Yet another (soft) random reboot under Windows XP Home (on Core Duo Toshiba laptop)

fabrice.baro

I've had my Toshiba M100-JG2 laptop for 2 months now, and I've always
suffered random reboots.
I've read quite a few threads on random reboots: I've disabled
auto-restart. Anyways, in my case it's a soft reboot: I will be asked
if I want to save open documents "logging off", "saving settings", etc.
just as if I had clicked Start > Turn off computer > Reboot.
I haven't found any significant errors in the event viewer. This one
(under "Application" category) seems to have happened during the reboot
process ("while an application or service was still using the registry
during log off").
==========================================
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 19-07-2006
Time: 20:48:28
User: NT AUTHORITY\SYSTEM
Computer: FABRICE-2
Description:
Windows saved user FABRICE-2\Fabrice Baro registry while an application
or service was still using the registry during log off. The memory used
by the user's registry has not been freed. The registry will be
unloaded when it is no longer in use.

This is often caused by services running as a user account, try
configuring the services to run in either the LocalService or
NetworkService account.
==========================================

I also get this one in the "Security" category:
==========================================
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 513
Date: 19-07-2006
Time: 20:48:31
User: NT AUTHORITY\SYSTEM
Computer: FABRICE-2
Description:
Windows is shutting down. All logon sessions will be terminated by this
shutdown.
==========================================

And under the "System" category:
==========================================
Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6006
Date: 19-07-2006
Time: 20:48:33
User: N/A
Computer: FABRICE-2
Description:
The Event log service was stopped.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 000000ff
==========================================
 
fabrice.baro

EDIT:

I have found suspicious events under the "Security" category (in
chronological order):
=================================
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 551
Date: 19-07-2006
Time: 20:47:52
User: FABRICE-2\Fabrice Baro
Computer: FABRICE-2
Description:
User initiated logoff:
User Name: Fabrice Baro
Domain: FABRICE-2
Logon ID: (0x0,0xf563)
=================================
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 19-07-2006
Time: 20:47:54
User: NT AUTHORITY\NETWORK SERVICE
Computer: FABRICE-2
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
=================================
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 19-07-2006
Time: 20:47:54
User: NT AUTHORITY\NETWORK SERVICE
Computer: FABRICE-2
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
=================================

I also get lots of anonymous logons from other computers on my network.
Example:
=================================
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 19-07-2006
Time: 20:39:34
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: FABRICE-2
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x11E6643)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: FLANAGAN
Logon GUID: {00000000-0000-0000-0000-000000000000}
=================================
Should I be worried?
I also get some KSecDD related events, although after some research
KSecDD seems to be a legitimate security device driver (see
http://groups.google.com/group/micr...ca638?lnk=st&q=ksecdd&rnum=1#ed1f28811e7ca638
for example).
=================================
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 19-07-2006
Time: 21:06:15
User: NT AUTHORITY\SYSTEM
Computer: FABRICE-2
Description:
A trusted logon process has registered with the Local Security
Authority. This logon process will be trusted to submit logon requests.


Logon Process Name: KSecDD
=================================
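
Added example, not part of the original posts: a small Python parser for the Event Viewer text format pasted above. It orders the records by time, shows what was logged just before each event 513 shutdown, and lists the workstations behind anonymous type 3 network logons (event 540). The function names and the two-minute window are assumptions; the sample is constructed from fields quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: values copied from the events quoted in the thread,
# trimmed to the fields the functions below actually read.
SAMPLE = """\
=====
Event ID: 540
Date: 19-07-2006
Time: 20:39:34
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type: 3
Workstation Name: FLANAGAN
=====
Event ID: 551
Date: 19-07-2006
Time: 20:47:52
User: FABRICE-2\\Fabrice Baro
=====
Event ID: 513
Date: 19-07-2006
Time: 20:48:31
"""

def parse_events(text):
    """Split on '=====' rulers, read 'Key: value' lines, sort by timestamp."""
    events = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        fields = dict(m.groups() for m in
                      re.finditer(r"^([A-Za-z ]+):[ \t]*(.*)$", block, re.M))
        if "Event ID" in fields:
            fields["when"] = datetime.strptime(
                fields["Date"] + " " + fields["Time"], "%d-%m-%Y %H:%M:%S")
            events.append(fields)
    return sorted(events, key=lambda e: e["when"])

def shutdown_context(events, window=timedelta(minutes=2)):
    """For each 513 (shutdown), the event IDs logged in the window before it."""
    return [(e["when"], [p["Event ID"] for p in events
                         if e["when"] - window <= p["when"] < e["when"]])
            for e in events if e["Event ID"] == "513"]

def anonymous_network_logons(events):
    """Workstation names behind 540 network logons (type 3) by ANONYMOUS LOGON."""
    return sorted({e.get("Workstation Name", "") for e in events
                   if e["Event ID"] == "540" and e.get("Logon Type") == "3"
                   and e.get("User", "").endswith("ANONYMOUS LOGON")})
```

On the events quoted in the thread, the 513 shutdown at 20:48:31 follows the 551 user-initiated logoff at 20:47:52 by 39 seconds.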
 
Guest

Well, if you're on a network anyone can shutdown your workstation if they
know its IP address: 'shutdown -t 0 x.y.z.a' from a DOS window. Also, have
you checked your CPU temperature and case temperature? Generally you'll
get a beep sound from the case, but overheating will shut the comp down
(your internal speaker may not exist, so even if you don't hear a beep it
could still be the cause).

Flamer.
 
fabrice.baro

flamer said:
Well, if you're on a network anyone can shutdown your workstation if they
know its IP address: 'shutdown -t 0 x.y.z.a' from a DOS window. Also, have
you checked your CPU temperature and case temperature? Generally you'll
get a beep sound from the case, but overheating will shut the comp down
(your internal speaker may not exist, so even if you don't hear a beep it
could still be the cause).

Flamer.

Thanks flamer,

I've tried the shutdown command. The exact syntax is 'shutdown -r -m
x.y.z.a', or 'shutdown -r -m x.y.z.a -t 0' but it says "The network
path was not found".
How come anyone can issue those commands?
I'm certain nobody on the network has issued that command. It's a home
network with 2 other computers. Maybe a virus?

I'm not able to check CPU or case temperature: when I install SpeedFan
2.48, I only get the HDD temperature. After a full night running, it
gives 50C. Do you know of other tools to read CPU sensors (I assume
there are some sensors!)?
However I don't think temperature is the reason; I run my CPU @966 MHz
(it's a T2300 designed to run @ 1600 MHz); plus I barely run CPU
intensive tasks, and the restarts occur when almost idle (text editing
or web browsing).
 
