0
 
VakilsDeveloperAuthor Commented:
EE does not allow to post in evtx format, only txt and pics.
0
 
Dan CraciunIT ConsultantCommented:
Then rename the evtx as png.
0
 
VakilsDeveloperAuthor Commented:
All System Events

Open in new window

Change extension to .evtx
system.png
0
 
Santosh GuptaCommented:
:(
unable to open, rename it to .TXT
0
 
Dan CraciunIT ConsultantCommented:
works fine here
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
Opens here, too. Santosh, change <system.png> to <system.evtx> and Event Viewer should open it fine. If not, there's something hosed on your machine. Regards, Joe
0
 
Dan CraciunIT ConsultantCommented:
When was the last restart?
Log Name:      System
Source:        EventLog
Date:          3/23/2014 9:00:01 PM
Event ID:      6013
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      ITGRP32.sagph.org
Description:
The system uptime is 2160418 seconds.

Open in new window

That means (if I calculated correctly that a day has 86400s) that the last restart was more than  25 days ago
0
 
VakilsDeveloperAuthor Commented:
Actually, The machine was already restarted during weekend when I logged in today. All my open Windows, Applications of Friday were shut down. The system did reboot for sure.
0
 
Dan CraciunIT ConsultantCommented:
Looking through the log, the only times the server restarted were:
Information      2/26/2014 8:53:40 PM      EventLog      6009      None
Information      2/19/2014 9:03:32 PM      EventLog      6009      None
Information      1/29/2014 8:55:17 PM      EventLog      6009      None
Information      1/28/2014 3:54:40 AM      EventLog      6009      None
Information      1/23/2014 9:05:31 PM      EventLog      6009      None
Information      12/18/2013 9:27:33 PM      EventLog      6009      None
0
 
Dan CraciunIT ConsultantCommented:
Nope, the server did NOT restart. You were logged off :)

Do you connect via RDP to the server? Are there other users that connect via RDP too?
0
 
VakilsDeveloperAuthor Commented:
OK, what caused the log off, since I did not log off. Someone knowing my password, unlocked the computer (which I always lock), and logged me off? How can I find out this trail?
0
 
Santosh GuptaCommented:
you said server reboots every sunday. but it not seems like that.
0
 
Dan CraciunIT ConsultantCommented:
There are some possibilities:
1. you logged off on Friday
2. someone tried to do some work on the server and logged off all logged in accounts
3. someone tried to do some work on the server and there were already 3 people logged in and he had to force log off you to be able to login
4. you have a script/setting that forces log offs on accounts that were inactive for more than x hours.
0
 
VakilsDeveloperAuthor Commented:
There are some possibilities:
Reply to your "possibilities"
1. I never log-off, just lock, so somebody else logged me off?
2. That would be every weekend- remote possibility
3. Can I find the user id's of three?
4. How to find out?
Thanks.
0
 
Dan CraciunIT ConsultantCommented:
Look in the security log. That's where Windows logs logins.
0
 
VakilsDeveloperAuthor Commented:
I inquired further from a colleague, this Friday, some patches were installed  and everyone was logged off.
But this does not explain other week-ends when I am logged off and have on log in on Monday since last 3 months. No one experiences that kind of behavior.
0
 
VakilsDeveloperAuthor Commented:
Security has 37,000 logs, all with today's time stamp. I have increased the size.
0
 
Dan CraciunIT ConsultantCommented:
Filter by event 4776. It should give you all logins.
0
 
VakilsDeveloperAuthor Commented:
No match, possibly because all events logged are of today's only. I increased the log size and attached a task (send me an email) when this event occurs.
0
 
VakilsDeveloperAuthor Commented:
Do you connect via RDP to the server? Are there other users that connect via RDP too?
It is Windows 7 Enterprise I log in via RDP, help desk may log in if I ask them if machine freezes. No one else logs in. It is my personal machine. I have local admin privileges.
Could this be a scheduled task? If so how to find it?
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
I thought we ruled out the possibility of a scheduled task at the beginning of the thread, but if that's not the case, then run the Task Scheduler via either Start>All Programs> Accessories>System Tools>Task Scheduler or by typing taskschd.msc in the Run box. Then expand all tasks by clicking the triangle in the Task Scheduler Library and all entries underneath it. Look at the Triggers column for all tasks to see if anything runs weekly around 2am on Monday. Regards, Joe
0
 
VakilsDeveloperAuthor Commented:
Look at the Triggers column for all tasks to see if anything runs weekly around 2am on Monday
Nothing around Monday. Below are Task Scheduler files for Sunday. Nothing is scheduled weekly except these.
WinSAT.xml
AutomaticBackup.xml
Scheduled.xml
Microsoft-Windows-DiskDiagnostic.xml
0
 
VakilsDeveloperAuthor Commented:
I think I have found the culprit. It's event 7002:
User Logoff Notification for Customer Experience Improvement Program
How to disable this?
See attached system event log file, change extension to .evtx
system.png
0
 
Dan CraciunIT ConsultantCommented:
Try this:
Disable the Windows Customer Experience Improvement Program

1.  In the Windows 7 guest operating system, start the control panel and click Action Center > Change Action Center settings.

2.  Click Customer Experience Improvement Program settings.

3.  Select No, I don't want to participate in the program and click Save changes.

4.  Start the control panel and click Administrative Tools > Task Scheduler.

5.  In the Task Scheduler (Local) pane of the Task Scheduler dialog box, expand the Task Scheduler Library > Microsoft > Windows nodes and open the Application Experience folder.

6.  Disable the AITAgent and ProgramDataUpdater tasks.

7.  In the Task Scheduler Library > Microsoft > Windows node, open the Customer Experience Improvement Program folder.

8.  Disable the Consolidator, KernelCEIPTask, and Use CEIP tasks.

Taken from here: http://social.technet.microsoft.com/Forums/windows/en-US/0439e00b-f44a-40ac-999c-e574cb575ba9/user-logoff-notification-for-customer-experience-improvement-program?forum=w7itprogeneral
0
 
VakilsDeveloperAuthor Commented:
OK, disabled. Now I need to wait another week to verify.
Thanks!
0
 
VakilsDeveloperAuthor Commented:
Again rebooted this weekend. I rechecked all CEIP tasks were disabled.
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
Was the reboot this weekend due to Event 7002 — User Logoff Notification for Customer Experience Improvement Program?
0
 
VakilsDeveloperAuthor Commented:
Yes
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
I expected Dan's excellent instructions on disabling CEIP to solve the problem. He already gave you one link about it and here's another:
http://technet.microsoft.com/en-us/library/ee126127%28v=ws.10%29.aspx

Note the section called, "To view or change the Windows CEIP setting on a computer running Windows 7". Also note that you must be logged on as an administrator to change the CEIP settings. But I didn't see anything on this page that wasn't in Dan's post. Are you sure you were logged on as an admin and that your changes "stuck"? The only way that I can see CEIP causing this weekend's reboot is if the changes you tried to make to it didn't really occur. Regards, Joe
0
 
VakilsDeveloperAuthor Commented:
This is my work machine. I have local admin privileges, but not domain.
Dan's instructions is the most likely solution as I followed the topic on net, I followed both Dan's and your articles from Technet which give detailed steps to disable CEIP.  There is remote chance if it could be anything else. CEIP is not configured in Group Policy, so I configured it (Disabled). (as per MS Technet). But I doubt it will have any effect since it was not configured.
I would then conclude that domain settings are overriding my settings.  I will check with other guys tomorrow and see if they experience similar problem.
I have attached filtered system event log file. Pl change extension to .evtx
system.png
0
 
VakilsDeveloperAuthor Commented:
I checked with other guys at work and they don't have this problem.  I found this interesting article about how to quick check CEIP
http://www.mstechpages.com/2010/10/24/enable-or-disable-microsoft-customer-experience-improvement-program/
Type: Customer Experience Improvement Program,  in Start button.
On running, I found:
 Customer Experience Improvement ProgramOn my machine, I cannot change as selection is grayed out. On other users machines, selection is enabled.
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
Even though you're an admin on your PC, my guess is that you need to run it in an elevated command prompt. There are numerous ways to open an elevated command prompt. One is Start>All Programs>Accessories and then right-click on Command Prompt and select "Run as administrator". Then in the elevated prompt, enter this command:

C:\windows\system32\rundll32.exe werconcpl.dll,ShowCEIPDialog

My guess/hope is that the selections won't be grayed out in the elevated command prompt. If that still doesn't work, try the other ideas at this page:
http://msdn.microsoft.com/en-us/library/dn195635%28v=winembedded.81%29.aspx

Modifying this registry key looks promising:

HKLM\Software\Microsoft\SQMClient\Windows\CEIPEnable

Set it to 0 (zero) to disable participation. But I suggest trying the elevated command prompt first. Regards, Joe
0
 
VakilsDeveloperAuthor Commented:
I get same grayed out selection within elevated Command Prompt.
No such entry in Registry: see pic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows
0
 
VakilsDeveloperAuthor Commented:
Hi Joe,
I found that entry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows
set it to zero. As soon as I did that, I got, CEIP changed to No. See below:
Customer Experience
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
Well, it's still grayed out, but the good news is that it's now set to NO! Before when it was grayed out, it was set to YES. I can't explain why it's grayed out, but at least the elevated prompt or the registry change disabled it, so with some luck the reboots that CEIP has been causing will stop. Regards, Joe
0
 
VakilsDeveloperAuthor Commented:
OK. Let's see this weekend. I will reboot also and verify.
MSDN Notes:
This entry can be superseded by a Group Policy setting on systems that support Group Policy. While the Windows Customer Experience Improvement Program CEIP Enable Group Policy setting is enabled, the system ignores this entry. The configuration of this policy setting is stored in the Policies section under HKLM\Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable.
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
Yes, I noticed that comment at MSDN, but then I remembered that you said yesterday that CEIP is not configured in Group Policy, so hopefully that's not an issue. Fingers crossed for this weekend!
0
 
VakilsDeveloperAuthor Commented:
I was logged out again. May be domain admin supersedes system admin. Why the heck Windows need to log out user for CEIP? the machine needs to run 24/7.
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
Good question! I don't know why MS decided that CEIP should be able to log out a user. Have you looked in the registry for other occurrences of CEIPEnable? If not, find and disable all of them.
0
 
VakilsDeveloperAuthor Commented:
Done, wherever I could find CEIP or CEIPEnable flag. Interesting thing I found was that CEIPEnable flag in above location (HKLM\Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable.) was set back to 1.
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
That is very interesting and could easily be the culprit!
0
 
VakilsDeveloperAuthor Commented:
So domain admin policy supersedes local admin policy?
0
 
VakilsDeveloperAuthor Commented:
Anyway, you did find way to disable CEIP, at least on machines where you are the boss (administrator) across domains. Thanks for your knowledge and research.
0
 
Joe Winograd, Fellow&MVEDeveloperCommented:
You're welcome. This was a very interesting thread and I'm happy to have helped. Regards, Joe
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.