Some computers keep shutting down uncontrolled

Steps 1 and 2 have already been done. It is alway Event-ID 1074 and always the same reason code 0x800000ff.
Furthermore I could not find any difference in the "SYSTEM..." and the "DOMAIN..." induced shutdowns.
Step 3, 4 and 5 will be the next thing to try.
Step 6 is not applicable
Step 7 has been done and is found to be unlikely the issue.

i will update.

Thank you for your kindly update!

That changes the picture quite a bit and in a useful way. The event signature matches the classic “ghost shutdown” pattern on Windows 10/11 and Windows Server 2016/2019/2022. This is not a crash, but a programmatic shutdown triggered from within the user’s session. A few important facts about this exact signature:

RuntimeBroker.exe is not the cause. It brokers UWP/Modern app requests. When any in-session process calls a shutdown API (e.g., ExitWindowsEx) without a proper reason, Windows often logs Event ID 1074 under RuntimeBroker.exe with reason 0x0 (Other/Unplanned).

The message “Restart/Shutdown initiated by the user from the Start → Power menu” is misleading. It simply means something called the same APIs as the Start menu (ExitWindowsEx, InitiateShutdown, WMI Win32Shutdown, or WinRT ShutdownManager)—not that a user clicked Shut Down.

Since the system shuts down daily, you can reliably capture it:

1. Enable Process Creation auditing with command line (captures shutdown.exe)

Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy → Detailed Tracking → Audit Process Creation = Success

Computer Configuration → Administrative Templates → System → Audit Process Creation → Include command line in process creation events = Enabled

After the next shutdown, in the Security log filter for Event ID 4688 in the minute before the 1074. The Creator Process Name + Process Command Line will name the parent.

2. Enable the WMI-Activity Trace (catches the Win32Shutdown / WMI variant)

Event Viewer → View → Show Analytic and Debug Logs.

Navigate to Applications and Services Logs → Microsoft → Windows → WMI-Activity → Trace → right-click Enable Log.

After the shutdown, look for Event ID 11 in that log. Use ClientProcessId and ClientMachine (can reveal remote initiators)

3. Run Process Monitor with an auto-stop trigger

Trigger on System / User32 / 1074, then stop Procmon:

"C:\WMI\procmon.exe" /Terminate

4. Inspect processes running as DomainUser

Run via powerShell:

# List everything running in the user's session

Get-CimInstance Win32_Process |

Where-Object { (Invoke-CimMethod -InputObject $ -MethodName GetOwner).User -eq 'DomainUser' } |_

Select-Object ProcessId, Name, CommandLine, CreationDate |

Sort-Object CreationDate

Compare with a healthy machine. Differences often include startup scripts / HKCU\Run, kiosk tools, RMM agents, idle-timeout utilities and custom apps calling shutdown APIs

5. Baseline recent 1074 events via Powershell

Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074} -MaxEvents 20 |

Select-Object TimeCreated,

@{n='Process';e={$.Properties[0].Value}},_

@{n='User';e={$.Properties[6].Value}},_

@{n='ReasonCode';e={'0x{0:X}' -f $.Properties[3].Value}},_

@{n='Type';e={$.Properties[4].Value}} |_

Format-Table -AutoSize

If consistently RuntimeBroker.exe + Power off, this confirms an in-session API call, not hardware or OS failure.

I have just been informed, that we do have one system, that consistently shuts down daily. There is still no pattern for the time of day, but at least we now have a test subject where we won't have to wait too long to see results.
I also got the Event wrong, though on most systems, that i checked we did have the previously mentioned event ause the shutdown.

It reads:
The process C:\Windows\System32\RuntimeBroker.exe (Computer) has initiated the power off of computer "Computername" on behalf of user "Domain\DomainUser" for the following reason: "Other (Unplanned)"
Reason Code: "0x0"
Shutdown Type: "power off "
Comment: ""

The problem however persists.

Welcome to Microsoft Q&A Forum! 

Your issue is not a hardware crash but controlled, programmatic shutdowns triggered by shutdown.exe with Event ID 1074 and reason code 0x800000ff. This strongly suggests SCCM deployments, scheduled tasks, WMI calls, or third‑party agents are initiating shutdowns, and the next step is to trace which process or service is calling the shutdown API.

I would like to share some useful information about the event ID 1074 and other concern.

• Controlled shutdown/restart: Logged when a process, script, service, or user explicitly requests shutdown.
• Reason code 0x800000ff: “No title for this reason could be found.” Indicates a programmatic trigger without a mapped reason string.
• SYSTEM vs DOMAIN\User initiators: Both are consistent with automated tools (SCCM, WMI, scheduled tasks) rather than random crashes.

Reference: Identify the cause of unexpected WMI shutdowns - Windows Server | Microsoft Learn

Based on your findings and enterprise patterns, the most probable triggers are:

• SCCM / Configuration Manager: Reboots triggered by software updates or task sequences. Check: C:\Windows\CCM\Logs\RebootCoordinator.log for entries like requested from or scheduled reboot.
• Scheduled Tasks or automation: Hidden/system tasks or GPO‑deployed jobs can run under SYSTEM even if disabled visibly.
• WMI shutdowns: Scripts or management tools using Win32Shutdown silently trigger shutdowns. Microsoft documents enabling WMI Activity tracing to capture PID and user responsible.
• Third‑party agents: Antivirus, monitoring, or legacy software may programmatically call shutdown APIs.
• Custom applications: Even if logs show nothing, background components can conditionally trigger shutdowns.

Hence, I would like to share the following recommended solutions that may you. 

1. Filter Event Viewer

• Look for Event IDs 1074, 13, 6009 (planned shutdowns).
• Absence of 41/6008 confirms no crash/power loss.

2. Trace initiator

• Compare SYSTEM vs DOMAIN\User in Event 1074
• Review process ID and timestamps

3. Check SCCM reboot triggers

Review: _C:\Windows\CCM\Logs\RebootCoordinator._log. And look for “requested from”, “scheduled reboot”, “reboot request succeeded”. This is one of the most reliable sources in SCCM environments

4. Enable deeper tracing

• Enable: Applications and Services Logs → Microsoft → Windows → WMI-Activity → Trace
• Capture WMI shutdown requests and process ID responsible

This is required when shutdown is triggered programmatically

5. Use Process Monitor (ProcMon)

• Filter for process name (shutdown.exe)
• Capture during reproduction window

It helps identify parent process calling shutdown.exe

6. Validate scheduled tasks

• Check Task Scheduler, hidden/system tasks, GPO-deployed tasks
• Run: schtasks /query /fo LIST /v

7. Compare affected vs unaffected machines

Review installed software, services, SCCM deployments, Task Scheduler entries

I hope this information is helpful and thank you for choosing Microsoft Q&A to raise your concern.