Jeremy Heymann
Guest
So I show up in the morning and my Win 10 Pro computer is off. It is never turned off, but it is. I start it up, which causes updates to be applied and another restart, and then start digging into the event log.
While this is a laptop, it was connected to AC power, and the battery was fully charged, so it doesn't look like it shut down due to power loss.
From a brief review of Scheduled Tasks, there doesn't appear to be a task that ran at that time. There were a few that ended around 4:44am, one of which probably explains the VSS service log entry. (btw, it would be a lot easier if we could search/filter the task scheduler so that we could see any task that was scheduled to run during a particular period, or that ran during that particular period, rather than having to manually go through 57,000 folders under the Windows heading).
Anybody have a guess as to what happened to cause this shutdown? What details I was able to discover are below.
The unexpected shutdown occurred at 5:10:31am. Latest entry in the System log is around 2am. In the Application log, the latest entry (prior to the restart, of course) is VSS shutting down due to being idle at 4:42am. In the security log, there are two events at 5:14:13am (?):
Event 4624 Logon:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: JHTABLET$
Account Domain: HEYMANN
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x350
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
===============================
and then event 4672 Special Logon:
Special privileges assigned to new logon.
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
=============================================
Putting aside the fact that the time logged for these appears to be AFTER the unexpected shutdown in the log, prior to that, at 5:07:19am, there are a bunch of event 4798s, similar to this:
A user's local group membership was enumerated.
Subject:
Security ID: SYSTEM
Account Name: JHTABLET$
Account Domain: HEYMANN
Logon ID: 0x3E7
This cycled through all 5 accounts on this machine many times.
Jeremy Heymann Market Mentor Online
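The reconstruction the post is attempting, as an added example that is not part of the original post: a PowerShell script that pulls the relevant System, Security and Task Scheduler events for a window around the shutdown into one sorted timeline, decodes the 4624 and 4798 fields (logon type, target account, calling process) from the event XML instead of the message text, and lists scheduled tasks whose last run fell in that window or whose action could reboot the machine. The function names, the time window and the placeholder date are assumptions. Two facts worth having when reading the output: a 6008 entry is written during the next boot and its reported shutdown time is approximate, so keep events a few minutes either side of it in scope; and a type 5 (service) 4624 for SYSTEM, logon ID 0x3E7, from services.exe is the logon every boot produces, so one appearing after the restart is expected.

```powershell
# Added example, not code from the original post: one timeline of what Windows
# recorded around an unexpected shutdown, plus scheduled tasks that ran in the
# same window. Run from an elevated PowerShell prompt on the affected machine
# (reading the Security log requires admin).

function Get-EventDataMap {
    # Flatten an event's <EventData> into a hashtable so fields such as
    # LogonType or CallerProcessName can be read by name.
    param([Parameter(Mandatory)]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }   # unnamed Data (e.g. 6008) is skipped
    }
    return $map
}

function Get-ShutdownTimeline {
    param(
        [Parameter(Mandatory)][datetime]$Around,   # time the 6008 event reports (assumed input)
        [int]$MinutesBefore = 60,
        [int]$MinutesAfter  = 15
    )
    $start = $Around.AddMinutes(-$MinutesBefore)
    $end   = $Around.AddMinutes($MinutesAfter)

    # -FilterHashtable filters inside the event log service, so this stays fast
    # on a large Security log. IDs:
    #   System   6008 previous shutdown was unexpected; 41 Kernel-Power (no clean
    #            shutdown); 1074 a process requested shutdown/restart (names the
    #            process and user); 12/13 Kernel-General OS started / shutting down
    #   Security 4608 Windows starting up; 4624/4672/4798 as in the post
    #   TaskScheduler/Operational 100/102 task started/completed, 200/201 action
    #            started/completed. This log is disabled by default on Windows 10
    #            (Task Scheduler > "Enable All Tasks History"), so it only helps
    #            once enabled; included so the query is ready for the next incident.
    $filters = @(
        @{ LogName = 'System';   Id = 6008, 41, 1074, 12, 13 },
        @{ LogName = 'Security'; Id = 4608, 4624, 4672, 4798 },
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 100, 102, 200, 201 }
    )

    $events = foreach ($f in $filters) {
        $f.StartTime = $start
        $f.EndTime   = $end
        # Get-WinEvent throws when nothing matches or the log is disabled; both are
        # expected here, so suppress the error rather than abort the timeline.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }

    $events | Sort-Object TimeCreated | ForEach-Object {
        $evt = $_   # keep a reference: switch rebinds $_ to the value being tested
        $detail = switch ($evt.Id) {
            4624 {
                $d = Get-EventDataMap $evt
                # LogonType 5 = service logon; SYSTEM/0x3E7 from services.exe is normal at boot.
                "LogonType=$($d.LogonType) Target=$($d.TargetDomainName)\$($d.TargetUserName) Process=$($d.ProcessName)"
            }
            4798 {
                $d = Get-EventDataMap $evt
                # CallerProcessName says which process enumerated the membership.
                "Enumerated=$($d.TargetUserName) By=$($d.CallerProcessName)"
            }
            default { ($evt.Message -split "`r?`n")[0] }   # first line of the message
        }
        [pscustomobject]@{
            Time   = $evt.TimeCreated
            Log    = $evt.LogName
            Id     = $evt.Id
            Source = $evt.ProviderName
            Detail = $detail
        }
    }
}

function Get-TasksRunInWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$FlagPattern = 'shutdown|restart|Restart-Computer|Stop-Computer'  # assumed heuristic
    )
    # Get-ScheduledTask walks every folder, including everything under
    # \Microsoft\Windows\; Get-ScheduledTaskInfo supplies LastRunTime. Caveat:
    # LastRunTime holds only the most recent run, so a task that ran again after
    # the reboot no longer shows the earlier run; the Operational log (above) does.
    foreach ($task in Get-ScheduledTask) {
        $info   = $task | Get-ScheduledTaskInfo
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $inWindow = ($info.LastRunTime -ge $Start) -and ($info.LastRunTime -le $End)
        $flagged  = $action -match $FlagPattern   # action looks capable of rebooting the machine
        if ($inWindow -or $flagged) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                LastRun = $info.LastRunTime
                Result  = '0x{0:X}' -f $info.LastTaskResult
                RunAs   = $task.Principal.UserId
                Action  = $action
                Flagged = $flagged
            }
        }
    }
}

# Usage. The date is a placeholder; substitute the one the 6008 event reports.
$shutdown = Get-Date '2024-01-01 05:10:31'
Get-ShutdownTimeline -Around $shutdown | Format-Table -AutoSize -Wrap
Get-TasksRunInWindow -Start $shutdown.AddHours(-1) -End $shutdown.AddMinutes(15) |
    Sort-Object LastRun | Format-Table -AutoSize -Wrap
```

The timeline deliberately includes 1074, because when a shutdown is requested by software (Windows Update, a scheduled task running shutdown.exe, a management agent) that event names the process and account that asked for it; its absence, together with a 6008 and a Kernel-Power 41, points instead at a crash, a hardware reset or a power-button press. In the task listing, a row with Flagged = True whose LastRun is outside the window is still worth reading, since a later run after the reboot would have overwritten the LastRunTime that mattered.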