GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » GFI LanGuard » Unexpected Shutdowns - runtimebroker
help-browser.png  Unexpected Shutdowns - runtimebroker [message #149615] Thu, 15 April 2021 20:00 Go to next message
Alan_One is currently offline  Alan_One
Messages: 2
Registered: April 2021
Hello All,

We have recently begun deploying updates and remediations using GFP Languard in our environment. I'm starting to notice infrequent happenings of PCs going offline and needing to be powered on. When checking the logs the reoccurring events I am seeing are Event ID: 1074

The process C:\Windows\System32\RuntimeBroker.exe (PCNAME) has initiated the power off of computer PCNAME on behalf of user domain\username for the following reason: Other (Unplanned)
Reason Code: 0x0
Shutdown Type: power off


This has happened on about 5 machines in the last couple weeks. My company is full work from home and we have disabled the user's ability to shutdown their PCs via the typical start menu actions. However I don't think these are user shutdowns. I'm trying to find a possible link with the GFI updates that have been going out. I have been scheduling GFI to push updates at various times of day and after hours, and never set it to restart unless after hours. However none of those options include straight up shutting a PC down completely... Also, several of these Shutdown PCs when checked against the GFI event log, many of them didn't even complete or deploy the updates and failed anyway. So the shutdowns don't line up with the right timeframe of the planned update pushes, and thus a potential reboot (But again no shutdown option that I see can be selected for updates)

We have over 200 computers and so far this has only happened to about 5, but its the same thing each time so there must be something causing this. Other strange event entries right after the above 1074, within less than a min I see:

Microsoft-Windows-Kernel-Power is throwing- Event ID 187
"User-mode process attempted to change the system state by calling SetSuspendState or SetSystemPowerState APIs."


And then kernel Power again- Event ID 42
"The system is entering sleep.
Sleep Reason: Application API"


Sleep mode what the?

8 seconds later- Event ID 107
"The system has resumed from sleep"


And that is the last entry because the system is powered off and required physical power on in office.

This is a pretty weird one with not a lot of good answers online relating to runtimebroker, lot of references to virtual machines (These are Dell desktops) and references to user initiated shutdowns, which again we have the normal shutdown UI disabled via Group Policy and these particular users know not to shutdown as we have been work from home since the beginning of pandemic.

Toss it over in your heads and if anyone has any ideas let me know! Appreciate it.
Re: Unexpected Shutdowns - runtimebroker [message #149623 is a reply to message #149615] Fri, 16 April 2021 19:45 Go to previous messageGo to next message
bradley.smith is currently offline  bradley.smith
Messages: 31
Registered: February 2021
Reviewing what you shared, this doesn't look like LanGuard itself is directly causing the shutdown.

When LanGuard executes a shutdown, it does show up as an event 1074 in the System event logs. But it should be from the rebootattendant.exe. I'm including an example of a restart from one of VMs:

Event 1074, User32
The process C:\Windows\Patches\rebootattendant.exe (COMPUTER1) has initiated the restart of computer COMPUTER1 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x80004e32
 Shutdown Type: restart
 Comment: 

It's possible, that even though LanGuard isn't directly executing the reboot, that something with the Program Updates is executing the reboot. As I would not recommend sharing information on your internal network directly on our forums I will recommend you create a ticket with our support team.

When you create the ticket, I would recommend requesting that they prove that LanGuard is not causing the unexpected shutdowns. When you create the ticket I recommend including the following information:


  • From one of the client computers where you are having this issue, in C:\Windows\Patches, find the patchagent.log and include it on the ticket you create.
  • The SYSTEM and APPLICATION event logs from the system to include on the ticket you create. I personally always preferred this data in a .evtx format when I would request this data on the LanGuard tickets I would work.
The patchagent.log file is the log file left on the target systems from when the GFI LanGuard Patch Agent carries out any of its remediation tasks. The event logs would be leveraged just to see what's happening on those systems.



GFI Customer Support Edge Team
Re: Unexpected Shutdowns - runtimebroker [message #149624 is a reply to message #149623] Fri, 16 April 2021 19:52 Go to previous messageGo to next message
Alan_One is currently offline  Alan_One
Messages: 2
Registered: April 2021
Thanks, I opened a ticket with them about the same time I posted this. So far no response.
Re: Unexpected Shutdowns - runtimebroker [message #149634 is a reply to message #149624] Mon, 19 April 2021 19:42 Go to previous messageGo to next message
bradley.smith is currently offline  bradley.smith
Messages: 31
Registered: February 2021
I see the ticket now. I submitted an internal escalation earlier today on it. I'll submit another one as you still haven't received a response as of me writing this.

GFI Customer Support Edge Team
Re: Unexpected Shutdowns - runtimebroker [message #149921 is a reply to message #149615] Tue, 22 June 2021 14:59 Go to previous message
sigsyr is currently offline  sigsyr
Messages: 1
Registered: June 2021
Did you ever figure this issue out? We also use GFI for patch management, and are also experiencing the same issue, with the same messages in the event log. Thanks!
Previous Topic: LanGuard Agent for Linux
Next Topic: Relay Activation pending
Goto Forum:
  


Current Time: Tue Aug 16 04:02:10 CEST 2022

Total time taken to generate the page: 0.02926 seconds