Endpoint Protection clients rebooting unexpectedly with Legacy API shutdown


Article ID: 219780


Updated On:

Products

Endpoint Protection

Issue/Introduction

Servers or workstations reboot unexpectedly. The Windows System log shows the following restart events (Event ID 1074) initiated by ccSvcHst.exe:


7/14/2021 9:06:20 AM System Information User32 <FQDN> NT AUTHORITY\SYSTEM 1074 "The process C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.3385.1000.105\Bin\ccSvcHst.exe (<COMPUTER>) has initiated the restart of computer <COMPUTER> on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000
 Shutdown Type: restart

7/13/2021 6:24:03 PM System Information User32 <FQDN> NT AUTHORITY\SYSTEM 1074 "The process C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.3385.1000.105\Bin\ccSvcHst.exe (<COMPUTER>) has initiated the restart of computer <COMPUTER> on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000
 Shutdown Type: restart
 Comment:"

Environment

SEP 14.3.X

Cause

The client's CVE-Actions.log shows the following events:

[2021-Jul-14 09:06:20.584291] 8033634C0AF413570B7DA9E310B96A85 200 0 [GetNewCommand  ] 2021-Jul-14 09:06:20.557292 2021-Jul-14 09:06:20.584291 26 91539
[2021-Jul-13 18:24:03.924335] 8033634C0AF413570B7DA9E310B96A85 200 0 [GetNewCommand  ] 2021-Jul-13 18:24:03.891329 2021-Jul-13 18:24:03.924335 33 91269

The timestamps of the GetNewCommand entries in CVE-Actions.log coincide with the Legacy API shutdown events in the Windows System log: the client polled the SEPM for new commands, received a restart command and processed it immediately.
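As an added example (not part of this article and not Symantec code), the following Python script performs the correlation described above on constructed sample lines modelled on the two excerpts in this article. It pulls the Event ID 1074 restart records initiated by ccSvcHst.exe out of a System log export, decodes the Reason Code into the SHTDN_REASON_* flags and major/minor values discussed under Additional Information, and checks whether a GetNewCommand entry in CVE-Actions.log falls within a few seconds of each restart. A restart with a nearby GetNewCommand points at a command from the SEPM; one without points at the other causes listed under Additional Information (client upgrade or remediation reboot). The host name, FQDN and timestamps in the sample data are constructed; the line formats follow the article's excerpts; the five-second window and the assumption that both logs are in local time are assumptions to verify on a real host.

```python
"""Correlate Windows Event ID 1074 restarts by ccSvcHst.exe with GetNewCommand
entries from the SEP client's CVE-Actions.log and decode the shutdown reason code.
Added example for this article; the sample log lines below are constructed."""
import re
from datetime import datetime, timedelta

# Shutdown reason code bits from the Windows SDK (reason.h).
SHTDN_REASON_FLAG_USER_DEFINED = 0x40000000
SHTDN_REASON_FLAG_PLANNED = 0x80000000
SHTDN_REASON_MAJOR = {
    0x00000000: "SHTDN_REASON_MAJOR_OTHER",
    0x00010000: "SHTDN_REASON_MAJOR_HARDWARE",
    0x00020000: "SHTDN_REASON_MAJOR_OPERATINGSYSTEM",
    0x00030000: "SHTDN_REASON_MAJOR_SOFTWARE",
    0x00040000: "SHTDN_REASON_MAJOR_APPLICATION",
    0x00050000: "SHTDN_REASON_MAJOR_SYSTEM",
    0x00060000: "SHTDN_REASON_MAJOR_POWER",
    0x00070000: "SHTDN_REASON_MAJOR_LEGACY_API",
}
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed sample data in the shape of the article's excerpts (not real captures).
# Records 1-2 coincide with GetNewCommand polls, record 3 does not, record 4 is not SEP.
SYSTEM_LOG = r"""
7/14/2021 9:06:20 AM System Information User32 host01.corp.example NT AUTHORITY\SYSTEM 1074 "The process C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.3385.1000.105\Bin\ccSvcHst.exe (HOST01) has initiated the restart of computer HOST01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000 Shutdown Type: restart Comment:"
7/13/2021 6:24:03 PM System Information User32 host01.corp.example NT AUTHORITY\SYSTEM 1074 "The process C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.3385.1000.105\Bin\ccSvcHst.exe (HOST01) has initiated the restart of computer HOST01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000 Shutdown Type: restart Comment:"
7/12/2021 2:00:00 PM System Information User32 host01.corp.example NT AUTHORITY\SYSTEM 1074 "The process C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.3385.1000.105\Bin\ccSvcHst.exe (HOST01) has initiated the restart of computer HOST01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000 Shutdown Type: restart Comment:"
7/12/2021 1:00:00 PM System Information User32 host01.corp.example CORP\admin 1074 "The process C:\Windows\system32\shutdown.exe (HOST01) has initiated the restart of computer HOST01 on behalf of user CORP\admin for the following reason: Other (Planned)
 Reason Code: 0x80000000 Shutdown Type: restart Comment:"
"""
CVE_ACTIONS_LOG = """
[2021-Jul-14 09:06:20.584291] 8033634C0AF413570B7DA9E310B96A85 200 0 [GetNewCommand  ] 2021-Jul-14 09:06:20.557292 2021-Jul-14 09:06:20.584291 26 91539
[2021-Jul-13 18:24:03.924335] 8033634C0AF413570B7DA9E310B96A85 200 0 [GetNewCommand  ] 2021-Jul-13 18:24:03.891329 2021-Jul-13 18:24:03.924335 33 91269
[2021-Jul-12 10:00:00.120000] 8033634C0AF413570B7DA9E310B96A85 200 0 [GetNewCommand  ] 2021-Jul-12 10:00:00.100000 2021-Jul-12 10:00:00.120000 20 91100
"""

# One Event ID 1074 record: export timestamp, the 1074 ID, the initiating process, the Reason Code.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M).*?\b1074\b"
    r".*?The process (?P<proc>.+?\.exe).*?Reason Code: (?P<code>0x[0-9A-Fa-f]+)", re.S)
# A CVE-Actions.log GetNewCommand line; only the leading timestamp is needed.
GETCMD_RE = re.compile(
    r"^\[(?P<y>\d{4})-(?P<mon>[A-Za-z]{3})-(?P<d>\d{2}) "
    r"(?P<H>\d{2}):(?P<M>\d{2}):(?P<S>\d{2})\.\d+\].*?\[GetNewCommand\s*\]")


def decode_reason(code):
    """Split a shutdown reason code into (flags, major reason name, minor reason value)."""
    flags = [name for bit, name in ((SHTDN_REASON_FLAG_PLANNED, "SHTDN_REASON_FLAG_PLANNED"),
                                    (SHTDN_REASON_FLAG_USER_DEFINED, "SHTDN_REASON_FLAG_USER_DEFINED"))
             if code & bit]
    major = SHTDN_REASON_MAJOR.get(code & 0x00FF0000, "UNKNOWN_MAJOR")
    return flags, major, code & 0x0000FFFF


def split_records(export):
    """Group a System log export into one multi-line record per event; a record starts on a date."""
    records, current = [], []
    for line in export.splitlines():
        if re.match(r"\d{1,2}/\d{1,2}/\d{4} ", line) and current:
            records.append("\n".join(current))
            current = []
        if line.strip():
            current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def getnewcommand_times(cve_actions):
    """Timestamps (second resolution, local time) of the client's GetNewCommand polls."""
    times = []
    for line in cve_actions.splitlines():
        m = GETCMD_RE.match(line)
        if m:  # month parsed by table rather than %b so the result does not depend on locale
            times.append(datetime(int(m["y"]), MONTHS[m["mon"].title()], int(m["d"]),
                                  int(m["H"]), int(m["M"]), int(m["S"])))
    return times


def triage(system_log, cve_actions, window_seconds=5):
    """For each ccSvcHst.exe-initiated restart, decode its reason code and look for a
    GetNewCommand poll within +/- window_seconds (assumed window; both logs taken as local time)."""
    polls = getnewcommand_times(cve_actions)
    window = timedelta(seconds=window_seconds)
    findings = []
    for record in split_records(system_log):
        m = EVENT_RE.search(record)
        if not m or not m["proc"].lower().endswith("ccsvchst.exe"):
            continue  # not a SEP-initiated restart
        when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        nearby = [p for p in polls if abs(p - when) <= window]
        findings.append({
            "restart_at": when,
            "reason": decode_reason(int(m["code"], 16)),
            "getnewcommand_at": min(nearby, key=lambda p: abs(p - when)) if nearby else None,
            "verdict": ("restart command from SEPM; confirm under Monitors > Command Status"
                        if nearby else
                        "no GetNewCommand poll nearby; check for a client upgrade or remediation reboot"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SYSTEM_LOG, CVE_ACTIONS_LOG):
        flags, major, minor = f["reason"]
        print(f"{f['restart_at']}  {major} | {' | '.join(flags)} | minor={minor}")
        print(f"    GetNewCommand: {f['getnewcommand_at']}  -> {f['verdict']}")
```

On a real client, replace SYSTEM_LOG with a System log export (or the output of Get-WinEvent filtered on Event ID 1074) and CVE_ACTIONS_LOG with the client's CVE-Actions.log; restarts that the script flags as matching a GetNewCommand poll are the ones to look up in the SEPM Command Status report described below.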

Resolution

This occurs when an administrator issues a Restart Client Computers command from the Symantec Endpoint Protection Manager (SEPM) console. A command issued from the SEPM is queued immediately and stays in the queue until the targeted client checks in and downloads it; only then does the client process it and the command is purged from the queue. A client that is offline or has not yet checked in when the command is issued therefore reboots on its next check-in, which can be well after the administrator issued the command, so the reboot appears unexplained on that client.

Steps to issue a Restart command:

  • Log in to the SEPM.
  • Click Clients.
  • Select the group.
  • Right-click the group or the client(s).
  • Click Run Command on Group (or Run Command on Clients).
  • Select Restart Client Computers.

To view the restart commands issued in the last 30 days, generate the following Command Status report:

  • Log in to the SEPM.
  • Click Monitors.
  • Click the Command Status tab.
  • Set the filter as follows and view the results:
    Show commands: issued in the last 30 days, Of type: Restart Client Computers, With status: any status.


Additional Information

Reason Code 0x80070000 indicates that ccSvcHst.exe called the legacy InitiateSystemShutdown function rather than InitiateSystemShutdownEx to restart the system, which is why Windows records the reason as "Legacy API shutdown" (see the MSDN System Shutdown Reason Codes page).

System Shutdown Reason Codes (Windows)
http://msdn.microsoft.com/en-us/library/windows/desktop/aa376885%28v=vs.85%29.aspx

This Reason Code is defined by the Windows OS; 0x80070000 is the bitwise OR of the following values:
    SHTDN_REASON_MAJOR_LEGACY_API (0x00070000)
    SHTDN_REASON_FLAG_PLANNED     (0x80000000)

Other reasons SEP may initiate a reboot:
- The client was upgraded (especially when upgrading from a version earlier than 14.3 RU3).
- The client needs to reboot to fully remediate a detected infection.