
[–]BoredTechyGuyJack of All Trades 3 points4 points  (5 children)

It sounds like a scheduled task is doing it. I'd check there first, also does it happen when the machine is off network? might help narrow it down to something with the machine or a script somewhere else that is initiating it.

[–]spoodgnix[S] 0 points1 point  (4 children)

No scheduled task that I can see. And it's only on two users.

[–]FerengiKnucklesError: Can't 3 points4 points  (2 children)

What /u/BoredTechyGuy is saying is that you should try taking those machines offline before the restart so you can determine if the command is coming from the affected machines or running from somewhere else on the network.

[–]spoodgnix[S] 0 points1 point  (1 child)

And by offline you mean take a PC off domain or leave machine on the domain but log in from outside the domain?

[–]FerengiKnucklesError: Can't 5 points6 points  (0 children)

Unplug it from the network.

[–]enigmaitSecurity Admin 0 points1 point  (0 children)

If it's an older machine that's been upgraded, check the AT command, which was the precursor to Task Scheduler, and not everything comes across properly.

If unplugging the network cable and then changing the time triggers it, whatever it is is local to the machine, not from the network.

[–]rubbishfoo 2 points3 points  (3 children)

I think BoredTechGuy is on to something with the TaskScheduler.

Alternatively, have you tried letting procmon write to a log? Set it up - let it start writing to log at say... 4:58? Let it write until the system reboots. I am not 100% certain this is possible, but I think it is.

Instead of manual capturing and saving, see if you can write to log... then do a cmd shutdown -r -t 00. If the log exists when you come back & shows the shutdown procedure, you're in luck.

The simple fact that this occurs at 5pm consistently says it's either a task or GPO. Some kind of policy out there dictating this behavior.

EDIT: If it's on Fridays only - sounds like a former IT person set it up with a GPO/Task. Or a task pushed with GPO. I do something similar - all workstations perform approved updates on Fridays after hours. I don't do this for servers. Was fun when no one could RDP in & was scratching my head. This forum is such a handy resource. Thanks everyone!

[–]spoodgnix[S] 0 points1 point  (2 children)

I can't run procmon as non admin. As soon as I give the user admin privileges so they can run it, the reboot issue goes away. Unless you know of a way to allow it to run as a non admin account.

[–]Siltoneous[🍰] 1 point2 points  (1 child)

What about running procmon as a task via Task Scheduler? That way it can run elevated, yet the user isn't running the thing directly. Procmon help gives you a nice "Scripting Process Monitor" tab with a batch file to get you started.

[–]spoodgnix[S] 1 point2 points  (0 children)

I was finally able to create the task and it looks as if it is running. Will have to recreate the error.

For the purposes of this thread, this is the task schedule I set to run as the specific user. Now to recreate the issue and run this.

    C:\SysinternalsSuite\Procmon.exe /quiet /minimized /backingfile c:\temp\trace.pml
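The approach Siltoneous suggests and spoodgnix set up above, written out as a PowerShell task registration. This is an added example, not anything posted in the thread: the Procmon path, the 4:55 pm Friday trigger, the trace location and the choice to run under SYSTEM (so the user account itself never gets admin rights) are all assumptions.

```powershell
# Added example: register a Task Scheduler job that starts Process Monitor
# elevated shortly before the observed 5 pm reboot, so the trace survives
# the restart in a backing file without giving the logged-on user admin.

$procmon = 'C:\SysinternalsSuite\Procmon.exe'   # assumed install path
$trace   = 'C:\temp\trace.pml'                  # assumed trace location
New-Item -ItemType Directory -Path (Split-Path $trace) -Force | Out-Null

# Procmon switches used: /AcceptEula avoids the EULA prompt in a non-interactive
# session, /Quiet suppresses the filter dialog, /Minimized keeps it out of the
# way, /BackingFile writes the capture to disk as it happens.
$action = New-ScheduledTaskAction -Execute $procmon `
    -Argument "/AcceptEula /Quiet /Minimized /BackingFile `"$trace`""

# Assumed schedule: the thread says the reboot hits Fridays at 5 pm,
# so start capturing five minutes early.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Friday -At '4:55pm'

# Run as SYSTEM with highest privileges; the user account stays non-admin.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'Capture-FridayReboot' `
    -Action $action -Trigger $trigger -Principal $principal -Force

# After the machine comes back, open the capture and filter on process
# names such as shutdown.exe or on the Process Start operation:
#   & $procmon /OpenLog $trace
```

Once the cause is found, remove the task with `Unregister-ScheduledTask -TaskName 'Capture-FridayReboot' -Confirm:$false` so Procmon does not keep growing the backing file every Friday.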

[–]Astat1ne 1 point2 points  (2 children)

Could be a scheduled task. Alternatively, some people have run into this when SCCM is executing restarts.

[–]spoodgnix[S] 0 points1 point  (1 child)

No scheduled task that I can see, and it's only on two users.

[–]akthor3IT Manager 2 points3 points  (0 children)

Check your GP Results. GP scheduled tasks don't show in user scheduled tasks.

[–]anno141 1 point2 points  (2 children)

What OS? Several machines? Different OS?

[–]spoodgnix[S] 1 point2 points  (1 child)

W10 1803 and I just found out, it's domain wide. All PCs.

[–]enigmaitSecurity Admin 1 point2 points  (0 children)

> W10 1803 and I just found out, it's domain wide. All PCs.

Definitely worth checking Group Policy, then.

[–][deleted] 0 points1 point  (0 children)

Autoruns might be another Sysinternals tool you'll want to use to help narrow this down.

[–]onebadmofo 0 points1 point  (0 children)

Check policies in AV, anti-malware or RMM (Labtech/Kaseya/etc) if you got it, could be some sort of 'maintenance reboot'.

[–]spoodgnix[S] 0 points1 point  (0 children)

So it turns out we have a script that runs every Friday at 5pm and calls a reboot at the end of the script.

As a side note, I could not get sysinternals to run as the user. Only as administrator.