Strange behaviour every night


Fr33m4n

There is some kind of automated task that runs every night and I can't figure out what is happening. Nothing is scheduled to run.

Here is what happens:

At around 3:30 AM the computer restarts. It doesn't matter if I have any overnight processes running, it shuts down regardless and ruins any attempt I have at doing stuff at night. The computer then logs in as NULL SID and shortly after as SYSTEM. It starts up the Windows Firewall service which I normally have turned off.

At around 5:30 AM the computer logs in as SYSTEM, again, with special privileges. There is no record of it ever logging off from the previous thing though. Then, as far as I can tell it starts the VSS service briefly before shutting it down again.

When I arrive at the computer hours later I am greeted by the login screen and login proceeds as if by a cold boot.

The above info is gathered from the Computer Management Console.

Windows Update is set to "Download, but let me choose when to install".

I am on Vista Ultimate x86.

This is really annoying and means that I can't ever run any overnight stuff. Anyone have any ideas?

TIA

Fr33m4n


Since the system account is supposed to only ever log on to session 0 to run services, if you're actually seeing it LOG ON to a desktop, you've got a serious problem that could very well be malicious. If you run Process Explorer, can you see anything out of the ordinary running when this occurs?

Also, when exactly did this behavior start?


  • 2 weeks later...
I don't know about "Log on to a desktop" as this all happens when I'm sleeping and I've never watched it happen. I'm just reading what is recorded in the logs in computer management. As far as I can tell there is nothing out of the ordinary listed by Process Explorer. I'm also running ESET security suite so there should not be a whole lot of things that could have slipped by.

I'm not entirely sure when this all started to happen but it has been happening for a few months now.


Configure your computer for a complete memory dump, and to not automatically reboot. If it's crashing, you'll see it when you wake up - if it really IS running something, you will have to find a way to do some auditing (if you're running Business, Enterprise, or Ultimate you can use local group policy to enable auditing logon/logoff events and process start/stop events into the event log).

I'm on Vista Ultimate. So after reading your post and realizing the potential power of the Computer Management Console to catch the culprit I started mucking around in there. I eventually found the tool for creating custom views in the event logger and so I thought I'd create one to show me all the events around the time this occurs, and guess what. I did find the culprit.

02:48:56: Application popup: Windows SteadyState : The system will be shut down in 10 minutes for a scheduled update.

I forgot I even had it installed, but as I hinted at earlier, this is not a machine I use a lot. But in order to avoid the crap that the people who do use this machine a lot put on here I installed SteadyState. I had no idea that it would override the default Windows Update settings. I have now turned it off and I'm looking forward to seeing if that did the trick.

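The time-window search described in the post above (and the logon/process auditing suggested in the earlier reply) can also be scripted. This is an added example, not something posted in the thread: it assumes PowerShell 2.0 or later with `Get-WinEvent`, an elevated prompt so the Security log is readable, and a default window around 03:30 that you should adjust; the hint text per event ID is the example's own annotation.

```powershell
# Added example: list every event logged around an unexplained nightly restart.
# Assumptions: restart is near 03:30 today; run elevated to read the Security log.
param(
    [datetime]$Center        = (Get-Date).Date.AddHours(3).AddMinutes(30),
    [int]     $MinutesBefore = 60,   # wide enough to catch a "shutdown in 10 minutes" notice
    [int]     $MinutesAfter  = 30
)

$start = $Center.AddMinutes(-$MinutesBefore)
$end   = $Center.AddMinutes($MinutesAfter)

# Hints for event IDs that usually explain a restart. IDs are not unique across
# providers, so always check the Provider column before trusting a hint.
$hints = @{
    26   = 'Application Popup: text of a message box (e.g. a shutdown notice)'
    1074 = 'USER32: process or user that requested the shutdown/restart'
    6005 = 'Event Log service started (system booted)'
    6006 = 'Event Log service stopped (clean shutdown)'
    6008 = 'Previous shutdown was unexpected (crash or power loss)'
    4624 = 'Account logon (needs logon auditing enabled)'
    4672 = 'Special privileges assigned to new logon'
    4688 = 'Process created (needs process tracking auditing enabled)'
}

$events = foreach ($log in 'System', 'Application', 'Security') {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            StartTime = $start
            EndTime   = $end
        } -ErrorAction Stop
    } catch {
        # Raised for access denied and also when the window holds no events.
        Write-Warning "${log}: $($_.Exception.Message)"
    }
}

$events | Sort-Object TimeCreated | Select-Object `
    TimeCreated,
    LogName,
    @{ Name = 'Provider'; Expression = { $_.ProviderName } },
    Id,
    @{ Name = 'Hint';     Expression = { $hints[$_.Id] } },
    @{ Name = 'Message';  Expression = {
        # First line only, so one event stays on one row.
        if ($_.Message) { ($_.Message -split "`r?`n")[0] } else { '' }
    } } | Format-Table -AutoSize -Wrap
```

An Application Popup or USER32 1074 entry a few minutes before the boot events names the component that asked for the restart; a 6008 entry with nothing before it points to a crash or power loss instead.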


:P

Sorry, I had to chuckle. Did this to myself with an XP system a few years ago. Brings back memories.... lol
