3

A Windows 2008 R2 machine reboots automatically every now and then, typically on Friday afternoons. The reboots are "announced" in the event log as follows:

Event ID: 1074
process:  svchost.exe,  
user:     NT-AUTHORITY/System, 
reason:   OS:restore(planned), 
code:     0x80020002

I guess this is precisely the event one can expect if a Windows update from our WSUS server requires a reboot. However, as far as I can see, such reboots should happen at most at about 3 a.m. This has happened repeatedly this year, namely

  1. 2013-01-10 03:15:12 - Probably due to an update
  2. 2013-01-20 03:04:37 - Probably due to an update
  3. 2013-02-14 16:35:27 - What's that??
  4. 2013-03-06 16:23:07 - What's that??
  5. 2013-03-15 13:49:12 - What's that??
  6. 2013-04-14 21:18:36 - What's that??
  7. 2013-04-26 14:58:54 - What's that??
  8. 2013-05-17 15:51:41 - What's that??

If I check updates after today's reboot, it says

Last time checked for updates: Today, 15:47
Updates installed: Yesterday, 20:57

So, while the last check is suspiciously short before the reboot, the last actual update took place yesterday (Forefront virus definition update, no reboot required).

What can be the cause? What can be done to prevent it?

Please feel free to ask for more details.


Update: The nearest event log entries around the shutdown with source WindowsUpdateClient were:

  • immediately after the event#1074 above: Event#27 "Automatic Updates" has been stopped
  • at 13:00 (almost 3 hours before shutdown): Event#19: Installation successful (Forefront definition update)
  • at 15:55 (quite shortly after reboot): Several events #19: Installation successful (several OS updates, security updates and cumulative security updates)

It is plausible that the updates in the last point were waiting for a reboot. In fact, I found an event #22 ("Reboot necessary, computer will reboot in 15 minutes") on 2013-05-16 03:14:28 mentioning precisely the updates mentioned in the post-reboot events. However, why didn't it reboot at 3:30 a.m. yesterday as the event message suggests instead of 4 p.m. today?

By popular demand, the relevant policy settings under Computer configuration\Administrative templates\Windows components\Windows update according to the GPO modeling wizard:

  • Configure automatic updates: Enabled with "4 - Download and install by schedule", "daily", "at 03:00 a.m."
  • Automatic updates immediate installation: Enabled
  • Enable client-side targeting: Enabled with "MyGroup"
  • Specify intranet Microsoft update location: Enabled with updates and stats = "http://my-wsus-server"
  • No auto-restart for scheduled updates with logged on users: Enabled
  • Allow signed updates from an intranet Microsoft update service: Enabled
  • Automatic Updates detection frequency: 22 hours

I don't have a bad feeling with these settings. The only suspect is No auto-restart for scheduled updates with logged on users. However, for the observed behaviour, a user must have been logged on from yesterday 3 a.m. until today 4 p.m. (or possibly several overlapping sessions). Sifting through the ocean of Security Event Log, I did indeed find: Three events #4634 (logoff), two for Administrator RDP sessions (type 10), one for Administrator console session (type 2), all in the very same second as the event #1074 above! But what is cause and what is effect? Or how come three sessions got killed simultaneously?

Hagen von Eitzen
  • It's for Windows 7 but can also apply in this situation: http://superuser.com/questions/15165/windows-7-is-shutting-down-unexpectedly-according-to-the-logs – Travis May 17 '13 at 17:39
  • Anything relevant at the same time in `%windir%\WindowsUpdate.log`? Also, any Scheduled Tasks running at that time? Can you try disabling the Windows Update service for a few weeks to see if that stops it? – charleswj81 May 18 '13 at 00:29
  • This is one of those times when some of us will override Microsoft's suggestion and set it to download only and not apply the updates until a human reviews it. Usually one reason is to prevent exactly what you are experiencing. Unless this is a machine that can randomly reboot, I would probably suggest using the Enabled with "3 - Auto Download and notify for install" instead. – MikeAWood May 18 '13 at 00:39
  • For the moment, I added a script to log all active RDP sessions at 2 a.m. and kill them - just to observe the effect. Otherwise, @MikeAWood's suggestion might be the most useful, though I still wonder why all other boxes are happy with "4". – Hagen von Eitzen May 18 '13 at 08:03
  • I just prefer to supervise updates like this. Nothing worse than Exchange patching in the middle of the night on all 4 of my servers only to discover that Unified Messaging no longer works in the morning. Only have to go through one time of no Voicemail all day to never do that again. :) – MikeAWood May 21 '13 at 19:50
  • 2
    We just disable the 'no restart with logged on users' policy, but we've been bitten by enough Exchange rollups where services didn't start after the server comes up to where @MikeAWood's answer makes a lot of sense, more so the bigger you are. But for as small as an environment as us and our customers are it's not as big a deal. – David V May 21 '13 at 20:47
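
The manual correlation described in the question (Event 1074, the WindowsUpdateClient events 19/22/27, and the 4634 logoffs in the same second) can be scripted to produce one timeline per restart. This is an added example, not part of the original post; the 180-day range, the window sizes and the helper name `Get-EventDataValue` are assumptions.

```powershell
# Added example: timeline of update and logoff events around each restart (Event 1074).
# The 180-day range and the window sizes below are assumptions; adjust as needed.
$since     = (Get-Date).AddDays(-180)
$lookBack  = New-TimeSpan -Hours 40     # reaches back to a 03:00 install the previous day
$lookAhead = New-TimeSpan -Minutes 15   # catches installs that complete right after boot

function Get-EventDataValue($evt, $name) {
    # Hypothetical helper: read a named field from the event's XML payload (e.g. LogonType)
    $data = ([xml]$evt.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $name }).'#text'
}

$restarts = Get-WinEvent -FilterHashtable @{ LogName='System'; Id=1074; StartTime=$since } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

# Windows Update client: 19 = install succeeded, 22 = reboot necessary, 27 = Automatic Updates stopped
$wu = Get-WinEvent -FilterHashtable @{ LogName='System'; Id=19,22,27; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*WindowsUpdateClient*' }

# Logoffs; reading the Security log requires an elevated session
$logoffs = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4634; StartTime=$since } -ErrorAction SilentlyContinue

foreach ($r in $restarts) {
    $from = $r.TimeCreated - $lookBack
    $to   = $r.TimeCreated + $lookAhead
    "=== Restart announced {0:yyyy-MM-dd HH:mm:ss} ===" -f $r.TimeCreated

    # First line of the message is enough to identify the initiating process and reason
    $rows  = @($r | Select-Object TimeCreated, Id, @{n='Detail';e={ ($_.Message -split "`r?`n")[0] }})
    $rows += @($wu | Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -le $to } |
        Select-Object TimeCreated, Id, @{n='Detail';e={ ($_.Message -split "`r?`n")[0] }})
    # Only logoffs within 5 seconds of the restart, i.e. sessions that ended with the shutdown
    $rows += @($logoffs | Where-Object { [math]::Abs(($_.TimeCreated - $r.TimeCreated).TotalSeconds) -le 5 } |
        Select-Object TimeCreated, Id, @{n='Detail';e={
            "logoff user={0} type={1}" -f (Get-EventDataValue $_ 'TargetUserName'), (Get-EventDataValue $_ 'LogonType') }})

    $rows | Sort-Object TimeCreated | Format-Table -AutoSize | Out-String
}
```

A restart whose timeline shows an event 22 many hours earlier, followed by 4634 entries in the same second as the 1074, matches the pattern described in the question: a pending reboot held back while sessions were logged on.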

1 Answer

4

Given this is pulling updates from a WSUS server, check the WSUS GPO for your appropriate OU. You can change this for updates to go off when you'd prefer. But the most likely answer to your question is this is a WSUS policy applying updates to your machine.

David V