Computer automatically reboots after gpo for automatic reboot is removed

aerblich asked

on 2019-01-03

11 Comments

1 Solution

243 Views

Last Modified: 2019-01-18

i have a gpo for scheduling a task to automatically restart domain computers at a specific time. I have one executive who works late so I want to disable that gpo for him, and as such, moved him and his computer to new ou's in ad. the scheduled task is now removed from his computer, yet the computer keeps restarting at the scheduled time as if the gpo is still in force. I need help figuring out how to prevent his pc from restarting at 6pm. Below are some logs of interest from the event viewer:

Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: CONTOSO\Administrator
Computer: DOMAIN-COMPUTER.CONTOSO.LOCAL
Description:
A service was installed in the system.

Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="16384">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2019-01-04T02:05:15.225800600Z" />
<EventRecordID>102234</EventRecordID>
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.CONTOSO.LOCAL</Computer>
<Security UserID="S-1-5-21-2459926031-2343248686-2500913731-500" />
</System>
<EventData>
<Data Name="ServiceName">PsShutdown</Data>
<Data Name="ImagePath">%SystemRoot%\PSSDNSVC.EXE</Data>
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSystem</Data>
</EventData>
</Event>

Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7030
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LOCAL
Description:
The PsShutdown service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7030</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2019-01-04T02:05:15.225800600Z" />
<EventRecordID>102235</EventRecordID>
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.CONTOSO.LOCAL</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</Data>
</EventData>
</Event>

Log Name: System
Source: USER32
Date: 1/3/2019 6:05:16 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: domain-computer.contoso.LOCAL
Description:
The process wininit.exe (127.0.0.1) has initiated the restart of computer domain-computer on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: restart
Comment:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="USER32" />
<EventID Qualifiers="32768">1074</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-01-04T02:05:16.000000000Z" />
<EventRecordID>102236</EventRecordID>
<Channel>System</Channel>
<Computer>domain-computer.contoso.LOCAL</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>wininit.exe (127.0.0.1)</Data>
<Data>domain-computer</Data>
<Data>Legacy API shutdown</Data>
<Data>0x80070000</Data>
<Data>restart</Data>
<Data>
</Data>
<Data>NT AUTHORITY\SYSTEM</Data>
<Binary>00000780000000000000000000000000000000000000000000000000000000000000000000000000</Binary>
</EventData>
</Event>

Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7036
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LOCAL
Description:
The PsShutdown service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>

<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="16384">7036</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2019-01-04T02:05:16.239800600Z" />
<EventRecordID>102238</EventRecordID>
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.CONTOSO.LOCAL</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</Data>
<Data Name="param2">running</Data>
<Binary>50007300530068007500740064006F0077006E005300760063002F0034000000</Binary>
</EventData>
</Event>

Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7034
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LOCAL
Description:
The PsShutdown service terminated unexpectedly. It has done this 1 time(s).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7034</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2019-01-04T02:05:16.255400600Z" />
<EventRecordID>102239</EventRecordID>
<Correlation />
<Execution ProcessID="784" ThreadID="924" />
<Channel>System</Channel>
<Computer>DOMAIN-COPMUTER.CONTOSO.LOCAL</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</Data>
<Data Name="param2">1</Data>
</EventData>
</Event>

Shortly after these events the OS logs kernel power manager and shutdown followed by the restart.

I need to get this behavior to stop, so any help would be GREATLY appreciated.
Thanks in advance.

Comment

Watch Question

View Solution Only

AntzsInfrastructure Services

CERTIFIED EXPERT

Commented: 2019-01-03

Would it help if you remove the "%SystemRoot%\PSSDNSVC.EXE" file from his PC?

aerblich

Author

Commented: 2019-01-03

was thinking about that, but was unsure if that would negatively impact other functions of the OS. Does that exe need to be there for anything else?

AntzsInfrastructure Services

CERTIFIED EXPERT

Commented: 2019-01-03

The psshutdown.exe utility which you are using for the shutdown/reboot is part of a collection of tools from SysInternals.

https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown

So it is not in use by the OS itself. It is actually a separate install.

aerblich

Author

Commented: 2019-01-04

Yes, I see that the file should be in that directory, but I am doing a search and cannot find it anywhere

aerblich

Author

Commented: 2019-01-06

Interestingly, it seems that the service is installed daily. I see this in the event viewer daily, when I search for psshutdown or pssdnsvc.exe I cant find anything:

Log Name: System
Source: Service Control Manager
Date: 1/5/2019 6:06:27 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: Contoso\Administrator
Computer: DOMAIN-COMOUTER.CONTOSO.LOCAL
Description:
A service was installed in the system.

Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="16384">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2019-01-06T02:06:27.474443400Z" />
<EventRecordID>103475</EventRecordID>
<Correlation />
<Execution ProcessID="792" ThreadID="6096" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPTUER.CONTOSO.LOCAL</Computer>
<Security UserID="S-1-5-21-2459926031-2343248686-2500913731-500" />
</System>
<EventData>
<Data Name="ServiceName">PsShutdown</Data>
<Data Name="ImagePath">%SystemRoot%\PSSDNSVC.EXE</Data>
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSystem</Data>
</EventData>
</Event>

aerblich

Author

Commented: 2019-01-06

also found this in the event viewer's task scheduler filter. this shouldn't be happening. the gpo that generated that task was removed from this pc. furthermore, this task is not even in the task scheduler on the front end. It seems that the policy removed the task from the scheduler, but somehow it is still running.

Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 1/5/2019 6:15:00 PM
Event ID: 107
Task Category: Task triggered on scheduler
Level: Information
Keywords:
User: SYSTEM
Computer: DOMAIN-COMPUTER.CONTOSO.LOCAL
Description:
Task Scheduler launched "{b58a9933-b27e-425a-b7d1-23aeaaa71705}" instance of task "\Afterhours_Logoff" due to a time trigger condition.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TaskScheduler" Guid="{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}" />
<EventID>107</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>107</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-06T02:15:00.008664700Z" />
<EventRecordID>504278</EventRecordID>
<Correlation ActivityID="{B58A9933-B27E-425A-B7D1-23AEAAA71705}" />
<Execution ProcessID="1180" ThreadID="1644" />
<Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
<Computer>DOMAIN-COMPUTER.CONTOSO.LOCAL</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="TimeTriggerEvent">
<Data Name="TaskName">\Afterhours_Logoff</Data>
<Data Name="InstanceId">{B58A9933-B27E-425A-B7D1-23AEAAA71705}</Data>
</EventData>
</Event>

AntzsInfrastructure Services

CERTIFIED EXPERT

Commented: 2019-01-06

Is there another gpo which is installing the reboot utility and then removing it once the task has ran?

aerblich

Author

Commented: 2019-01-07

I don't see one anywhere, but it sure seems like it. I will run an rsop and see what is coming in and then update the post

aerblich

Author

Commented: 2019-01-08

Ok, I scoured the RSOP and there is nothing coming in that would issue a restart command. I am out of ideas here.

AntzsInfrastructure Services

CERTIFIED EXPERT

Commented: 2019-01-15

Can you try running "schtasks" on a command prompt. This will list all scheduled tasks on the machine. See if any task which is doing the reboot.

aerblich

Commented: 2019-01-18

This one is on us!

(Get your first solution completely free - no credit card required)

UNLOCK SOLUTION

Computer automatically reboots after gpo for automatic reboot is removed

Premium Content

Premium Content

View Solution Only

Join our community and discover your potential