Windows 10 Windows 10 and 7 machines suddenly rebooting after installing update, .NET-related?

[Alexander Brüning]

I'm at a loss right now. A bunch of users have reported sudden reboots, without being warned, losing work in the progress. We only have WSUS for patch management at the moment, and domain policies that set an activity window (6:00 - 20:00) and a time to install updates (12:00). This has worked fine for years (except some people never rebooting), and nothing was changed recently on that side.

I'd link a screenshot of our GPO result set for Windows Update, but I'm not allowed yet. Image ID HRT286C on imgur.

It's hard for me to get good information from users at the moment (most are gone for the day), but what I found is that at least one PC had an unscheduled reboot planned by Runtimebroker.exe around 12:00, with no further explanation why.

On two of the machines I checked, this was in the CBS log file

2019-12-18 12:00:51, Info CSI 0000077a 0: RM locking process: [l:37 ml:38]'Lenovo.Modern.ImController.PluginHost', app type: 0, app name: 'Lenovo.Modern.ImController.PluginHost', svc name: '', restartable: false

2019-12-18 12:00:51, Info CSI 0000077b 1: RM locking process: [l:37 ml:38]'Lenovo.Modern.ImController.PluginHost', app type: 0, app name: 'Lenovo.Modern.ImController.PluginHost', svc name: '', restartable: false

2019-12-18 12:00:51, Info CSI 0000077c 2: RM locking process: [l:19 ml:20]'ImControllerService', app type: 3, app name: 'System Interface Foundation Service', svc name: 'ImControllerService', restartable: true

2019-12-18 12:00:51, Info CSI 0000077d Reboot cannot be mitigated. RM_REBOOT_REASON: 2

2019-12-18 12:00:51, Info CSI 0000077e Error STATUS_CANNOT_DELETE while executing operation HardLinkFile on [l:157]'\SystemRoot\WinSxS\x86_netfx4-clr_dll_b03f5f7f11d50a3a_4.0.15788.290_none_7f9d8cabff8e194c\clr.dll, \??\C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll'

2019-12-18 12:00:40, Info CSI 00000797 0: RM locking process: [l:39 ml:40]'Intel(R) Management and Security Status', app type: 0, app name: 'Intel(R) Management and Security Status', svc name: '', restartable: false

2019-12-18 12:00:40, Info CSI 00000798 1: RM locking process: [l:16 ml:17]'NetPipeActivator', app type: 3, app name: 'Net.Pipe-Listeneradapter', svc name: 'NetPipeActivator', restartable: true

2019-12-18 12:00:40, Info CSI 00000799 2: RM locking process: [l:15 ml:16]'NetTcpActivator', app type: 3, app name: 'Net.Tcp-Listeneradapter', svc name: 'NetTcpActivator', restartable: true

2019-12-18 12:00:40, Info CSI 0000079a 3: RM locking process: [l:17 ml:18]'NetTcpPortSharing', app type: 3, app name: 'Net.Tcp-Portfreigabedienst', svc name: 'NetTcpPortSharing', restartable: true

2019-12-18 12:00:40, Info CSI 0000079b 4: RM locking process: [l:16 ml:17]'NetMsmqActivator', app type: 3, app name: 'Net.Msmq-Listeneradapter', svc name: 'NetMsmqActivator', restartable: true

2019-12-18 12:00:40, Info CSI 0000079c 5: RM locking process: [l:9 ml:10]'msiserver', app type: 3, app name: 'Windows Installer', svc name: 'msiserver', restartable: true

2019-12-18 12:00:40, Info CSI 0000079d Reboot cannot be mitigated. RM_REBOOT_REASON: 2

2019-12-18 12:00:40, Info CSI 0000079e Error STATUS_CANNOT_DELETE while executing operation HardLinkFile on [l:161]'\SystemRoot\WinSxS\amd64_netfx4-clr_dll_b03f5f7f11d50a3a_4.0.15788.290_none_37f055d4eb11f046\clr.dll, \??\C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\clr.dll'

Trouble is, I can't find anything about this being an issue anywhere. Apparently, RM_REBOOT_REASON 0x2 is RmRebootReasonSessionMismatch "One or more processes are running in another Terminal Services session". Could it be that the update is trying to replace clr.dll, fails to do so because something is using it at the moment and then schedules an uninterruptible, immediate reboot?

RestartManager documentation kinda suggests it: "Critical system services cannot be stopped and restarted by the Restart Manager without a system restart. Updates to any file or resource in use by one of these services requires a system restart."

At least one Windows 7 machine also rebooted, and I found the CBS log pattern on another machine.

2019-12-18 12:00:47, Info CSI 0000077a 0: RM locking process: [l:24 ml:25]'HiDrive Windows Software', app type: 0, app name: 'HiDrive Windows Software', svc name: '', restartable: false

2019-12-18 12:00:47, Info CSI 0000077b 1: RM locking process: [l:10 ml:11]'SmartAudio', app type: 0, app name: 'SmartAudio', svc name: '', restartable: false

2019-12-18 12:00:47, Info CSI 0000077c 2: RM locking process: [l:37 ml:38]'Lenovo.Modern.ImController.PluginHost', app type: 0, app name: 'Lenovo.Modern.ImController.PluginHost', svc name: '', restartable: false

2019-12-18 12:00:47, Info CSI 0000077d 3: RM locking process: [l:37 ml:38]'Lenovo.Modern.ImController.PluginHost', app type: 0, app name: 'Lenovo.Modern.ImController.PluginHost', svc name: '', restartable: false

2019-12-18 12:00:47, Info CSI 0000077e 4: RM locking process: [l:14 ml:15]'Microsoft Word', app type: 0, app name: 'Microsoft Word', svc name: '', restartable: false

2019-12-18 12:00:47, Info CSI 0000077f 5: RM locking process: [l:25 ml:26]'HiDriveMaintenanceService', app type: 3, app name: 'HiDrive Update Service', svc name: 'HiDriveMaintenanceService', restartable: true

2019-12-18 12:00:47, Info CSI 00000780 6: RM locking process: [l:19 ml:20]'ImControllerService', app type: 3, app name: 'System Interface Foundation Service', svc name: 'ImControllerService', restartable: true

2019-12-18 12:00:47, Info CSI 00000781 Reboot cannot be mitigated. RM_REBOOT_REASON: 2

2019-12-18 12:00:47, Info CSI 00000782 Error STATUS_CANNOT_DELETE while executing operation HardLinkFile on [l:157]'\SystemRoot\WinSxS\x86_netfx4-clr_dll_b03f5f7f11d50a3a_4.0.15788.290_none_7f9d8cabff8e194c\clr.dll, \??\C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll'

More...