SBS 2011 - unknown process causing server to restart

Having a problem with an SBS2011 restarting at random times throughout the day (and night).

Looking at the event log, there is an unknown strange process initiating the restart of the computer. Event log reads:

The process D:\e37934ff475ba2724eef35f4\Setup.exe (<servername>) has initiated the restart of computer <servername> on behalf of user NT AUTHORITY\SYSTEM for the following reason: Other (Planned)
 Reason Code: 0x80000000
 Shutdown Type: restart
 Comment:
The server is not a virtual machine.

I have checked the hard drive and there are no records of the file or  

Checked to see if Windows Update is getting involved and there have been no updates for a while.

Can anyone offer any help as to what this may be and what the solution is? We can't have a server restarting during business and it is concerning that we are unable to identify what is causing it.
PlexioUKAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

schima_czCommented:
Looks like some problem with whole instalation? This problem is since You installed the server?
0
PlexioUKAuthor Commented:
Hi, thanks for the response. The server has been in for over 3 years and this issue has only started in the last week.
0
schima_czCommented:
Ok, may be, it colud be some Windows Update. When You have "show hidden and system files" option enabled in Explorer, can you see that folder?
0
Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

PlexioUKAuthor Commented:
According to Windows update there are three available to install, the check was this morning at 3am (2 hours after the last reboot) and install history is showing that updates were last installed a month ago. This issue began a week ago.

Checked Folder and Search options - set to show everything including protected operating system files and the restart instigating folder is not shown.
0
Radhakrishnan RSenior Technical LeadCommented:
Hi,

Worth to run a full virus scan using Malware bytes or MS malicious tool. This looks to me kind of virus.
0
schima_czCommented:
Hmm, Ok. After You make a virus scan, check running process if You will see process setup.exe.
Best fot this is Process Explorer Download Here
0
PlexioUKAuthor Commented:
Yes, I have a MWB scan scheduled for this evening after hours.
0
PlexioUKAuthor Commented:
Sorry, Schima. Didn't see your comment when I replied to Radhakrishnan. That's a good idea.
0
David AtkinTechnical DirectorCommented:
Out of interest, do you have Sage V21.0 installed on the server?
0
PlexioUKAuthor Commented:
Hi David.

Sage accounts Data service V21.0 is installed, but not the actual Sage program as it isn't supported on SBS2011 (according to Sage)
0
David AtkinTechnical DirectorCommented:
I ask because after installing the latest version we noticed a number of our servers restart to install a .NET update.. Sage have denied this but the logs don't lie.

Have a look at the logs prior to the reboot and see if there are any referring to sage.

Depending on how you've installed the software it could just be the Sage Data Service or the entire client.

Are you having multiple restarts on the same machine?
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PlexioUKAuthor Commented:
Looks like you may be onto something here David, thank you.

Cross-referencing the Application logs with the System logs I can see that approximately 30 seconds before the reboot there was an Application information log "PowerEvent handled successfully by the service." relating to "Event 0, Sage AutoUpdate Manager Service".

I'll still run a MWB scan overnight, but something tells me we've found the culprit...
0
David AtkinTechnical DirectorCommented:
If it is that please do let me know how you get on with Sage.

I've reported it at least twice and they flat out deny that their service would do it.  Although the logs suggest it does.
0
PlexioUKAuthor Commented:
Solved, thanks to everyone involved in the discussion.

David was right, the issues was being caused by Sage Accounts 50 V.21 updating - The Application event log showed that a Sage element update (seen a  few different ones - ID Manager was the last one) was successful less than 30 seconds before the System log showed the Kernel power restart was initiated.

I knew from talking to Sage support previously that the software would not run on SBS2011 as it had with V.20 so we would have to stop using remote access to the server for users. However, their tech support guy told me that the data could live on an SBS2011 without problem.

Spoke to Sage who admitted that there was an issue being caused by their software and that the previous advice was wrong - no elements of Sage accounts 50 V.21 will run on an SBS2011 as they tend to throw up all sorts of errors.....

Thanks again for your help, guys. Much appreciated.
0
David AtkinTechnical DirectorCommented:
Thank you for posting your findings. When I last spoke to them they denied there being a problem.
0
PlexioUKAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for PlexioUK's comment #a40878933

for the following reason:

Suggested that I look at Sage, which I did. Discovered the solution after talking to their Tech Support.
0
David AtkinTechnical DirectorCommented:
I feel as though I should have been given points for isolating the problem.
0
Radhakrishnan RSenior Technical LeadCommented:
Yes, I agree with David as he pointed him to the right direction.
0
PlexioUKAuthor Commented:
Pointed in the right direction. Thanks, David.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.