Unexplained Shutdown of Windows 10 Pro Workstation

  • Question

  • So I show up in the morning and my Win 10 Pro computer is off. It is never turned off, but it is. I start it up, which causes updates to be applied and another restart, and then start digging into the event log.

    While this is a laptop, it was connected to AC power, and the battery was fully charged, so it doesn't look like it shut down due to power loss.

    From a brief review of Scheduled Tasks, there doesn't appear to be a task that ran at that time. There were a few that ended around 4:44am, one of which probably explains the VSS service log entry. (btw, it would be a lot easier if we could search/filter the task scheduler so that we could see any task that was scheduled to run during a particular period, or that ran during that particular period, rather than having to manually go thru 57,000 folders under the Windows heading).

    Anybody have a guess as to what happened to cause this shutdown? What details I was able to discover are below.

    The unexpected shutdown occurred at 5:10:31am. Latest entry in the System log is around 2am. In the Application log, the latest entry (prior to the restart, of course) is VSS shutting down due to being idle at 4:42am. In the security log, there are two events at 5:14:13am (?):

    Event 4624 Logon:

    An account was successfully logged on.

    Subject:
        Security ID: SYSTEM
        Account Name: JHTABLET$
        Account Domain: HEYMANN
        Logon ID: 0x3E7

    Logon Information:
        Logon Type: 5
        Restricted Admin Mode: -
        Virtual Account: No
        Elevated Token: Yes

    Impersonation Level: Impersonation

    New Logon:
        Security ID: SYSTEM
        Account Name: SYSTEM
        Account Domain: NT AUTHORITY
        Logon ID: 0x3E7
        Linked Logon ID: 0x0
        Network Account Name: -
        Network Account Domain: -
        Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:
        Process ID: 0x350
        Process Name: C:\Windows\System32\services.exe

    Network Information:
        Workstation Name: -
        Source Network Address: -
        Source Port: -

    ===============================

    and then event 4672 Special Logon:

    Special privileges assigned to new logon.

    Subject:
        Security ID: SYSTEM
        Account Name: SYSTEM
        Account Domain: NT AUTHORITY
        Logon ID: 0x3E7

    Privileges: SeAssignPrimaryTokenPrivilege
                SeTcbPrivilege
                SeSecurityPrivilege
                SeTakeOwnershipPrivilege
                SeLoadDriverPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeDebugPrivilege
                SeAuditPrivilege
                SeSystemEnvironmentPrivilege
                SeImpersonatePrivilege
                SeDelegateSessionUserImpersonatePrivilege

    =============================================

    Putting aside the fact that the time logged for these appears to be AFTER the unexpected shutdown in the log, prior to that, at 5:07:19am, there are a bunch of event 4798s, similar to this:

    A user's local group membership was enumerated.

    Subject:
        Security ID: SYSTEM
        Account Name: JHTABLET$
        Account Domain: HEYMANN
        Logon ID: 0x3E7


    This cycled thru all 5 accounts on this machine many times.


    Jeremy Heymann Market Mentor Online

    Friday, August 9, 2019 1:36 PM
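
Added example, not part of the original thread: a PowerShell query that merges shutdown markers from the System log, the Security events quoted in the question, and Task Scheduler history into one timeline for the window around 5:10am. The window bounds and the choice of System and Task Scheduler event IDs are assumptions of this example, and the Task Scheduler log returns nothing unless task history is enabled.

```powershell
# Added example (not from the thread). Run elevated so the Security log is readable.
param(
    [datetime]$Start = '2019-08-09 04:30',   # window chosen around the times in the post
    [datetime]$End   = '2019-08-09 05:30'
)

# Log name -> event IDs worth seeing around an unexplained power-off.
$queries = @{
    # 41 Kernel-Power (no clean shutdown), 1001 BugCheck, 1074 requested shutdown,
    # 6005/6006 event log service start/stop, 6008 previous shutdown was unexpected
    'System'   = 41, 1001, 1074, 6005, 6006, 6008
    # The three event IDs quoted in the question
    'Security' = 4624, 4672, 4798
    # 100/102 task started/completed, 200/201 action started/completed
    'Microsoft-Windows-TaskScheduler/Operational' = 100, 102, 200, 201
}

$timeline = foreach ($log in $queries.Keys) {
    $filter = @{
        LogName   = $log
        Id        = $queries[$log]
        StartTime = $Start
        EndTime   = $End
    }
    # Get-WinEvent raises an error when nothing matches or the log is disabled,
    # so a quiet log must not abort the other queries.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# One chronological view across all three logs; the first message line is
# enough to tell a service logon from a task start or a shutdown record.
$timeline |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Event 6008 is written at the next boot and carries the time of the unexpected shutdown in its message, so it appears after the restart in this timeline rather than at the moment the machine went down.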

All replies

  • To evaluate the computer environment please post logs for troubleshooting.

    Using administrative command prompt copy and paste this whole command.

    Make sure the default language is English so that the logs can be scanned and read.

    https://www.tenforums.com/tutorials/3813-language-add-remove-change-windows-10-a.html

    The command will automatically collect the computer files and place them on the desktop.

    Then use 7zip to organize the files and one drive, drop box, or google drive to place share links into the thread for troubleshooting.

    https://support.office.com/en-us/article/Share-OneDrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07

    This command will automatically collect these files:  msinfo32, mini dumps, drivers, hosts, install, uninstall, services, startup, event viewer files, etc.

    Open administrative command prompt and copy and paste the whole command:

    copy %SystemRoot%\minidump\*.dmp "%USERPROFILE%\Desktop\"&dxdiag /t %Temp%\dxdiag.txt&copy %Temp%\dxdiag.txt "%USERPROFILE%\Desktop\SFdebugFiles\"&type %SystemRoot%\System32\drivers\etc\hosts >> "%USERPROFILE%\Desktop\hosts.txt"&systeminfo > "%USERPROFILE%\Desktop\systeminfo.txt"&driverquery /v > "%USERPROFILE%\Desktop\drivers.txt" &msinfo32 /nfo "%USERPROFILE%\Desktop\msinfo32.nfo"&wevtutil qe System /f:text > "%USERPROFILE%\Desktop\eventlog.txt"&reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall "%USERPROFILE%\Desktop\uninstall.txt"&reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components" "%USERPROFILE%\Desktop\installed.txt"&net start > "%USERPROFILE%\Desktop\services.txt"&REM wmic startup list full /format:htable >"%USERPROFILE%\Desktop\startup.html"&wmic STARTUP GET Caption, Command, User >"%USERPROFILE%\Desktop\startup.txt"

    There are two files for you to find manually:

    a) C:\Windows\MEMORY.DMP

    Use file explorer > this PC > local C: drive > right upper corner search enter the above to find results.

    b) dxdiag:  

    In the left lower corner search type:  dxdiag > When the DirectX Diagnostic Tool opens click on the next page button so that each tab is opened > click on save all information > save to desktop > post one drive or drop box share link into the thread

    Please remember to vote and to mark the replies as answers if they help.
    Friday, August 9, 2019 2:14 PM
  • https://1drv.ms/u/s!Akn-l9NTXX4A8Bj9hCQp0nNTWlQf?e=2h9f9N

    If I've done it correctly, the above file will contain what you were looking for. There were no dump files, either memory.dmp or anything in c:\windows\minidump\.


    Jeremy Heymann Market Mentor Online

    Friday, August 9, 2019 3:01 PM
  • Hello Jeremy,

    The logs certainly look as though something sudden, like power loss, occurred. There was no time to log/record anything about the circumstances of the "shutdown".

    You say that the laptop is always on - is it also always connected to AC power? In other words, can we be sure that the battery is in good shape and able to power the laptop in the event of an interruption in AC power?

    Gary

    Friday, August 9, 2019 4:27 PM
  • The power is good. I periodically unplug it, and have at least 2-3 hours of battery life. Also, due to certain clocks being correct, I know the power didn't go out last night.

    There are messages about device wudfrd in the event log. If that caused a BSOD, could I have this set not to create a memory dump, even the minidump? I've got 5 GB of free space on C:, and the system only has 4 GB of RAM.

    Still scratching my head...


    Jeremy Heymann Market Mentor Online

    Friday, August 9, 2019 4:37 PM
  • Hello Jeremy,

    One unexplained "shutdown" is not necessarily cause for concern, but it would be wise to ensure that a dump of some sort (even a minidump) is created in the event of a bugcheck. Start SystemPropertiesAdvanced and look at the "Start-up and Recovery Settings". In the "System failure" section, "Write an event to the system log" should be enabled and "Write debugging information" can be set to anything other than "(none)".

    If "Automatically restart" is enabled, then this is another sign that the "shutdown" was truly "unexpected"; since the laptop did not automatically restart, that probably indicates that there was not enough time to control/steer the shutdown/restart sequence.

    Gary

    Friday, August 9, 2019 5:02 PM
  • The logs that were posted were for an Acer tablet.

    The title thread is for a workstation.

    "While this is a laptop"

    Please explain.

    Acer
    System Model: Aspire SW5-171P

    1) Msinfo32 was not collected.

    2) In the left lower corner search type:  msinfo32

    Allow it to load for 15 - 20 minutes.

    Save as NFO.  (do not save as txt)

    3) Post a share link into the thread.

    4) The last BSOD was seen in May and others were seen in March, 2019.

    5) There were unexpected shutdowns / restarts on 8/9 and 7/19.

    These can be seen when there is manual power off (hangs or freeze power off) or when there are hardware or driver problems.

    6) Open administrative command prompt and type or copy and paste:
    7) sfc /scannow
    8) dism /online /cleanup-image /restorehealth
    9) chkdsk /scan
    10) wmic recoveros set autoreboot = false
    11) bcdedit /enum {badmemory}

    12) When these have completed > right click on the top bar or title bar of the administrative command prompt box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into the thread

    13) In the left lower corner search type: system or system control > open system control panel > on the left pane click advanced system settings 

    a) > on the advanced tab under startup and recovery > click settings > post an image of the startup and recovery window into the thread

    b) > on the advanced tab under performance > click on settings > on the performance options window > click on the advanced tab > under virtual memory > click on change > post an image of the virtual memory window into the thread

    14) Run HD Tune (free version) (all drives)
    https://www.hdtune.com/
    Post images into the thread for results on these tabs:
    a) Health
    b) Benchmark
    c) Full error scan


    15) Run Sea Tools for Windows
    long generic test
    Post an image of the test result into the thread
    http://www.seagate.com/support/downloads/seatools/seatools-win-master/
    http://knowledge.seagate.com/articles/en_US/FAQ/202435en

    16) Windows will automatically delete dump files if free space is < 25 GB.

    For example:

    Event[3165]:
      Log Name: System
      Source: Microsoft-Windows-WER-SystemErrorReporting
      Date: 2019-03-19T01:34:56.259
      Event ID: 1018
      Task: N/A
      Level: Information
      Opcode: N/A
      Keyword: Classic
      User: N/A
      User Name: N/A
      Computer: jhtablet
      Description: 
    The dump file at location: C:\WINDOWS\MEMORY.DMP was deleted because the disk volume had less than 25 GB free space.

    16) Increase the free space on the Windows drive to > 30 GB.

    ------------------------
    Disk & DVD/CD-ROM Drives
    ------------------------
          Drive: C:
     Free Space: 4.9 GB
    Total Space: 120.9 GB
    File System: NTFS
          Model: KINGSTON RBU-SNS8100S3128GD


    Please remember to vote and to mark the replies as answers if they help.
    Friday, August 9, 2019 5:10 PM
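
Added example, not part of the original thread: a read-only PowerShell check of the Startup and Recovery settings discussed in the replies above (dump type, automatic restart, system-log event) together with the free-space condition from event 1018. The 25 GB threshold is taken from that event's text; the report field names and the wording of the findings are this example's own.

```powershell
# Added example (not from the thread). Reads settings only; changes nothing.
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Meaning of the CrashDumpEnabled registry value.
$dumpTypes = @{ 0 = '(none)'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }

$disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
$ramGB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)

# Dump files that already exist (none were found on the machine in this thread).
$minidumps = @(Get-ChildItem -Path $cc.MinidumpDir -Filter *.dmp -ErrorAction SilentlyContinue)
$fullDump  = [bool]($cc.DumpFile -and (Test-Path $cc.DumpFile))

[pscustomobject]@{
    DumpType          = $dumpTypes[[int]$cc.CrashDumpEnabled]
    WriteEventToLog   = [bool]$cc.LogEvent
    AutoRestart       = [bool]$cc.AutoReboot
    AlwaysKeepDump    = ($cc.AlwaysKeepMemoryDump -eq 1)   # value is absent by default
    FullDumpPresent   = $fullDump
    MinidumpCount     = $minidumps.Count
    SystemDriveFreeGB = $freeGB
    InstalledRamGB    = $ramGB
} | Format-List

# Conditions under which a bugcheck would leave no evidence behind.
$findings = @()
if ($cc.CrashDumpEnabled -eq 0) {
    $findings += 'Write debugging information is set to (none): no dump on a bugcheck.'
}
if (-not $cc.LogEvent) {
    $findings += 'Write an event to the system log is disabled.'
}
if ($freeGB -lt 25 -and $cc.AlwaysKeepMemoryDump -ne 1) {
    $findings += "Only $freeGB GB free: MEMORY.DMP can be deleted as in event 1018."
}
if ($freeGB -lt $ramGB) {
    $findings += 'Free space is below installed RAM: a complete dump cannot fit.'
}
if ($findings.Count -eq 0) { $findings += 'Dump settings and free space look adequate.' }
$findings
```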
  • Here are the screen shots and other information:

    https://1drv.ms/u/s!Akn-l9NTXX4A8BkQL_CcC03SHxBu?e=QGRDZR

    Results of commands:

    Microsoft Windows [Version 10.0.17763.615]
    (c) 2018 Microsoft Corporation. All rights reserved.

    C:\WINDOWS\system32>sfc /scannow

    Beginning system scan.  This process will take some time.

    Beginning verification phase of system scan.
    Verification 100% complete.

    Windows Resource Protection did not find any integrity violations.

    C:\WINDOWS\system32>dism /online /cleanup-image /restorehealth

    Deployment Image Servicing and Management tool
    Version: 10.0.17763.1

    Image Version: 10.0.17763.615

    [==========================100.0%==========================] The restore operation completed successfully.
    The operation completed successfully.

    C:\WINDOWS\system32>chkdsk /scan
    The type of the file system is NTFS.
    Volume label is Acer.

    Stage 1: Examining basic file system structure ...
      569856 file records processed.
    File verification completed.
      22146 large file records processed.
      0 bad file records processed.

    Stage 2: Examining file name linkage ...
      34091 reparse records processed.
      741916 index entries processed.
    Index verification completed.
      0 unindexed files scanned.
      0 unindexed files recovered to lost and found.
      34091 reparse records processed.

    Stage 3: Examining security descriptors ...
    Security descriptor verification completed.
      86031 data files processed.
    CHKDSK is verifying Usn Journal...
      41253152 USN bytes processed.
    Usn Journal verification completed.

    Windows has scanned the file system and found no problems.
    No further action is required.

     123852329 KB total disk space.
     118455468 KB in 329240 files.
        220632 KB in 86032 indexes.
             0 KB in bad sectors.
        694021 KB in use by the system.
         65536 KB occupied by the log file.
       4482208 KB available on disk.

          4096 bytes in each allocation unit.
      30963082 total allocation units on disk.
       1120552 allocation units available on disk.

    C:\WINDOWS\system32>wmic recoveros set autoreboot = false
    Updating property(s) of '\\JHTABLET\ROOT\CIMV2:Win32_OSRecoveryConfiguration.Name="Microsoft Windows 10 Pro|C:\\WINDOWS|\\Device\\Harddisk0\\Partition3"'
    Property(s) update successful.

    C:\WINDOWS\system32>bcdedit /enum {badmemory}

    RAM Defects
    -----------
    identifier              {badmemory}

    C:\WINDOWS\system32>

    ================================


    Jeremy Heymann Market Mentor Online

    Friday, August 9, 2019 7:50 PM