Random Restarts - No BSOD

sebs92

My PC randomly restarted itself for the 3rd time in 2 days.
Yesterday, after the 2nd event, I disabled automatic restarts on system failure. Today the computer shut itself down and powered back on regardless while I was in the other room. There are no entries in the system log for today; however, there is an entry from yesterday and a bunch of the same ones dating back to February (the computer only started restarting yesterday).
Event Viewer shows this in every event it recorded:


HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden & C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client


Now for the strange part: I need SMB and I use it. I have a drive plugged into my router that I use to exchange files between 2 computers in the house. I went to features in order to see if disabling SMB would help; however, all SMB features are already disabled. WTF?
Is someone trying to remotely access my machine?

There is usually a pattern of a bunch of Event ID 600s, then one 400 and one 403.

EventID 600

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="PowerShell" />
<EventID Qualifiers="0">600</EventID>
<Level>4</Level>
<Task>6</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-05-18T20:56:14.821547600Z" />
<EventRecordID>1443</EventRecordID>
<Channel>Windows PowerShell</Channel>
<Computer>User-PC</Computer>
<Security />
</System>
<EventData>
<Data>Environment</Data>
<Data>Started</Data>
<Data>ProviderName=Environment NewProviderState=Started SequenceNumber=5 HostName=ConsoleHost HostVersion=5.1.16299.431 HostId=937de22a-97ae-4b72-9d69-2796923a814c HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
</EventData>
</Event>


Event 400

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="PowerShell" />
<EventID Qualifiers="0">400</EventID>
<Level>4</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-04-17T18:19:16.112442500Z" />
<EventRecordID>1439</EventRecordID>
<Channel>Windows PowerShell</Channel>
<Computer>User-PC</Computer>
<Security />
</System>
<EventData>
<Data>Available</Data>
<Data>None</Data>
<Data>NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=5.1.16299.251 HostId=3b307815-fc85-476a-8300-54e9a3c3a869 HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden & C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client EngineVersion=5.1.16299.251 RunspaceId=aa83ae8a-2dfe-4819-a487-e3bc8a1487ba PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
</EventData>
</Event>


Event 403

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="PowerShell" />
<EventID Qualifiers="0">403</EventID>
<Level>4</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-04-17T18:19:21.300702000Z" />
<EventRecordID>1440</EventRecordID>
<Channel>Windows PowerShell</Channel>
<Computer>User-PC</Computer>
<Security />
</System>
<EventData>
<Data>Stopped</Data>
<Data>Available</Data>
<Data>NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=5.1.16299.251 HostId=3b307815-fc85-476a-8300-54e9a3c3a869 HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden & C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client EngineVersion=5.1.16299.251 RunspaceId=aa83ae8a-2dfe-4819-a487-e3bc8a1487ba PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
</EventData>
</Event>
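
Added example, not part of the original post: a Python sketch that splits the flattened `Data` text of these events into fields, reports which script and host flags a session was launched with, and pairs event 400 with 403 on `RunspaceId` to get the session length. The function names are made up for this example, and the sample field text is copied from the 400 and 403 events above.

```python
import re
from datetime import datetime

# Keys seen in the third <Data> element of PowerShell events 400/403/600.
KEYS = ("ProviderName NewProviderState NewEngineState PreviousEngineState SequenceNumber HostName "
        "HostVersion HostId HostApplication EngineVersion RunspaceId PipelineId CommandName "
        "CommandType ScriptName CommandPath CommandLine").split()
_KEY = re.compile(r"(?:^|\s)(" + "|".join(KEYS) + r")=")

def parse_data(blob):
    """Split flattened 'Key=value Key=value' text; values may contain spaces."""
    parts = _KEY.split(blob)
    return {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}

def parse_time(stamp):
    whole, frac = stamp.rstrip("Z").split(".")  # 100 ns precision in, microseconds kept
    return datetime.strptime(whole + "." + frac[:6], "%Y-%m-%dT%H:%M:%S.%f")

def describe_host(fields):
    app = fields.get("HostApplication", "")
    script = re.search(r"\S+\.ps1\b", app, re.I)  # assumes no spaces in the script path
    return {
        # Remoting sessions log ServerRemoteHost; powershell.exe logs ConsoleHost.
        "remoting": fields.get("HostName") == "ServerRemoteHost",
        "script": script.group(0) if script else None,
        "flags": re.findall(r"\s(-\w+)", app[:script.start()] if script else app),
    }

def sessions(events):
    """Pair engine start (400) with engine stop (403) on RunspaceId."""
    started, out = {}, []
    for event_id, stamp, blob in events:
        fields = parse_data(blob)
        rid = fields.get("RunspaceId")
        if event_id == 400:
            started[rid] = parse_time(stamp)
        elif event_id == 403 and rid in started:
            secs = (parse_time(stamp) - started.pop(rid)).total_seconds()
            out.append({"runspace": rid, "seconds": secs, **describe_host(fields)})
    return out

# Field text copied from the 400 and 403 events in the post above.
HOST_APP = (r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive "
            r"-NoProfile -WindowStyle Hidden & C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client")
REST = (" HostName=ConsoleHost HostVersion=5.1.16299.251 HostId=3b307815-fc85-476a-8300-54e9a3c3a869"
        " HostApplication=" + HOST_APP + " EngineVersion=5.1.16299.251 RunspaceId=aa83ae8a-2dfe-"
        "4819-a487-e3bc8a1487ba PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=")
EVENTS = [
    (400, "2018-04-17T18:19:16.112442500Z", "NewEngineState=Available PreviousEngineState=None SequenceNumber=13" + REST),
    (403, "2018-04-17T18:19:21.300702000Z", "NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15" + REST),
]
```

Calling `sessions(EVENTS)` returns one entry per start/stop pair, so a long export of the Windows PowerShell log collapses into a short list of what ran, with which flags, and for how long.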
