0

the server is a 2019 standard vm. It rebooted in the middle of the day, so i went digging through the logs and found this:

The process C:\WINDOWS\system32\shutdown.exe (servername) has initiated the restart of computer servername on behalf of user servername\www for the following reason: No title for this reason could be found Reason Code: 0x800000ff Shutdown Type: restart Comment:

there is no WWW user or service account that I can find on the server. What could cause this?

I have already restricted shut downs to admin users using group policy, but I'm not sure that applies to shutdown.exe

Improve this question
5
  • What is the function of the server in question?
    – Ramhound
    Commented Jan 5, 2022 at 23:09
  • It hosts a translation managment web app that runs in tomcat. We updated to patch log4j vulnerabilities about a week and a half ago, but it seems there was just another update released that also mentions log4j patches. We applied that and will monitor things a bit more closely.
    – Ethan Byrne
    Commented Jan 7, 2022 at 0:12
  • So isn’t www a directory used by Tomcat?
    – Ramhound
    Commented Jan 7, 2022 at 0:29
  • Probably. I'm not sure how that would get into an event log about a user named www rebooting the server. Maybe I'm just missing something.
    – Ethan Byrne
    Commented Jan 10, 2022 at 19:43
  • Can you determine if that is or isn't a directory used by Tomcat? "Probably" isn't anything I can work with when writing my answer.
    – Ramhound
    Commented Jan 10, 2022 at 20:38

0

Reset to default

You must log in to answer this question.

Browse other questions tagged .