Question Windows 10 randomly restarting, clues are in Event Viewer Log

[avg9956]

Hello
Recently I've been experiencing random restarts by my computer. I will carry out an anti-virus scan but in the past months I did not change any hardware components, nor did I notice any failures but I do see clues in Windows Event Viewer. I also did not change any windows settings at all for the past few months. This is the second random restart to date (1st random restart was yesterday but I thought it would come to pass). I was asleep when it happened but I did notice I went another random restart after logging into my computer. I also have Windows updates disabled as well. I am not really well verse with event viewer but I feel its my best lead as to why my PC is randomly restarting. My hunch right now is that it is a "Windows thing".

System Log in Event Viewer. Restart happened around 3:19AM when I was asleep

I also see that event id 5156 is being logged in the Security Log, literally every second. Not sure why

Application log. The restart happened around 3:18-3:19AM

 

[boju]

Spybot maybe? Try remove that and use Malwarebytes instead.

List entire PC specs including model and age of power supply and cpu cooler.

 

[avg9956]

Ok will do. My specs are all under my sig so I don't have to include it in my post. I have Malware bytes already installed as well. I usually have spybot around for its immunization feature it offers on the host file.
Age of PSU is around 3 years or so.

Actually, it just restarted again (10:25AM)! so from 3:18AM to 10:25:AM that would mean it restarts every 6 hours and 42 minutes.

What is security-SPP though. I see a related thread but I have a different event ID (1003) than his.
Event ID 6008 under System Log says that the previous shutdown at 10:26:12AM on 7/28/2024 was unexpected. This puts both spybot and security-SPP under suspicion.

I also have a program called Last Activity View. It doesn't run on the background but it can track what processes have been running. Can't find anything out of place before the 10:26AM mark unless I am missing something.

Also thought about Windows 10 end of life support. It's still in 2025. I was thinking they were sending telemetry data or something again of that sort which can cause issues.

 

[boju]

What is security-SPP though

Searching about it looks normal.

Try system file checker. Sfc /scannow in cmd ran as administrator.

 

[avg9956]

I ran sfc /verifyonly instead, which checks if any files are defective and found none. I'm always adamant about the /scannow command because it fixes something but then after running that command system gets messed up so had to reformat. It happened to me back in Windows 7 days.

I turned off Spybot S&D from autoruns (program that lists everything that starts on startup). If it still persists and I see it on the event viewer log again, I will fully uninstall it with Revo Uninstaller. This would leave Security-SPP left most probably.

Also will start my PC from a cold boot, to see if the random restart still persists.

 

[avg9956]

Just to give an update, it definitely was not spybot. It is Security SPP that is causing it.
I updated my Nvidia graphics driver on 7/29/2024, but the first restart happened on 7/27/2024, so that rules that out.

I've read several issues and tried several possible fixes, but no joy. The service is known to cause restarts if it doesn't feel satisfied. It runs at ring 0 of the kernel (or something to that effect), so "truly disabling it" is impossible.

Security SPP is a component in Microsoft OS that can't be disabled, but the activation can be blocked. If Security-SPP detects that it can't verify your Windows licenses, it will start to wreak havoc and may cause
a random reboot of your computer.

https://community.spiceworks.com/t/computers-shutting-off-on-their-own/807672

https://www.reddit.com/r/techsupport/comments/wuz9l5/securityspp_event_16384_repeating_every_minute/

https://www.chiefdelphi.com/t/psa-w...ing-disconnects-or-disabling-robots/406736/32

Going to be a hard way to fix it from here.
Interestingly though, I am still on version 20H2 of windows 10, last installed on 3/29/2021. I guess security SPP starts to necro itself. I blocked windows 10 updates intentionally so that I don't wake up one morning with a BSOD like what happened with crowdstrike, or find that some of my software is uninstalled or no longer working. I've always hated forced updates.

 

[Roland Of Gilead]

Running on an old version of WIn 10 is prob not helping here. It's likely it's causing issues for you.

Why do you not keep things up to date? (Edit: I see some of your reasoning, however, the crowdstrike issue was mainly to do with running a VM, and/or business centered as only business run the software that cause the issue.)

 

[Roland Of Gilead]

Also, random restarts are also a symptom of a failing PSU.

 

[Roland Of Gilead]

You could also try this: https://www.tomsguide.com/computing...o-repair-a-windows-11-using-dism-command-tool

Run DISM first, then do SFC.

 

[avg9956]

The guide you linked me is for Windows 11, I'm on Windows 10.
I purposely do block windows updates because I've experienced in the past of waking up with my Windows 10 machine with some programs removed, ruining my workflow. Some programs cannot even be installed after an update. Blocking updates cannot be easily be done by hand unlike back in Windows XP or Windows 7 days, but I downloaded a program that made it possible. I could unblock windows updates at any time with the program, but as of now I don't feel any incentive to update Windows 10.

What I would do rather, if I really wanted to update Windows 10, is either make an image of Windows 10 with the preinstalled latest updates or a clean install of Windows 10 and just keep updating it before I install all of my other programs. This is because there's a chance that some programs break after a Windows update. Also, people who dual boot Windows and Linux on the same machine but then run Windows updates may possibly mess up the boot loader as well, causing the Linux grub not to be recognized until you fix it. This is the logic why I block Windows updates.

And yes, I just used the crowdstrike incident as an analogy, but you get the point hehe.

I have one more ace up in my sleeve, and that is to try hardware ID (HWID) activation of computer. Hopefully that will satisfy Security SPP to stop restarting.

Not sure if running slgmr first before HWID activation is a good idea as outlined here.

slmgr /upk - This will uninstall the current product key from Windows and put it into an unlicensed state.
slmgr /cpky - This will remove the product key from the registry if it's still there.
slmgr /rearm - This is to reset the Windows activation timers so the new users will be prompted to activate Windows when they put in the key. You are then required to restart the computer to finish the command.

But afaik, if you do HWID activation, slmgr /rearming will no longer be an option in the future because with hardware ID activation, the client machine (i.e. my pc) won't ever need to "talk to microsoft servers" unlike KMS (Key Management System) style activation - that's according to ChatGPT.

 

[boju]

The guide you linked me is for Windows 11, I'm on Windows 10.

Dism / sfc isn't exclusive to Win11 and instructions would be pretty close to how it's done in 10. There are how to's for Win10 however if need.