Diagnose which program initiated a shutdown sequence

[brunoais]

Earlier today, my computer started a forced shutdown sequence.
At certain point, cmd.exe's window flashed in front of me and many programs had their execution killed after a short waiting timeout.
Windows shutdown gracefully, though.

From my limited knowledge, my only information is the contents in the system event logs I accessed using EventViewer.
The relevant event states the following:

The process C:\Windows\SysWOW64\shutdown.exe (NAME) has initiated the restart of computer NAME on behalf of user NAME\ME for the following reason: No title for this reason could be found
Reason Code: 0x800000ff
Shutdown Type: restart
Comment:

How can I know which program initiated this without my consent?

 

[jcgriff2]

Have you checked out Task Scheduler?

Schedule a task - Windows Help

Also, check the Reliability Monitor for any info - https://www.sysnative.com/forums/wi...onitor-windows-8-1-8-7-and-windows-vista.html

Interesting to note that the x86 (32-bit) version of CMD is being used (\windows\syswow64).

Are you connected to a network (domain; work computer)?

 

[brunoais]

Have you checked out Task Scheduler?
Schedule a task - Windows Help

Yep. Nothing there to start cmd with shutdown.exe

Also, check the Reliability Monitor for any info - https://www.sysnative.com/forums/wi...onitor-windows-8-1-8-7-and-windows-vista.html

Oh, I didn't remember that one. Nothing out of ordinary, still.

Interesting to note that the x86 (32-bit) version of CMD is being used (\windows\syswow64).

Yeah. That was the weird puzzle piece. For me it seems to mean that it was a 32-bit program that did that.

Are you connected to a network (domain; work computer)?

No. Just me here.

 

[Deejay100six]

Hi,

My first thought was hardware, eg,. overheating problems, but I'm pretty sure you would have seen some kind of message upon restart. Did you? Do you have any reason to suspect overheating? Particularly in desktop machines, a build up of dust on the CPU cooler fan is a common issue and if your CPU overheated, Windows would shut it down.

Was this a one time occurrence or has it happened again since?

I'm also wondering if it could be malware, do you see anything strange in the startup folder?

Lets have a better look at what you are running.

• Please download Speccy System Information Tool and save it to somewhere convenient such as your desktop.
• Close any programs that may be running including your browser and double click Speccy.exe to run the tool.
• Watch out for any offers to install other programs such as google chrome and untick the box(es) if you don't want them.
• Speccy will very quickly scan your pc and create a report.
• Top left of screen click file and select Publish Snapshot...
• Click Yes to proceed.
• Copy the URL to your clipboard and paste it into your next reply.

 

[brunoais]

Hi,
My first thought was hardware, eg,. overheating problems, but I'm pretty sure you would have seen some kind of message upon restart. Did you? Do you have any reason to suspect overheating? Particularly in desktop machines, a build up of dust on the CPU cooler fan is a common issue and if your CPU overheated, Windows would shut it down.

It is still fine. It can take a 90% work for 1h and still has margin for more while running at around 70ºC.
According to this, my CPU can handle up to 105 ºC, so having it working below 80ºC should be peaceful.

Was this a one time occurrence or has it happened again since?

Until now, 1 time.

I'm also wondering if it could be malware, do you see anything strange in the startup folder?

It is empty.
I also checked the startup registry data. Quite empty and only with MS certified stuff or stuff I decided to put there.

Lets have a better look at what you are running.

• Please download Speccy System Information Tool and save it to somewhere convenient such as your desktop.
• Close any programs that may be running including your browser and double click Speccy.exe to run the tool.
• Watch out for any offers to install other programs such as google chrome and untick the box(es) if you don't want them.
• Speccy will very quickly scan your pc and create a report.
• Top left of screen click file and select Publish Snapshot...
• Click Yes to proceed.
• Copy the URL to your clipboard and paste it into your next reply.

Sorry but it stores too much personal information.
I attached to this post, the XML export version with all personal information censored.

 

[Deejay100six]

Thanks. I have to go out for a while but will have a look later.

 

[brunoais]

Sure. Thanks for your time.

 

[Deejay100six]

The Speccy instructions I posted are a pre written (canned) speech that I have used many times at various support forums. As I understand it, we use the 'Publish Snapshot' method because, unlike the other methods, it doesn't publish any personal information. I don't blame you for being careful but consider the following from a tutorial that I found.

Speccy from Piriform is one of the best, in my subjective opinion the best program to extract and collect complete system specifications of your Windows PC.

Following these instructions you can publish your complete system specifications without revealing any personal information. The information cannot be used in any way to access your computer or network. Publishing the information Speccy extracts is absolutely 100% safe.

Source

If you're not sure then thats your choice, of course but I can't even unzip the XML file.

 

[niemiro]

The Speccy instructions I posted are a pre written (canned) speech that I have used many times at various support forums. As I understand it, we use the 'Publish Snapshot' method because, unlike the other methods, it doesn't publish any personal information. I don't blame you for being careful but consider the following from a tutorial that I found.

Speccy from Piriform is one of the best, in my subjective opinion the best program to extract and collect complete system specifications of your Windows PC.

Following these instructions you can publish your complete system specifications without revealing any personal information. The information cannot be used in any way to access your computer or network. Publishing the information Speccy extracts is absolutely 100% safe.

Source

If you're not sure then thats your choice, of course but I can't even unzip the XML file.

The .zip file can be opened fine in 7-Zip or similar. There are a number of quirky non-standard compression methods which can be used to create a zip file which cannot be opened by explorer.exe. Although I don't have the time right now to examine precisely which one is being used here, it can be opened, it was just recompressed in a very non-standard way.

 

[brunoais]

I had compressed using LZMA. Now I compressed using Deflate. I confirmed that explorer.exe opens it when using Defalte just fine.

 

[brunoais]

Sheesh... This time it happened again!
I believe it was an installer this time.

 

[niemiro]

Have you checked the event logs? I seem to remember that manually initiated shutdowns are logged somewhere, although that could be just my memory.

 

[brunoais]

See my first post for a quote on what is in the event logs.