This is the twentieth second part of the Availability Anywhere series. For your convenience you can find other parts in the table of contents in Part 1 – Connecting to SSH tunnel automatically in Windows
I was recently investigating a case of a computer restarting every Sunday at 3AM UTC. I couldn’t figure out what was going on and I suspected Customer Experience Improvement Program as I found the following event in event viewer:
|
1 |
User Logoff Notification for Customer Experience Improvement Program |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="User32" Guid="{b0aa8734-56f7-41cc-b2f4-de228e98b946}" EventSourceName="User32" /> <EventID Qualifiers="32768">1074</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2024-02-04T03:00:01.2906001Z" /> <EventRecordID>404828</EventRecordID> <Correlation /> <Execution ProcessID="896" ThreadID="804" /> <Channel>System</Channel> <Computer>computerName</Computer> <Security UserID="S-1-5-18" /> </System> - <EventData> <Data Name="param1">C:\Windows\system32\shutdown.EXE (computerName)</Data> <Data Name="param2">computerName</Data> <Data Name="param3">No title for this reason could be found</Data> <Data Name="param4">0x800000ff</Data> <Data Name="param5">restart</Data> <Data Name="param6">System is scheduled to reboot in 10 minutes. Please save your work.</Data> <Data Name="param7">NT AUTHORITY\SYSTEM</Data> </EventData> </Event> |
I checked many solutions on the Internet and none of them helped. However, later I realized it was not due to Customer Experience Improvement Program. After carefully checking the event viewer, I found the following:
|
1 2 3 4 |
The process C:\Windows\system32\shutdown.EXE (computerName) has initiated the restart of computer computerName on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found Reason Code: 0x800000ff Shutdown Type: restart Comment: System is scheduled to reboot in 10 minutes. Please save your work. |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-Winlogon" Guid="{dbe9b383-7cf3-4331-91cc-a3cb16a3b538}" /> <EventID>7002</EventID> <Version>0</Version> <Level>4</Level> <Task>1102</Task> <Opcode>0</Opcode> <Keywords>0x2000200000000000</Keywords> <TimeCreated SystemTime="2024-02-04T03:10:41.0539456Z" /> <EventRecordID>404868</EventRecordID> <Correlation /> <Execution ProcessID="6028" ThreadID="6892" /> <Channel>System</Channel> <Computer>computerName</Computer> <Security UserID="S-1-5-18" /> </System> - <EventData> <Data Name="TSId">2</Data> <Data Name="UserSid">S-1-5-21-1801674531-515967899-839522115-19733726</Data> </EventData> </Event> |
So it seems that something triggered the restart. I wasn’t sure what that was and I just solved it by cancelling the restart. Just run this batch script to cancel any shutdowns every 30 seconds:
|
1 2 3 4 |
:start shutdown /a timeout 30 goto start |
It worked good enough.