+ Post New Thread
Results 1 to 10 of 10
Windows 7 Thread, Something is shutting down our W7 workstations randomly, without warning :( help...! in Technical; It's started this week, a couple of our admin staff reported that their machines, without warning, shut down. They didn't ...
  1. #1
    ben604's Avatar
    Join Date
    Jan 2010
    Posts
    314
    Thank Post
    81
    Thanked 29 Times in 24 Posts
    Rep Power
    22

    Something is shutting down our W7 workstations randomly, without warning :( help...!

    It's started this week, a couple of our admin staff reported that their machines, without warning, shut down. They didn't give any opportunity to save any work or cancel the shutdown, just closed all open applications and restarted...

    Code:
    The process C:\Windows\system32\wbem\wmiprvse.exe (ADM-CMA-001) has initiated the restart of computer ADM-CMA-001 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
     Reason Code: 0x80070015
     Shutdown Type: restart
    That's from the client event log. No real help there.

    We're using SCCM 2012, FEP 2012, Fog to shut down the machines (turned off today to see what happened this evening, 4 shutdowns...)

    Any ideas where to start looking for an answer? I'm guessing it's SCCM, but why would it start just this week, nothing's changed..? It seems to happen around 3.30pm - 5.30pm, within a 2 hour ish window, but I can't see anything relating to those times in SCCM.

    Please help!

  2. #2
    Netman's Avatar
    Join Date
    Jul 2005
    Location
    56.343515, -2.804118
    Posts
    911
    Thank Post
    367
    Thanked 190 Times in 143 Posts
    Rep Power
    54
    Some ideas of what to look into here Event ID: 1074 Source: USER32

  3. #3

    Join Date
    Mar 2011
    Location
    Bournemouth
    Posts
    280
    Thank Post
    16
    Thanked 74 Times in 64 Posts
    Rep Power
    22
    Quote Originally Posted by ben604 View Post
    It's started this week, a couple of our admin staff reported that their machines, without warning, shut down. They didn't give any opportunity to save any work or cancel the shutdown, just closed all open applications and restarted...

    Code:
    The process C:\Windows\system32\wbem\wmiprvse.exe (ADM-CMA-001) has initiated the restart of computer ADM-CMA-001 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
     Reason Code: 0x80070015
     Shutdown Type: restart
    That's from the client event log. No real help there.

    We're using SCCM 2012, FEP 2012, Fog to shut down the machines (turned off today to see what happened this evening, 4 shutdowns...)

    Any ideas where to start looking for an answer? I'm guessing it's SCCM, but why would it start just this week, nothing's changed..? It seems to happen around 3.30pm - 5.30pm, within a 2 hour ish window, but I can't see anything relating to those times in SCCM.

    Please help!
    The event log indicates that a service running under the SYSTEM account is forcing a shutdown. From what you said, its probably SCCM rebooting for update/software installation.

  4. #4

    vikpaw's Avatar
    Join Date
    Sep 2006
    Location
    Saudi Arabia
    Posts
    6,009
    Thank Post
    680
    Thanked 1,398 Times in 1,158 Posts
    Rep Power
    353
    I'd do full scans in case it's something malicious.
    Is it the same machines affected?
    Might be worth a repair of WMI in case something is corrupt.
    Or repair windows..

  5. #5
    reggiep's Avatar
    Join Date
    Apr 2008
    Location
    In the vast area of space and time
    Posts
    1,550
    Thank Post
    518
    Thanked 56 Times in 50 Posts
    Rep Power
    30
    I work with Ben.
    For a quick fix while we look into this could there be a way we disable wmiprvse.exe so if it tries to do it's normal reboot it fails? I don't know how wmiprvse.exe is calling these reboots?

  6. #6

    vikpaw's Avatar
    Join Date
    Sep 2006
    Location
    Saudi Arabia
    Posts
    6,009
    Thank Post
    680
    Thanked 1,398 Times in 1,158 Posts
    Rep Power
    353
    It's part of the whole WMI so you'd have to disable that I guess which means you'd lose all management features. Worth a try if its just admin machines

  7. #7
    reggiep's Avatar
    Join Date
    Apr 2008
    Location
    In the vast area of space and time
    Posts
    1,550
    Thank Post
    518
    Thanked 56 Times in 50 Posts
    Rep Power
    30
    We don't want to disable forever but would be nice to see if we can stop it happening in the first instance then work out what is going on!

  8. #8

    m25man's Avatar
    Join Date
    Oct 2005
    Location
    Romford, Essex
    Posts
    1,632
    Thank Post
    49
    Thanked 462 Times in 337 Posts
    Rep Power
    140
    Could be a compromised administrative account you need to enable auditing to see this in detail.
    Windows 7: What is Account Auditing And How To Enable It

    Especially if you have provided local elevated rights to Domain Users to overcome certain software inadequacies.. hope this doesnt spread to your servers you will have a problem.

  9. #9
    GeekyPete's Avatar
    Join Date
    Mar 2013
    Location
    In a cold dark server room.
    Posts
    339
    Thank Post
    23
    Thanked 78 Times in 59 Posts
    Rep Power
    27
    wmiprvse.exe is a host service for Devs to plug in monitoring modules. You might be closing down any one of a number of features by disabling it. Make sure you have a good backup, or image before tinkering.

    With that said it also makes it an ideal candiate for viruses and malware use Security Task Manager - Windows 8, 7, XP process viewer to check it out.

  10. #10

    Join Date
    Aug 2011
    Location
    Michigan
    Posts
    1
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I started experiencing this problem on my network when we upgraded our clients from XP to Win7. Turns out in my case it was due to our FOG server. We had it configured to auto restart/log off people after 3 hours of inactivity. Unfortunately FOG does not seem to correctly detect inactivity on Windows 7 and so it would restart our client PC's exactly 3 hours after they had logged into the machine.

    I disabled FOG's Auto Log off feature and I decided to chose a screensaver based auto log off program called Screensaver Operations from GrimAdmin. It works very well for us and I am happy it is available.

SHARE:
+ Post New Thread

Similar Threads

  1. Windows 7 logging off when "shut down" is pressed
    By cmanders159 in forum Windows 7
    Replies: 27
    Last Post: 3rd October 2013, 08:34 AM
  2. Random Shut downs...
    By DaveMurphy in forum Windows Vista
    Replies: 8
    Last Post: 15th October 2010, 11:07 PM
  3. Randomly shutting down
    By Lesley_tech in forum Windows
    Replies: 20
    Last Post: 20th June 2008, 12:40 PM
  4. Shutdown batch script stalls if 1 PC is shut down
    By PrimaryTech in forum Scripts
    Replies: 8
    Last Post: 7th July 2007, 06:04 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •