Patch Management Group

Hello everyone,

Would you please advise which Altiris process call the shutdown (auto restart) of the windows 2003/2008 servers when patching and a specific patch requires restart?

I often see AeXNSAgent.exe and sometimes see winlogon.exe. I know for sure that AeXNSAgent.exe call the restart when a patch requires restart, but NOT QUITE SURE if WINLOGON.EXE has anything to do with Altiris Patching?

Please advise.

Thank you,

Charlie Tran

I'm not sure what you are ultimately looking for, but the question is moot since all shutdown calls go to the operating system, at least in XP via Winlogon, but where they originate from is the question you are really asking?

In which case if you have configured a machine to reboot (and by default it doesn't so you have to configure it) then the call originates from the client.

I think it's best that you actually ask the question you really want answered, like, "Why did this machine reboot?" or similar.

Hi Michael,

I would like to find out who initiated the restart on a windows 2003/2008/2012 server after patch deployment.

I would see number of AeXNSAgent.exe as "shutdown process" which matched with number of specific patches that required restart to be effective. Other number of winlogon.exe would match with our windows adminstrators initiated those restart.

My question is that if ever Altiris use winlogon.exe to initiate the restart when a patch required a restart to be effective.

Please see below is log of restart info for a windows 2003 servers.

Thanks very much, Michael

Charlie.

Startup Time Shutdown Time Duration Shutdown Reason Shutdown Type Shutdown Process Shutdown Code 
11/30/2013 12:43:20 AM 1/30/2014 12:01:46 AM 60 Days + 23:18:26  (Planned) Restart winlogon.exe 0x80070000 
11/30/2013 12:24:50 AM 11/30/2013 12:42:31 AM 00:17:41  Restart AeXNSAgent.exe 0x00000000 
11/30/2013 12:15:20 AM 11/30/2013 12:23:50 AM 00:08:30  Restart AeXNSAgent.exe 0x00000000 
11/30/2013 12:03:31 AM 11/30/2013 12:13:38 AM 00:10:07  Restart AeXNSAgent.exe 0x00000000 
11/9/2013 1:29:08 AM 11/29/2013 11:59:56 PM 20 Days + 22:30:48  (Planned) - Scheduled PM, 11/30/2013 - SAS Restart winlogon.exe 0x85000000 
8/25/2013 2:00:11 AM 11/9/2013 12:03:28 AM 75 Days + 23:03:17  (Planned) - 6C Consolidation Project - CRQ #3548 - Planned Maintenance (cjones2) Power Off winlogon.exe 0x85000000 
 

Hi Charlie,

Apologies, this situation is very important to you, however the detail above shows you are looking into a matter 8 months old and do not have any Altiris logs which would show any such reboot if it had been made.

There is nothing authoritative Symantec can supply in terms of forensics in this matter that can be used meaningfully to convince someone of the root cause.

If you do have an issue with machines currently rebooting unexpectedly it's important you contact support as soon as possible - it can be caused by a number of reasons I can think of on  versions in the last few years.

Hello Charlie,

It appears the problem isn't finding how the Altiris Agent initiates a reboot on the client, but rather why did it complete that process.

The best methods I have found for troubleshooting reboot outside schedule are detailed on KM: HOWTO95533.

Searching the Client Logs for 'change' and 'state' will assist in finding the start of the process changing state from Ready to Installing to Finished to Rebooting. Timing is key in reviewing these logs, for they get overwritten every few days by default.

 Hope this helps,

Joshua

Unfortunately, I am unable to reverse-engineer the product or provide code level processes, but to summarize the reboot process: The Patch Plug-in tells the Altiris Agent it is time for reboot, and the Altiris Agent sends a Windows API call to reboot the client. The process is logged in the Agent Logs and from there the OS takes over rebooting the client.

Hope this helps, and good luck!

Joshua