How can I find out what is restarting my PC automatically?

[CWuestefeld]

Do you have the system set to auto-update, (default is 3am everyday)?

-4wd (November 27, 2013, 05:00 AM)

It seems that a couple of months ago, Windows did something that switched both my PC and my wife's to auto-update. That setting had previously been turned off (because it's evil), but it got turned back on somehow. I'm not sure if it's due to something that happened as a result of a previous Windows Update, or maybe because I had recently dropped both machines out of our domain, into a workgroup.

[dr_andus]

It seems that a couple of months ago, Windows did something that switched both my PC and my wife's to auto-update. That setting had previously been turned off (because it's evil), but it got turned back on somehow.

-CWuestefeld (November 27, 2013, 12:44 PM)

Interesting. That would explain why it hasn't bothered me before (I bought this PC 3 yrs ago, which is when I would have set the auto-update settings to "download updates but let me choose") and make me look less of an amateur (which I nonetheless still am).

[MilesAhead]

Pretty soon the way it's going all the settings will be for placebo effect only.  Bill Gates to staff "Let them click on whatever they want!! But we'll still do the right thing."  

[4wd]

Also IIRC it reports in UTC so the disparity should match your time zone offset.

-Stoic Joker (November 26, 2013, 07:02 AM)

Just had another look at uptime and it is reporting in the local timezone, (even though it can't identify it):



But as I was matching up times trying to see the discrepancies I noticed the filter I made wasn't giving system boot events  

NOTE: This is for Windows 7.

Anyway, the new improved filter:
Sources: EventLog, Kernel-Boot, Kernel-BootDiagnostics, Kernel-General, Kernel-Power, Power-Troubleshooter,USER32
Event IDs: 1,12,13,41,42,109,1073,1074,6008
Event Level: Critical, Error, Warning, Information

The Event IDs were picked out of my Event Log from power events, etc - some Event IDs mean more than one thing depending on the source, eg. Event ID 1
Source: Kernel-General = System time has changed
Source: Power-Troubleshooter = The system has resumed from Sleep

You could refine the xml so that certain Event IDs only pertain to specific sources but I didn't see enough clashes to warrant the effort, (on my machine anyway).

Short list of what the Event IDs are, (pertaining to startup/shutdown):

Event ID	Event Type	Event Source	Event
1	INFORMATION	Power-Troubleshooter	The system has resumed from Sleep
12	INFORMATION	Kernel-General	The operating system started at system time
13	INFORMATION	Kernel-General	The operating system is shutting down at system time
41	CRITICAL	Kernel-Power	The system has rebooted without cleanly shutting down first.
42	INFORMATION	Kernel-Power	The system is entering sleep.
109	INFORMATION	Kernel-Power	The kernel power manager has initiated a shutdown transition.
1073	WARNING	USER32	The attempt by user <user> to restart/shutdown computer <computername> failed
1074	INFORMATION	USER32	The process <processname> has initiated the power off of computer <computername> on behalf of user <user> for the following reason: ...
6008	ERROR	EventLog	The previous system shutdown at <time> on ‎<date> was unexpected.

If I find any more I'll add them.

Added: Event ID 6008

Also, over on p0w3rsh3ll there's a PowerShell script to retrieve the reboot history of Win7, (and Win 2008 R2), computers.  Providing you have the same login credentials on other computers on the network, it can get those too.

I've attached it below, you'd need to modify it to accept parameters or edit to add in other computer names, (hey, I'm lazy), as it'll just do the localhost if you currently run it.

[dr_andus]

(see attachment in previous post)
Do you have the system set to auto-update, (default is 3am everyday)?

This isn't going to turn out to be something as simple as this all along is it? 

-4wd (November 27, 2013, 05:00 AM)

Actually it didn't, in the end. I turned off the auto-update a few days ago, but I had a recurrence today. This time however I managed to catch it in the act. I awoke the PC, and as it was coming back to life, I unwisely tried to move one software window from one monitor to the next (using Winsplit Revolution's CTRL+ALT+arrow hotkey) before it fully woke up. At this point all three screens went blank (the grey colour of my desktop) and stayed that way. I unplugged and replugged the  DisplayPort to VGA Video Adapter Converter, but it didn't make a difference. After a while suddenly the Windows login box popped up, which surprised me, as I didn't see any signs of rebooting.

When I checked Reliability History, it said "Windows Logon Application stopped working." The ACEEEvent log was full of all kinds of ATI and CCC.exe errors, as usual.

I think I have figured out two things here:

1) The problem does seem to point to the ATI graphics card (and possibly the adapter for the 3rd monitor); and

2) there doesn't seem to be an actual complete reboot involved!! I don't hear all the usual reboot noises (fan etc.), it just seems to restart Windows somehow and asks me to log back on. Could this be possible?

[Shades]

Have you already tried to disconnect the 3rd monitor and the adapter, and then retrace all the steps you did when you "caught" the culprit?

If the problem still remains, there is something going on with your video card and/or it's drivers (although I still would not completely rule out your power supply, especially if it an older one that only barely delivers the required Watts). Of course, if the problem disappeared you can safely assume that the adapter for the 3rd monitor is responsible for your troubles.

The process of elimination is usually the best way to troubleshoot strange problems and identify bad parts. You normally start with the bare minimum of hardware to run and add each time one piece of hardware until you add the part that gives you the problem.

[Stoic Joker]

Given that there is no real reason to be tweaking with the graphics stuff ("Not a gamer") just uninstall the CCC. ATi used to make it a separate DL so it could be easily ignored...but the newer versions of their driver have it bundled in.

The CCC used to be notorious for many weird assed crashes, which is why I never usually install it.

If nothing else at least that will stop it from constantly flooding the logs with it's nonsense "informational" messages.

[4wd]

+1 with Shades and SJ (who snuck in ahead of me).

Up until this point, the restarts caused by the auto-update have appeared to be masking the real problem - which seems to be the winlogon.exe process crashing.  Once that happens the system restarts the process if it can, (AFAIK).

[dr_andus]

Thanks for all the advice. I admit I haven't done all the elimination tests yet, as I do need my 3rd monitor for my daily work, and this is the machine I need to use all day.

But I didn't realise I can just unistall CCC. I'll do that then, and see if there are any improvements.

As for the power supply, I don't really know how to tell whether it's adequate. I presume you are referring to the power supply inside the PC? It's a 3-year old Acer Aspire M7811.

[Target]

if it was me I'd totally uninstall ALL the video drivers and the associated apps - clean out as much as possible, then shut down and reinstall the bare minimum (have a fish around and you might find an installer for just the video drivers)

[Stoic Joker]

if it was me I'd totally uninstall ALL the video drivers and the associated apps - clean out as much as possible, then shut down and reinstall the bare minimum (have a fish around and you might find an installer for just the video drivers)

-Target (December 04, 2013, 07:09 PM)

+1 - Yes indeed, kill it with fire is always an excellent policy!