I believe one of my old collegees has set a scheduled task to start at 9:30 every day on one of the pc's in our office ( he now no longer works here ). At 9:30 precisely the pc shutdowns however this doesnt seem to be the case if im not logged in to that pc. Ive searched for erroneous batch files and hunted high and low in the task schedular but i cant find anything to indicate that the task is being generated by the pc. Could anyone come up with some suggestions as to where i might find this pesky little process ?

5 Years
Discussion Span
Last Post by solomonski

Is it possible that this task is being executed from a remote computer? Shutting down PCs remotely is easily accomplished.


I would hassard a guess that it might be from the PDC, i guess i could try removing the network connection at 9:30 tomorrow to prove the point.


Ok so you are on a domain? There could be various tools that would shutdown the PCs at a certain time. Your idea about disconnecting the network interface would prove if its coming from a remote system.

however, aside from a scheduled task on your computer, it could also be handled from some type of client program/agent running on that system.

Does this process occur on any other computer on the network?


JorgeM is correct. THe windows "shutdown" command can be used to shutdown any remote computer so long as you have admin access to that host. Any computer on the network could be sending that command. Now since it doesn't shut down unless he is logged in, that's a big clue to tell me it is running locally.

My 2 cents would be to start with Hijackthis and have it pull the pc log. http://www.hijackthis.com/hijackthis

This shows you all the startup items and services.

Then you should check the sceduled tasks to look for anything that was running.

If you still suspect a remote machine, you can enable a 3rd party firewall to block and log all ports, or you can use wireshark to trace everything at 9:30 and see what shows up.


Thanks for the ideas and yes this is the only pc this happens to. I'll give the wireshark ago and see where that leds me. Failing that i'll post the log for hijackthis. Many thanks guys.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.