Recently I was investigating machine waking up from sleep without any user interaction. It was a bit irritating because user was putting his PC to sleep and leaving it for a day just to notice in the evening that the machine woke up and was on for most of the time.
Event viewer showed this:
|
1 2 3 4 5 6 |
The system has returned from a low power state. Sleep Time: ?2019?-?11?-?04T15:51:17.837661000Z Wake Time: ?2019?-?11?-?04T16:09:31.442527100Z Wake Source: Timer - Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start' scheduled task that requested waking the computer. |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-Power-Troubleshooter" Guid="{cdc05e28-c449-49c6-b9d2-88cf761644df}" /> <EventID>1</EventID> <Version>3</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2019-11-04T16:09:31.658173400Z" /> <EventRecordID>14127</EventRecordID> <Correlation ActivityID="{0bdacabc-df50-4751-a5a5-8d03debed195}" /> <Execution ProcessID="4416" ThreadID="17628" /> <Channel>System</Channel> <Computer>SEA-1800030347.ant.amazon.com</Computer> <Security UserID="S-1-5-19" /> </System> - <EventData> <Data Name="SleepTime">2019-11-04T15:51:17.837661000Z</Data> <Data Name="WakeTime">2019-11-04T16:09:31.442527100Z</Data> <Data Name="SleepDuration">7800</Data> <Data Name="WakeDuration">2942</Data> <Data Name="DriverInitDuration">1650</Data> <Data Name="BiosInitDuration">628</Data> <Data Name="HiberWriteDuration">0</Data> <Data Name="HiberReadDuration">0</Data> <Data Name="HiberPagesWritten">0</Data> <Data Name="Attributes">1879073024</Data> <Data Name="TargetState">4</Data> <Data Name="EffectiveState">4</Data> <Data Name="WakeSourceType">6</Data> <Data Name="WakeSourceTextLength">147</Data> <Data Name="WakeSourceText">Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start' scheduled task that requested waking the computer.</Data> <Data Name="WakeTimerOwnerLength">52</Data> <Data Name="WakeTimerContextLength">18</Data> <Data Name="NoMultiStageResumeReason">0</Data> <Data Name="WakeTimerOwner">\Device\HarddiskVolume4\Windows\System32\svchost.exe</Data> <Data Name="WakeTimerContext">SystemEventsBroker</Data> <Data Name="CheckpointDuration">108</Data> </EventData> </Event> |
So it looks like there was some update task waking the computer. After opening the Task Scheduler we could see this:
There are two important things you can see (even though screenshot is in Polish). First, owner of the task is NT SYSTEM. Second, it is scheduled to run at 8:58 AM.
So we know why the machine was waking up. How can we disable the task? Starting Task Scheduler as an administrator didn’t allow us to disable the task.
The thing is: Administrator is not the most powerful account in Windows. SYSTEM account has more privileges and we need to use it to disable the task. How do we run Task Scheduler as NT SYSTEM?
I typically use psexec from Sysinternals. Just run this command:
|
1 |
psexec -s -i mmc.exe |
This opens management console. Add snap-in for Task Scheduler and you are good to go. Now you can disable the task and see that it solves the issue.