Some ideas of what to look into here Event ID: 1074 Source: USER32
It's started this week, a couple of our admin staff reported that their machines, without warning, shut down. They didn't give any opportunity to save any work or cancel the shutdown, just closed all open applications and restarted...
That's from the client event log. No real help there.
Code:
The process C:\Windows\system32\wbem\wmiprvse.exe (ADM-CMA-001) has initiated the restart of computer ADM-CMA-001 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x80070015
Shutdown Type: restart
We're using SCCM 2012, FEP 2012, Fog to shut down the machines (turned off today to see what happened this evening, 4 shutdowns...)
Any ideas where to start looking for an answer? I'm guessing it's SCCM, but why would it start just this week, nothing's changed..? It seems to happen around 3.30pm - 5.30pm, within a 2 hour ish window, but I can't see anything relating to those times in SCCM.
I'd do full scans in case it's something malicious.
Is it the same machines affected?
Might be worth a repair of WMI in case something is corrupt.
Or repair windows..
I work with Ben.
For a quick fix while we look into this could there be a way we disable wmiprvse.exe so if it tries to do its normal reboot it fails? I don't know how wmiprvse.exe is calling these reboots?
It's part of the whole WMI so you'd have to disable that I guess, which means you'd lose all management features. Worth a try if it's just admin machines.
We don't want to disable forever but would be nice to see if we can stop it happening in the first instance then work out what is going on!
Could be a compromised administrative account; you need to enable auditing to see this in detail.
Windows 7: What is Account Auditing And How To Enable It
Especially if you have provided local elevated rights to Domain Users to overcome certain software inadequacies. Hope this doesn't spread to your servers; you will have a problem.
wmiprvse.exe is a host service for Devs to plug in monitoring modules. You might be closing down any one of a number of features by disabling it. Make sure you have a good backup, or image before tinkering.
With that said, it also makes it an ideal candidate for viruses and malware. Use Security Task Manager - Windows 8, 7, XP process viewer to check it out.
I started experiencing this problem on my network when we upgraded our clients from XP to Win7. Turns out in my case it was due to our FOG server. We had it configured to auto restart/log off people after 3 hours of inactivity. Unfortunately FOG does not seem to correctly detect inactivity on Windows 7 and so it would restart our client PCs exactly 3 hours after they had logged into the machine.
I disabled FOG's Auto Log off feature and I decided to choose a screensaver based auto log off program called Screensaver Operations from GrimAdmin. It works very well for us and I am happy it is available.
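The last reply traces the restarts to FOG rebooting clients exactly 3 hours after logon. As an added example that is not part of the thread, the script below parses Event ID 1074 messages in the form quoted in the first post and measures the gap to the preceding logon on the same machine. The timestamps, the host ADM-CMA-002 and the function names are constructed for illustration, and logon times are assumed to have been exported separately from the event log.

```python
import re
from bisect import bisect_left
from datetime import datetime

# Layout of the Event ID 1074 (USER32) message quoted in the thread.
EVENT_1074 = re.compile(
    r"The process (?P<process>.+?) \((?P<host>[^)]+)\) has initiated the "
    r"(?P<action>.+?) of computer (?P<computer>\S+) on behalf of user "
    r"(?P<user>.+?) for the following reason: (?P<reason>.*?)\s*"
    r"Reason Code: (?P<code>0x[0-9A-Fa-f]+)\s*Shutdown Type: (?P<type>.+)", re.S)

def parse_1074(message):
    """Return the fields of a 1074 message as a dict, or None if it does not match."""
    m = EVENT_1074.search(message)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def hours_since_logon(shutdown_time, logon_times):
    """Hours between a shutdown and the latest logon before it (None if no logon)."""
    times = sorted(logon_times)
    i = bisect_left(times, shutdown_time)
    return round((shutdown_time - times[i - 1]).total_seconds() / 3600, 2) if i else None

def correlate(events, logons):
    """events: [(timestamp, message)]; logons: {computer: [logon timestamps]}."""
    rows = []
    for when, message in events:
        f = parse_1074(message)
        if f is None:
            continue  # not a 1074 message in the expected layout
        gap = hours_since_logon(when, logons.get(f["computer"], []))
        rows.append((f["computer"], f["process"].rsplit("\\", 1)[-1], f["code"], gap))
    return rows

# Constructed sample data: the message text follows the one in the thread,
# but the timestamps and the second host name are made up for illustration.
MSG = ("The process C:\\Windows\\system32\\wbem\\wmiprvse.exe ({h}) has initiated "
       "the restart of computer {h} on behalf of user NT AUTHORITY\\SYSTEM for the "
       "following reason: No title for this reason could be found "
       "Reason Code: 0x80070015 Shutdown Type: restart")
T = datetime.fromisoformat
EVENTS = [(T("2013-03-05 15:41:10"), MSG.format(h="ADM-CMA-001")),
          (T("2013-03-05 16:55:02"), MSG.format(h="ADM-CMA-002"))]
LOGONS = {"ADM-CMA-001": [T("2013-03-05 08:50:00"), T("2013-03-05 12:41:08")],
          "ADM-CMA-002": [T("2013-03-05 13:55:00")]}

if __name__ == "__main__":
    print(correlate(EVENTS, LOGONS))
```

Gaps that cluster on one value across machines suggest a timer tied to logon, as in the FOG case described in the last reply.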