Prepare for the PMI Agile Certified Practitioner (PMI-ACP)® exam, which formally recognizes your knowledge of agile principles and your skill with agile techniques.
Computer automatically reboots after gpo for automatic reboot is removed
i have a gpo for scheduling a task to automatically restart domain computers at a specific time. I have one executive who works late so I want to disable that gpo for him, and as such, moved him and his computer to new ou's in ad. the scheduled task is now removed from his computer, yet the computer keeps restarting at the scheduled time as if the gpo is still in force. I need help figuring out how to prevent his pc from restarting at 6pm. Below are some logs of interest from the event viewer:
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: CONTOSO\Administrator
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102234</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7030
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7030</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102235</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
</EventData>
</Event>
Log Name: System
Source: USER32
Date: 1/3/2019 6:05:16 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: domain-computer.contoso.LO
Description:
The process wininit.exe (127.0.0.1) has initiated the restart of computer domain-computer on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: restart
Comment:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="USER32" />
<EventID Qualifiers="32768">1074</E
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102236</Eve
<Channel>System</Channel>
<Computer>domain-computer.
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>wininit.exe (127.0.0.1)</Data>
<Data>domain-computer</Dat
<Data>Legacy API shutdown</Data>
<Data>0x80070000</Data>
<Data>restart</Data>
<Data>
</Data>
<Data>NT AUTHORITY\SYSTEM</Data>
<Binary>000007800000000000
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7036
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7036</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102238</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">running</Dat
<Binary>500073005300680075
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7034
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service terminated unexpectedly. It has done this 1 time(s).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7034</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102239</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="924" />
<Channel>System</Channel>
<Computer>DOMAIN-COPMUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">1</Data>
</EventData>
</Event>
Shortly after these events the OS logs kernel power manager and shutdown followed by the restart.
I need to get this behavior to stop, so any help would be GREATLY appreciated.
Thanks in advance.
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: CONTOSO\Administrator
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102234</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:15 PM
Event ID: 7030
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7030</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102235</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
</EventData>
</Event>
Log Name: System
Source: USER32
Date: 1/3/2019 6:05:16 PM
Event ID: 1074
Task Category: None
Level: Information
Keywords: Classic
User: SYSTEM
Computer: domain-computer.contoso.LO
Description:
The process wininit.exe (127.0.0.1) has initiated the restart of computer domain-computer on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: restart
Comment:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="USER32" />
<EventID Qualifiers="32768">1074</E
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102236</Eve
<Channel>System</Channel>
<Computer>domain-computer.
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>wininit.exe (127.0.0.1)</Data>
<Data>domain-computer</Dat
<Data>Legacy API shutdown</Data>
<Data>0x80070000</Data>
<Data>restart</Data>
<Data>
</Data>
<Data>NT AUTHORITY\SYSTEM</Data>
<Binary>000007800000000000
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7036
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service entered the running state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7036</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102238</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="904" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">running</Dat
<Binary>500073005300680075
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/3/2019 6:05:16 PM
Event ID: 7034
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
The PsShutdown service terminated unexpectedly. It has done this 1 time(s).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="49152">7034</E
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-04T02:
<EventRecordID>102239</Eve
<Correlation />
<Execution ProcessID="784" ThreadID="924" />
<Channel>System</Channel>
<Computer>DOMAIN-COPMUTER.
<Security />
</System>
<EventData>
<Data Name="param1">PsShutdown</
<Data Name="param2">1</Data>
</EventData>
</Event>
Shortly after these events the OS logs kernel power manager and shutdown followed by the restart.
I need to get this behavior to stop, so any help would be GREATLY appreciated.
Thanks in advance.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
was thinking about that, but was unsure if that would negatively impact other functions of the OS. Does that exe need to be there for anything else?
The psshutdown.exe utility which you are using for the shutdown/reboot is part of a collection of tools from SysInternals.
https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown
So it is not in use by the OS itself. It is actually a separate install.
https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown
So it is not in use by the OS itself. It is actually a separate install.
Yes, I see that the file should be in that directory, but I am doing a search and cannot find it anywhere
Interestingly, it seems that the service is installed daily. I see this in the event viewer daily, when I search for psshutdown or pssdnsvc.exe I cant find anything:
Log Name: System
Source: Service Control Manager
Date: 1/5/2019 6:06:27 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: Contoso\Administrator
Computer: DOMAIN-COMOUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>103475</Eve
<Correlation />
<Execution ProcessID="792" ThreadID="6096" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPTUER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 1/5/2019 6:06:27 PM
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: Contoso\Administrator
Computer: DOMAIN-COMOUTER.CONTOSO.LO
Description:
A service was installed in the system.
Service Name: PsShutdown
Service File Name: %SystemRoot%\PSSDNSVC.EXE
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-
<EventID Qualifiers="16384">7045</E
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80800000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>103475</Eve
<Correlation />
<Execution ProcessID="792" ThreadID="6096" />
<Channel>System</Channel>
<Computer>DOMAIN-COMPTUER.
<Security UserID="S-1-5-21-245992603
</System>
<EventData>
<Data Name="ServiceName">PsShutd
<Data Name="ImagePath">%SystemRo
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSy
</EventData>
</Event>
also found this in the event viewer's task scheduler filter. this shouldn't be happening. the gpo that generated that task was removed from this pc. furthermore, this task is not even in the task scheduler on the front end. It seems that the policy removed the task from the scheduler, but somehow it is still running.
Log Name: Microsoft-Windows-TaskSche
Source: Microsoft-Windows-TaskSche
Date: 1/5/2019 6:15:00 PM
Event ID: 107
Task Category: Task triggered on scheduler
Level: Information
Keywords:
User: SYSTEM
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
Task Scheduler launched "{b58a9933-b27e-425a-b7d1-
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Ta
<EventID>107</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>107</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>504278</Eve
<Correlation ActivityID="{B58A9933-B27E
<Execution ProcessID="1180" ThreadID="1644" />
<Channel>Microsoft-Windows
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-18" />
</System>
<EventData Name="TimeTriggerEvent">
<Data Name="TaskName">\Afterhour
<Data Name="InstanceId">{B58A993
</EventData>
</Event>
Log Name: Microsoft-Windows-TaskSche
Source: Microsoft-Windows-TaskSche
Date: 1/5/2019 6:15:00 PM
Event ID: 107
Task Category: Task triggered on scheduler
Level: Information
Keywords:
User: SYSTEM
Computer: DOMAIN-COMPUTER.CONTOSO.LO
Description:
Task Scheduler launched "{b58a9933-b27e-425a-b7d1-
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Ta
<EventID>107</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>107</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2019-01-06T02:
<EventRecordID>504278</Eve
<Correlation ActivityID="{B58A9933-B27E
<Execution ProcessID="1180" ThreadID="1644" />
<Channel>Microsoft-Windows
<Computer>DOMAIN-COMPUTER.
<Security UserID="S-1-5-18" />
</System>
<EventData Name="TimeTriggerEvent">
<Data Name="TaskName">\Afterhour
<Data Name="InstanceId">{B58A993
</EventData>
</Event>
Is there another gpo which is installing the reboot utility and then removing it once the task has ran?
I don't see one anywhere, but it sure seems like it. I will run an rsop and see what is coming in and then update the post
Ok, I scoured the RSOP and there is nothing coming in that would issue a restart command. I am out of ideas here.
Can you try running "schtasks" on a command prompt. This will list all scheduled tasks on the machine. See if any task which is doing the reboot.
It turns out that there was in fact a gpo to automate logoff that was failing, however that was not was causing the automated restart. Turns out, packet capture showed that sysinternals psshutdown was being run remotely from an unexpected server. That server used to be a dc that was subsequently demoted and repurposed---with the task still scheduled. The sysadmin should have removed that task and re-assigned it to an appropriate server. The remote psshutdown was being run from its task scheduler against a pre-prepared list of computers. removing the affected workstation from that list remedied the problem. this would explain why the pssdnsvc.exe was being installed and removed.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial