Learn to build secure applications from the mindset of the hacker and avoid being exploited.
Computer automatically reboots after gpo for automatic reboot is removed
i have a gpo for scheduling a task to automatically restart domain computers at a specific time. I have one executive who works late so I want to disable that gpo for him, and as such, moved him and his computer to new ou's in ad. the scheduled task is now removed from his computer, yet the computer keeps restarting at the scheduled time as if the gpo is still in force. I need help figuring out how to prevent his pc from restarting at 6pm. Below are some logs of interest from the event viewer:
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: CONTOSO\Administrator
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102234</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7030
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7030</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102235</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
</EventData>
</Event>
Log Name: System
Source: USER32
Date: 1/3/2019 6:05:16 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: domain-computer.contoso.LO
Description:
The process wininit.exe (127.0.0.1) has initiated the restart of computer domain-computer on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: restart
Comment:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="USER32" />
<EventID Qualifiers="32768">1074</E
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102236</Eve
<Channel>System</Channel>
<Computer>domain-computer.
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>wininit.exe (127.0.0.1)</Data>
<Data>domain-computer</Dat
<Data>Legacy API shutdown</Data>
<Data>0x80070000</Data>
<Data>restart</Data>
<Data>
</Data>
<Data>NT AUTHORITY\SYSTEM</Data>
<Binary>000007800000000000
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7036
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7036</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102238</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">running</Dat
<Binary>500073005300680075
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7034
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service terminated unexpectedly. It has done this 1 time(s).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7034</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102239</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="924" />
<Channel>System</Channel>
<Computer>DOMAIN-COPMUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">1</Data>
</EventData>
</Event>
Shortly after these events the OS logs kernel power manager and shutdown followed by the restart.
I need to get this behavior to stop, so any help would be GREATLY appreciated.
Thanks in advance.
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: CONTOSO\Administrator
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102234</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7030
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7030</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102235</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
</EventData>
</Event>
Log Name: System
Source: USER32
Date: 1/3/2019 6:05:16 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: domain-computer.contoso.LO
Description:
The process wininit.exe (127.0.0.1) has initiated the restart of computer domain-computer on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: restart
Comment:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="USER32" />
<EventID Qualifiers="32768">1074</E
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102236</Eve
<Channel>System</Channel>
<Computer>domain-computer.
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>wininit.exe (127.0.0.1)</Data>
<Data>domain-computer</Dat
<Data>Legacy API shutdown</Data>
<Data>0x80070000</Data>
<Data>restart</Data>
<Data>
</Data>
<Data>NT AUTHORITY\SYSTEM</Data>
<Binary>000007800000000000
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7036
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7036</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102238</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">running</Dat
<Binary>500073005300680075
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7034
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service terminated unexpectedly. It has done this 1 time(s).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7034</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102239</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="924" />
<Channel>System</Channel>
<Computer>DOMAIN-COPMUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">1</Data>
</EventData>
</Event>
Shortly after these events the OS logs kernel power manager and shutdown followed by the restart.
I need to get this behavior to stop, so any help would be GREATLY appreciated.
Thanks in advance.
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
was thinking about that, but was unsure if that would negatively impact other functions of the OS. Does that exe need to be there for anything else?
The psshutdown.exe utility which you are using for the shutdown/reboot is part of a collection of tools from SysInternals.
https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown
So it is not in use by the OS itself. It is actually a separate install.
https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown
So it is not in use by the OS itself. It is actually a separate install.
Yes, I see that the file should be in that directory, but I am doing a search and cannot find it anywhere
Interestingly, it seems that the service is installed daily. I see this in the event viewer daily, when I search for psshutdown or pssdnsvc.exe I cant find anything:
Log Name: System
Source: Service Control Manager
Date: 1/5/2019 6:06:27 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: Contoso\Administrator
Computer: DOMAIN-COMOUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>103475</Eve
<Correlation />
<Execution ProcessID="792" ThreadID="6096" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPTUER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/5/2019 6:06:27 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: Contoso\Administrator
Computer: DOMAIN-COMOUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>103475</Eve
<Correlation />
<Execution ProcessID="792" ThreadID="6096" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPTUER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
also found this in the event viewer's task scheduler filter. this shouldn't be happening. the gpo that generated that task was removed from this pc. furthermore, this task is not even in the task scheduler on the front end. It seems that the policy removed the task from the scheduler, but somehow it is still running.
Log Name: Microsoft-Windows-TaskSche
Source: Microsoft-Windows-TaskSche
Date: 1/5/2019 6:15:00 PM
Event ID: 107
Task Category: Task triggered on scheduler
Level: Information
Keywords:
User: SYSTEM
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
Task Scheduler launched "{b58a9933-b27e-425a-b7d1-
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Ta
<EventID>107</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>107</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>504278</Eve
<Correlation ActivityID="{B58A9933-B27E
<Execution ProcessID="1180" ThreadID="1644" />
<Channel>Microsoft-Windows
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-18" />
</System>
<EventData Name="TimeTriggerEvent">
<Data Name="TaskName">\Afterhour
<Data Name="InstanceId">{B58A993
</EventData>
</Event>
Log Name: Microsoft-Windows-TaskSche
Source: Microsoft-Windows-TaskSche
Date: 1/5/2019 6:15:00 PM
Event ID: 107
Task Category: Task triggered on scheduler
Level: Information
Keywords:
User: SYSTEM
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
Task Scheduler launched "{b58a9933-b27e-425a-b7d1-
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Ta
<EventID>107</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>107</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>504278</Eve
<Correlation ActivityID="{B58A9933-B27E
<Execution ProcessID="1180" ThreadID="1644" />
<Channel>Microsoft-Windows
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-18" />
</System>
<EventData Name="TimeTriggerEvent">
<Data Name="TaskName">\Afterhour
<Data Name="InstanceId">{B58A993
</EventData>
</Event>
Is there another gpo which is installing the reboot utility and then removing it once the task has ran?
I don't see one anywhere, but it sure seems like it. I will run an rsop and see what is coming in and then update the post
Ok, I scoured the RSOP and there is nothing coming in that would issue a restart command. I am out of ideas here.
Can you try running "schtasks" on a command prompt. This will list all scheduled tasks on the machine. See if any task which is doing the reboot.
It turns out that there was in fact a gpo to automate logoff that was failing, however that was not was causing the automated restart. Turns out, packet capture showed that sysinternals psshutdown was being run remotely from an unexpected server. That server used to be a dc that was subsequently demoted and repurposed---with the task still scheduled. The sysadmin should have removed that task and re-assigned it to an appropriate server. The remote psshutdown was being run from its task scheduler against a pre-prepared list of computers. removing the affected workstation from that list remedied the problem. this would explain why the pssdnsvc.exe was being installed and removed.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: IC3 GS4 Internet Core Competency Global Standard 4… 135 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.