Windows closes all my programs overnight when screen is locked

nommy the first said:

Hello Herqulees,

Before I start my analysis of the log I quickly read over it, and from the top of my head I see a lot of errors that are native to Windows Server 2008, and not Windows 7 (Event ID 9009, Event ID 4672, Event ID 6000 etc etc etc).
While I have quite a bit of knowledge of Windows 7 and it's event viewer logs, I have noticeably less knowledge of the Windows Server 2008 event viewer log, and so deem myself as unable to properly assist you on that.

And I also see quite a few corrupted registries.
So you might want to try and run start up repair, as explained in this tutorial, before anything else.
Please try to recreate the problem after that to see if it persists.


Good luck and keep us posted,
Nommy

How can you tell I have corrupt registries? Also are you saying my 7 OS is running like it's another OS, or that it's giving a bunch of errors/messages from a part of the OS you're unfamiliar with? After posting that last night I disabled all start up entries and scheduled tasks involving Google Update (gupdate). So am going to put a short pause on my investigating for a couple days to see if the issue persists. Though I will try the startup repair just to see if it comes up with anything.

Kari said:

Search for user log in / log off entries in Event Viewer. Although published on our sister the Eight Forums, this tutorial is also valid for Windows 7 and shows you how: Event Viewer - Monitor User Account Activity in Windows 8

Come back to tell if you found some suspicious log off entries.

Kari

See my post up above a bit of suspicious log on/off events I found while the computer was idle. Unless you're saying doing that will give me more info of log ons and offs?

Kari said:

herqulees said:

Kari said:

Search for user log in / log off entries in Event Viewer. Although published on our sister the Eight Forums, this tutorial is also valid for Windows 7 and shows you how: Event Viewer - Monitor User Account Activity in Windows 8

Come back to tell if you found some suspicious log off entries.

Kari

See my post up above a bit of suspicious log on/off events I found while the computer was idle. Unless you're saying doing that will give me more info of log ons and offs?

Your posted events show a lot of uninteresting events, although it also very clearly shows that you were logged off. Following my advice we would get a more specific list of log in / log off events.

Here for instance the event and time stamp of your log off. See the highlighted statement at the end of the event description:

Code:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/28/2013 3:27:07 AM
Event ID:      4647
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Michael-Laptop
Description:
User initiated logoff:

Subject:
	Security ID:		Michael-Laptop\Michael ********
	Account Name:		Michael ********
	Account Domain:		Michael-Laptop
	Logon ID:		0x73e9b49

This event is generated when a logoff is initiated. No further user-initiated
activity can occur. This event can be interpreted as a logoff event.

Kari

I figured at least some of the events I posted were unhelpful but since this log in and out process was only about a half hour long I figured post it all to see if someone sees something I don't. Either way, made a new custom view with that tutorial (thanks for the link) and will keep an eye on it.

nommy the first said:

herqulees said:

How can you tell I have corrupt registries? Also are you saying my 7 OS is running like it's another OS, or that it's giving a bunch of errors/messages from a part of the OS you're unfamiliar with? After posting that last night I disabled all start up entries and scheduled tasks involving Google Update (gupdate). So am going to put a short pause on my investigating for a couple days to see if the issue persists. Though I will try the startup repair just to see if it comes up with anything.

Hello Herqulees,

What I mean is that your log has errors from Windows Server 2008 in them, and that I am unfamiliar with that happening.

The corrupt registries are for instance the Event ID: 6000;

Windows logon availability determines whether the Windows logon process is able to be completed successfully. The logon process is the interface between the account for a user, process, or service and the computer that establishes authenticated credentials for the account and allocates the appropriate system and network resources.
If the Windows registry is corrupted, logon might be prevented and you will need to interrupt the startup process to boot the computer into Safe Mode or the Recovery Console.

This particular error could be caused by two things. First is a service that has failed to start, and second is a corrupt registry.
To check the failed service; navigate to the event viewer, double click on Windows Logs and then on system. Now you'll see a list of entries with an icon in front of them. Search for a white exclamation mark in a red circle, that will indicate that a service has stopped.
If you can not find such icon, then there is a corrupt registry.

It could also indicate that Windows doesn't have enough resources available, but if that were the case then you would log in with limited capabilities instead of not at all.


Good luck and keep us posted,
Nommy

That log goes all the way back to the end of May without anything more than informational events, so it's on to try the Startup Repair.

Kari said:

herqulees said:

I figured at least some of the events I posted were unhelpful but since this log in and out process was only about a half hour long I figured post it all to see if someone sees something I don't. Either way, made a new custom view with that tutorial (thanks for the link) and will keep an eye on it.

You told us your PC was unattended from Saturday evening at about 9pm to Sunday morning at about 9am. As the quote in my last post from your Event Viewer told us, you were logged out that night at 03:27 AM.

According to your posted events there was nothing happening during the last 13 minutes before the log off, which I find quite hard to believe. Check the event viewer to see what really happened during the last few minutes before log off, let's say from 03:20 onwards.

Sadly everything I posted before were all the events I found that seemed even slightly interesting, not much was going on, but I'll go ahead and look again to see if I missed anything.
EDIT: Is their a way I can make a new tab to show EVERYTHING from 7-28 at 3am to 4am? I'm not familiar with event viewer, but am quickly finding how useful it is. Literally never opened it till this issue.
EDIT-EDIT- Nevermind that was a silly question, quickly figured it out after clicking on Custom View. Looking through everything now.

The only time their are interesting events in this log are right around the few seconds I was logged off so that's what I posted here. It looks like I had a remote desktop connection close from address "LOCAL"? I don't use Windows Remote Desktop at all and as far as I'm aware it's disabled. I do use TeamViewer, but can't remember the last time it was actually used, only this computer is on my TeamViewer account and the only thing that connects to it is my phone when I need to transfer a file or something, like I said very rarely used. The only other thing network-wise I use is I share a couple folders over the home network. Could this be some sort of hacking? I seriously doubt it, but still.

Code:

Log Name:      Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Source:        Microsoft-Windows-TerminalServices-LocalSessionManager
Date:          7/28/2013 3:27:08 AM
Event ID:      24
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      Michael-Laptop
Description:
Remote Desktop Services: Session has been disconnected:

User: Michael-Laptop\Michael ********
Session ID: 3
Source Network Address: LOCAL
--------------------------------------------------
Log Name:      System
Source:        Microsoft-Windows-Winlogon
Date:          7/28/2013 3:27:07 AM
Event ID:      7002
Task Category: (1102)
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      Michael-Laptop
Description:
User Logoff Notification for Customer Experience Improvement Program
--------------------------------------------------
Log Name:      Microsoft-Windows-User Profile Service/Operational
Source:        Microsoft-Windows-User Profiles Service
Date:          7/28/2013 3:27:07 AM
Event ID:      4
Task Category: None
Level:         Information
Keywords:      
User:          Michael-Laptop\Michael ********
Computer:      Michael-Laptop
Description:
Finished processing user logoff notification on session 3.
--------------------------------------------------
Log Name:      Microsoft-Windows-User Profile Service/Operational
Source:        Microsoft-Windows-User Profiles Service
Date:          7/28/2013 3:27:07 AM
Event ID:      3
Task Category: None
Level:         Information
Keywords:      
User:          Michael-Laptop\Michael ********
Computer:      Michael-Laptop
Description:
Recieved user logoff notification on session 3.
--------------------------------------------------
Log Name:      Microsoft-Windows-GroupPolicy/Operational
Source:        Microsoft-Windows-GroupPolicy
Date:          7/28/2013 3:27:07 AM
Event ID:      5324
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      Michael-Laptop
Description:
Group Policy received the notification Logoff from Winlogon for session 3.
--------------------------------------------------
Log Name:      Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Source:        Microsoft-Windows-TerminalServices-LocalSessionManager
Date:          7/28/2013 3:27:07 AM
Event ID:      23
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      Michael-Laptop
Description:
Remote Desktop Services: Session logoff succeeded:

User: Michael-Laptop\Michael ********
Session ID: 3
--------------------------------------------------
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/28/2013 3:27:07 AM
Event ID:      4647
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Michael-Laptop
Description:
User initiated logoff:

Subject:
	Security ID:		Michael-Laptop\Michael ********
	Account Name:		Michael ********
	Account Domain:		Michael-Laptop
	Logon ID:		0x73e9b49

This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
--------------------------------------------------
Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          7/28/2013 3:27:07 AM
Event ID:      6000
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Michael-Laptop
Description:
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
--------------------------------------------------
Log Name:      Microsoft-Windows-GroupPolicy/Operational
Source:        Microsoft-Windows-GroupPolicy
Date:          7/28/2013 3:27:06 AM
Event ID:      5324
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      Michael-Laptop
Description:
Group Policy received the notification EndShell from Winlogon for session 3.
--------------------------------------------------
Log Name:      Application
Source:        Desktop Window Manager
Date:          7/28/2013 3:27:06 AM
Event ID:      9009
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Michael-Laptop
Description:
The Desktop Window Manager has exited with code (0x40010004)
--------------------------------------------------
Log Name:      Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
Source:        Microsoft-Windows-Resource-Exhaustion-Resolver
Date:          7/28/2013 3:27:04 AM
Event ID:      1002
Task Category: Lifecycle Events
Level:         Information
Keywords:      Lifecycle
User:          Michael-Laptop\Michael ********
Computer:      Michael-Laptop
Description:
The Windows Resource Exhaustion Resolver stopped.
--------------------------------------------------