aerblich asked on
Computer automatically reboots after gpo for automatic reboot is removed
i have a gpo for scheduling a task to automatically restart domain computers at a specific time. I have one executive who works late so I want to disable that gpo for him, and as such, moved him and his computer to new ou's in ad. the scheduled task is now removed from his computer, yet the computer keeps restarting at the scheduled time as if the gpo is still in force. I need help figuring out how to prevent his pc from restarting at 6pm. Below are some logs of interest from the event viewer:
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: CONTOSO\Administrator
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102234</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7030
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7030</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102235</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
</EventData>
</Event>
Log Name: System
Source: USER32
Date: 1/3/2019 6:05:16 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: domain-computer.contoso.LO
Description:
The process wininit.exe (127.0.0.1) has initiated the restart of computer domain-computer on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: restart
Comment:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="USER32" />
<EventID Qualifiers="32768">1074</E
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102236</Eve
<Channel>System</Channel>
<Computer>domain-computer.
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>wininit.exe (127.0.0.1)</Data>
<Data>domain-computer</Dat
<Data>Legacy API shutdown</Data>
<Data>0x80070000</Data>
<Data>restart</Data>
<Data>
</Data>
<Data>NT AUTHORITY\SYSTEM</Data>
<Binary>000007800000000000
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7036
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7036</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102238</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">running</Dat
<Binary>500073005300680075
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7034
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service terminated unexpectedly. It has done this 1 time(s).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7034</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102239</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="924" />
<Channel>System</Channel>
<Computer>DOMAIN-COPMUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">1</Data>
</EventData>
</Event>
Shortly after these events the OS logs kernel power manager and shutdown followed by the restart.
I need to get this behavior to stop, so any help would be GREATLY appreciated.
Thanks in advance.
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: CONTOSO\Administrator
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102234</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7030
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7030</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102235</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
</EventData>
</Event>
Log Name: System
Source: USER32
Date: 1/3/2019 6:05:16 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: domain-computer.contoso.LO
Description:
The process wininit.exe (127.0.0.1) has initiated the restart of computer domain-computer on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: restart
Comment:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="USER32" />
<EventID Qualifiers="32768">1074</E
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102236</Eve
<Channel>System</Channel>
<Computer>domain-computer.
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>wininit.exe (127.0.0.1)</Data>
<Data>domain-computer</Dat
<Data>Legacy API shutdown</Data>
<Data>0x80070000</Data>
<Data>restart</Data>
<Data>
</Data>
<Data>NT AUTHORITY\SYSTEM</Data>
<Binary>000007800000000000
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7036
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7036</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102238</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">running</Dat
<Binary>500073005300680075
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7034
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service terminated unexpectedly. It has done this 1 time(s).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7034</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102239</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="924" />
<Channel>System</Channel>
<Computer>DOMAIN-COPMUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">1</Data>
</EventData>
</Event>
Shortly after these events the OS logs kernel power manager and shutdown followed by the restart.
I need to get this behavior to stop, so any help would be GREATLY appreciated.
Thanks in advance.
Operating SystemsWindows OSPC
Last Comment
aerblich
Antzs
Would it help if you remove the "%SystemRoot%\PSSDNSVC.EXE
ASKER
aerblich
was thinking about that, but was unsure if that would negatively impact other functions of the OS. Does that exe need to be there for anything else?
Antzs
The psshutdown.exe utility which you are using for the shutdown/reboot is part of a collection of tools from SysInternals.
https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown
So it is not in use by the OS itself. It is actually a separate install.
https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown
So it is not in use by the OS itself. It is actually a separate install.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER
aerblich
Yes, I see that the file should be in that directory, but I am doing a search and cannot find it anywhere
ASKER
aerblich
Interestingly, it seems that the service is installed daily. I see this in the event viewer daily, when I search for psshutdown or pssdnsvc.exe I cant find anything:
Log Name: System
Source: Service Control Manager
Date: 1/5/2019 6:06:27 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: Contoso\Administrator
Computer: DOMAIN-COMOUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>103475</Eve
<Correlation />
<Execution ProcessID="792" ThreadID="6096" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPTUER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/5/2019 6:06:27 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: Contoso\Administrator
Computer: DOMAIN-COMOUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>103475</Eve
<Correlation />
<Execution ProcessID="792" ThreadID="6096" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPTUER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
ASKER
aerblich
also found this in the event viewer's task scheduler filter. this shouldn't be happening. the gpo that generated that task was removed from this pc. furthermore, this task is not even in the task scheduler on the front end. It seems that the policy removed the task from the scheduler, but somehow it is still running.
Log Name: Microsoft-Windows-TaskSche
Source: Microsoft-Windows-TaskSche
Date: 1/5/2019 6:15:00 PM
Event ID: 107
Task Category: Task triggered on scheduler
Level: Information
Keywords:
User: SYSTEM
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
Task Scheduler launched "{b58a9933-b27e-425a-b7d1-
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Ta
<EventID>107</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>107</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>504278</Eve
<Correlation ActivityID="{B58A9933-B27E
<Execution ProcessID="1180" ThreadID="1644" />
<Channel>Microsoft-Windows
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-18" />
</System>
<EventData Name="TimeTriggerEvent">
<Data Name="TaskName">\Afterhour
<Data Name="InstanceId">{B58A993
</EventData>
</Event>
Log Name: Microsoft-Windows-TaskSche
Source: Microsoft-Windows-TaskSche
Date: 1/5/2019 6:15:00 PM
Event ID: 107
Task Category: Task triggered on scheduler
Level: Information
Keywords:
User: SYSTEM
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
Task Scheduler launched "{b58a9933-b27e-425a-b7d1-
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Ta
<EventID>107</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>107</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>504278</Eve
<Correlation ActivityID="{B58A9933-B27E
<Execution ProcessID="1180" ThreadID="1644" />
<Channel>Microsoft-Windows
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-18" />
</System>
<EventData Name="TimeTriggerEvent">
<Data Name="TaskName">\Afterhour
<Data Name="InstanceId">{B58A993
</EventData>
</Event>
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Antzs
Is there another gpo which is installing the reboot utility and then removing it once the task has ran?
ASKER
aerblich
I don't see one anywhere, but it sure seems like it. I will run an rsop and see what is coming in and then update the post
ASKER
aerblich
Ok, I scoured the RSOP and there is nothing coming in that would issue a restart command. I am out of ideas here.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Antzs
Can you try running "schtasks" on a command prompt. This will list all scheduled tasks on the machine. See if any task which is doing the reboot.
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question