[dba-Tech] Windows Event Log help

Jim Lawrence accessd at shaw.ca
Wed Sep 25 13:04:15 CDT 2013


Hi John:

Any break throughs yet?

Removed a supposed virus protection program that a client had installed yesterday. The client of course denied it and the program was actually a blackmail routine.

When I arrived, email was inaccessible, warnings were popping up continuously, the task manager was blocked as well as access to the command prompt, the only functioning browser led straight to their payment site, and Microsoft Security Essentials was disabled. As you would guess, the malware was everywhere in the system...in the paths, superseding legitimate apps, every start-up spot, all through the registry and so on. It took over three hours to remove and there are still fixes needed, but at least the client can now do her work. The best method would have been to reformat and start again, but that process would probably have taken eight to ten hours.

Jim

----- Original Message -----
From: "John R Bartow" <jbartow at winhaven.net>
To: "Discussion of Hardware and Software issues" <dba-tech at databaseadvisors.com>
Sent: Monday, September 23, 2013 6:48:55 PM
Subject: Re: [dba-Tech] Windows Event Log help

Thanks, first thing I did. Nothing new. There are software vendors with
remote support so I always suspect them ;-)

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Monday, September 23, 2013 3:15 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Windows Event Log help

Hi John:

Other than by using observation and/or running the MS event logging there is
no obvious way to absolutely identify the culprit. That said, as programs
that enact a periodic forced reboot are rare, I would suspect a new
application has been loaded on the system recently and I would check the
"Add and Remove programs" section and check the Services section and try to
spot some app that is unfamiliar and either remove it or turn it off.

Jim

----- Original Message -----
From: "John R Bartow" <jbartow at winhaven.net>
To: "Discussion of Hardware and Software issues"
<dba-tech at databaseadvisors.com>
Sent: Sunday, September 22, 2013 8:04:25 PM
Subject: Re: [dba-Tech] Windows Event Log help

Jim,
It wasn't a crash. I don't have Windows automatic updates enabled. I do that
via my RMM via WSUS. I've also run into the Windows 7 Home issue but all of
these stations are Windows 7 Pro.
Oracle's Java updated to 7.4 but I didn't authorize it and I can't find any
options for how it upgrades now. (I can also do that via RMM but I need to
be able to figure out how to turn it off on the workstations too.)

So I'm trying to do the detective work of which program caused this: WSUS,
Java, or something else. Question is how? I thought the event log would be
the way to go but it seems to only tell me it shut down - but not why.
John B

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Sunday, September 22, 2013 12:44 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Windows Event Log help

Hi John:

You seem to have a problem with your updates.

I (try to) never have automatic updates...they are just too dangerous. The
last thing needed is a client's site crashing during a work day. That said,
do you have the full event log or just the dump file?

Windows does have events that will override any settings. This happens when
an update has been installed and then the immediate reboot cycle has been
postponed.

The Home edition of Windows 7 is just such a beast. At one point it will
decide, regardless of the settings, that some process must be handled...it
first prompts how long before the boot cycle starts, which can be up to four
hours, but if no one takes action within a five-minute window, it starts a
shutdown and reboot cycle of about two minutes. Your description does sound
like that.

Jim
----- Original Message -----
From: "John R Bartow" <jbartow at winhaven.net>
To: "DBA-Tech" <dba-tech at databaseadvisors.com>
Sent: Saturday, September 21, 2013 1:02:18 PM
Subject: [dba-Tech] Windows Event Log help

Do any of you fine people know how to filter the event log for what PROGRAM
caused a reboot?

I know Event IDs 6005 and 6006 will indicate a power down event but that
information isn't very helpful by itself in this instance.

I had an entire office of workstations reboot once during the day (at
various times). They all got a 2 minute warning that the computer was going
to reboot, save your work, etc. which sounds like my script. Except my
script happens on Tuesday nights not Thursday during work hours.

It appears that Java was updated but I do not allow for automatic updates,
so, I'm trying to track this down.

TIA
John B

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
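One way to get the answer John is asking for, as an added example that is not part of the thread: besides 6005/6006, the System log records Event ID 1074 (source USER32) for every planned shutdown or restart, and its message names the initiating process, the user it ran on behalf of, and the reason. The script below pulls those events from one or more workstations and lines them up with 6005/6006/6008 for context; the computer list, the 14-day window and the message-template regex are assumptions (the regex follows the standard English 1074 message text, and remote queries assume the Remote Event Log Management firewall rule is open).

```powershell
# Added example (not from the thread): list what process initiated each
# reboot on the given Windows workstations, using System-log Event ID 1074.
# 6005/6006 only mark the Event Log service starting/stopping and 6008 an
# unexpected shutdown; they are included to give the surrounding timeline.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # assumption: local box by default
    [int]$Days = 14                                  # assumption: look back two weeks
)

$since = (Get-Date).AddDays(-$Days)

# Assumption: the standard USER32 1074 message template
# "The process X has initiated the restart of computer Y on behalf of user Z
#  for the following reason: ...". "power off" and "shutdown" use the same shape.
$pattern = 'process (?<proc>.+?) has initiated the (?<type>\S+(?: off)?) of computer ' +
           '(?<host>\S+) on behalf of user (?<user>.+?) for the following reason: ' +
           '(?<reason>[^\r\n]+)'

foreach ($pc in $ComputerName) {
    # -FilterHashtable filters on ID and time server-side, which is much faster
    # than piping every System event through Where-Object.
    $events = Get-WinEvent -ComputerName $pc -FilterHashtable @{
        LogName   = 'System'
        Id        = 1074, 6005, 6006, 6008
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $proc = $null; $user = $null; $reason = $null; $type = $null
        if ($e.Id -eq 1074 -and $e.Message -match $pattern) {
            $proc = $Matches.proc; $user = $Matches.user
            $reason = $Matches.reason; $type = $Matches.type
        }
        [pscustomobject]@{
            Computer = $pc
            Time     = $e.TimeCreated
            Id       = $e.Id
            What     = switch ($e.Id) {
                           1074 { "$type initiated" }
                           6005 { 'Event Log started (boot)' }
                           6006 { 'Event Log stopped (clean shutdown)' }
                           6008 { 'Unexpected shutdown' }
                       }
            Process  = $proc    # e.g. wuauclt.exe for Windows Update, or an updater service
            User     = $user    # SYSTEM for services, a named account for interactive reboots
            Reason   = $reason
        }
    }
}
```

Run it as `.\Get-RebootSource.ps1 -ComputerName ws01,ws02 | Format-Table -AutoSize` (script name assumed); a 1074 row a couple of minutes before each 6006/6005 pair shows which process gave the two-minute warning.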