Unknown event occurs at exactly 10 minute intervals

An unknown event occurs at exactly the 10 minute interval (i.e 7:00, 7:10, 7:20 etc). It is expressed as a black pop-up in the left corner of my primary screen - about the size of a CMD window. It occurs for only a brief portion of a second, way too quick to even tell if there is anything in the box. It is however, long enough to prevent the computer from going to sleep normally. It's been going on for a few weeks, but I can't correlate it to any particular change in my system which has only been running 11 for a couple of months. ("Upgraded" from 7.)

Application Event viewer says the Restart Manager (Event ID 10001 and 10000) starts and ends a session at these intervals.

Malwarebytes says I have no malware. CHKDSK says all files are normal.

Welcome to the forum. The restart manager is used by windows update and application updates, Explained here. About Restart Manager - Win32 apps


I suggest you start by performing a clean boot to eliminate software conflict causing the issue. If it doesn't happen in a clean boot, you have some software conflicting with Windows or even a software that is corrupted.. You have to narrow it down using the process of elimination. Brink's procedure will help you weed out which one. Perform a Clean Boot in Windows 11 to Troubleshoot Software Conflicts Tutorial

Thanks @glasskuter . I will give that a try.

You might want to get a Process Monitor trace too and check which processes it is terminating in order to release the files being held by them.

x BlueRobot said:

You might want to get a Process Monitor trace too and check which processes it is terminating in order to release the files being held by them.

Click to expand...

So, getting back to this. The event is still occurring at 10 min intervals and is indeed a terminal window that flashes open and closed.
SFC says no integrity violations. Malware scanners don't detect any threats.
Process Monitor provides waaaay too much information but I have driven my eyes red trying to identify meaningful data. I'm wondering if it isn't related to NVidia...
A bunch of terminal operations occur soon after which seem to refer to every language extension;

You need to filter the log down to process termination, check which processes are being terminated or at least look at which files are being closed.

ProcMon is not exactly intuitive and the GitHub just says learn by doing ...
What terms would I use to filter?

I've attached a zip file for a ProcMon filter. Download the attached zip and extract it. In Process Monitor, go to the Filter menu, then Organize Filters. Click the Import button and import the attached file. Click OK to save this filter. On the Filter menu again, choose Load Filter, and then the Process Start and Stop filter.

Clear the ProcMon log and start capturing again.

pseymour said:

I've attached a zip file for a ProcMon filter. Download the attached zip and extract it. In Process Monitor, go to the Filter menu, then Organize Filters. Click the Import button and import the attached file. Click OK to save this filter. On the Filter menu again, choose Load Filter, and then the Process Start and Stop filter.

Clear the ProcMon log and start capturing again.

Click to expand...

How cool is that - certainly cut down the clutter!


If it is relevant, I don't use Teams.

I'm wondering what the process " sjctbcs " is?

Double click that entry, and take screenshots of the three tabs, so we can see what's up.

@pseymour I don't use One Drive either

On the premise that it is easier to take out the archers than intercept the arrows, maybe I could just delete the roaming profile?

No, don't delete the Roaming folder. Not sure Windows will even let you do that, but it's a necessary folder anyway.

This is some randomly-named .NET application in your user folder, which raises my suspicion. Have you submitted it to VirusTotal to see what it says?

Edit: I say it's suspicious because I'm a .NET developer myself. That program says it's the .NET Assembly Registration Utility. That actual utility is named RegAsm.exe, not some crazy random string.

Also, not sure what the comment about OneDrive was about.

Additionally, you can grab a copy of AutoRuns, and search for that "sjctbcs" thing. There's a filter box at the top of AutoRuns. I'd be willing to bet you have a scheduled task or something running this thing periodically.

Autoruns for Windows - Sysinternals

pseymour said:

No, don't delete the Roaming folder. Not sure Windows will even let you do that, but it's a necessary folder anyway.

This is some randomly-named .NET application in your user folder, which raises my suspicion. Have you submitted it to VirusTotal to see what it says?

Edit: I say it's suspicious because I'm a .NET developer myself. That program says it's the .NET Assembly Registration Utility. That actual utility is named RegAsm.exe, not some crazy random string.

Also, not sure what the comment about OneDrive was about.

Click to expand...

What file would I submit to VirusTotal? I don't see any of those names in the Roaming folder.

The file could be hidden. Set Explorer to show hidden files, at least temporarily while we do this.

Found two similar posts about this...

Redirecting

I searched for "sjctbcs" with AutoRun. It only flagged (Roaming ...\Startup) DDM2.0.lnk which applies to Dell Display Manager Autolaunch but gives a 'file not found' error.

CCleaner found nothing.

Just wondering. Did you even try a clean boot?

glasskuter said:

Just wondering. Did you even try a clean boot?

Click to expand...

Yes. I performed a clean boot and then, without opening any programs, just waited for the ten minute interval. The terminal window popped up just the same.