How to determine the reason for Windows spontaneous shutdown?

Question

Update 2: Tracking the reasons for a few shutdowns in the past couple of weeks, using the Event Viewer without filtering events, to get to the approximate time of shutdown, it seems like the last few shutdowns were caused by system overheating, and not by some malicious script or process.

I will continue to monitor that and update this question if new findings are observed.

---

Update 1: I used Sysinteranls Autoruns utility as suggested by @Mark, and listed all the (non-Microsoft) startup objects, to look for a script that supposedly calls Shutdown. After exporting and cleaning the list of the known binary file types (.exe, .sys, .dll) I saw two proprietary binary files belonging to a specific application which I installed some time ago. The computer was problematic long before I installed that app, so I do not think those are related to the problem, but I uninstalled it anyway. Other than the binaries and a few File not found entries, there are no other entries in the list.

Is there a way to log what application called the shutdown.exe utility?

---

Original question: My Dell E7450 Win10 laptop regularly shuts itself down spontaneously. Looking online, I found a couple of resources pointing to the Event Viewer application.

Following the instructions, I am able to see the list of shutdown events (codes 1074, 6006, 6008). It seems like no 6006 and 6008 events are recorded. Of the multiple 1074 events, I see a few that are related to the software updates, but many that are related to the spontaneous shutdowns.

Examining the event(s), they all look like the following. The reason code is 0x800000ff and no reason nor comment are provided.

I can normally immediately turn the computer on again, and log into Windows.

Upon these shutdowns, the work is not properly saved, if not by the auto-save features of the various running apps (if they have ones). With Chrome, I sometimes get the "Restore previous session" popup, and sometimes have to go through the History menu to reopen the previous Chrome windows.

How can I determine the reason for those shutdowns?

Answer 1

Tracking the reasons for a few shutdowns in the past couple of weeks, using the Event Viewer without filtering events, to get to the approximate time of shutdown, it seems like the last few shutdowns were caused by system overheating, and not by some malicious script or process.

I will continue to monitor that and update this question if new findings are observed.

Answer 2

The symptoms I witnessed in my Dell E7450, Windows 10:

• Spontaneous shutdowns.
• In the "Reliability Monitor" (easier UI compared to "Event Viewer") I saw not only the shutdowns, but many warnings by Google Updater. I blamed Chrome for that.
• The battery icon (at the taskbar) sometimes showed an icon of a battery crossed out, as if the battery is not recognized. I almost bought a new battery just because of that.

The changes I made about 5 days ago, that seem to have stopped the all symptoms (for now... crossing my fingers):

1. Uninstalled Chrome browser, because of the warnings in the "Reliability Monitor". Computer kept crashing, though, but I'm still with Chrome uninstalled.

2. Uninstalled the "Intel Dynamic Platform and Thermal Framework Driver" that I once got from Dell's site (support.dell.com, where this driver was marked with their blue THIS PC badge, i.e. believed to be most suitable for my PC, I guess). See "p.s." below for more details on the driver.

3. Following some voodoo suggestion from somewhere (I forgot where), I modified the Battery plan settings from "100%" to "98%" in two places as follows: in the computer's power options (Control Panel\Hardware and Sound\Power Options), "Change plan settings", "Change advanced power setting". Then scroll down to "Processor power management > Maximum processor state" and change 100% to 98% for both "> On battery" and "> Plugged in".

I hope that some of this makes sense / will help!

---

p.s. More details on the driver:

Intel Dynamic Platform and Thermal Framework Driver
Version: 8.3.10209.6897, A12
Last Updated Date: 18 Mar 2020
File Name: Intel-Dynamic-Platform-and-Thermal-Framework_74P16_WIN_8.3.10209.6897_A12.EXE
File size: 14.65 MB

Reason for uninstalling it: I suspected that a software might cause the flukes in not recognizing the battery or deal inappropriately (shutdown) with an alleged heating etc.; also, in the "View full driver details" for this driver, it says that it's an "Update Package for MS Windows 32-Bit" while mine is 64-bit (sure, they also say "...designed to run on Microsoft Windows 64bit Operating Systems", but I don't trust programmers).

Answer 3

A while ago I made this long PowerShell one-liner using custom code. It's looking for events in the log around the time of the reboot. It downloads the code for my Get-RebootReport function and executes a few commands. It will give you an idea of what was happening around that time.

The code source is behind the URI if you want to verify it doesn't do anything other than what I claim.

$csvPath="$($env:temp)\temp.csv";$LogNames=@('System','Application');[Net.ServicePointManager]::SecurityProtocol=[enum]::GetNames([Net.SecurityProtocolType])|Foreach-Object{[Net.SecurityProtocolType]::$_};(New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/tonypags/PsWinAdmin/master/Public/Get-RebootReport.ps1' )| iex;$LastRebootTime = (Get-RebootReport)[0].Date;$Events=@();$LogNames|%{$FilterHashtable = @{LogName=$_;EndTime=($LastRebootTime.AddMinutes(1));StartTime=($LastRebootTime.AddMinutes(-5));};Get-WinEvent -FilterHashtable $FilterHashtable|%{$Events += $_}};$Events| sort TimeCreated |select LogName, TimeCreated, ProviderName, Message | export-csv $csvPath -notype; ii $csvPath