Windows 11 PC shuts down automatically after fixed time, need help identifying what triggers it (offline analysis)

NeVet24 · Dec 15, 2025

Hi everyone,

I’m dealing with a very persistent and unusual shutdown issue on a Windows 11 PC and would really appreciate expert help.

Problem summary:
• The computer shuts down automatically after a fixed amount of time (previously ~1 hour, now sometimes ~1 minute).
• It happens even before logging into a user account.
• It does NOT shut down while staying in BIOS.
• shutdown -a does NOT cancel it.
• This is NOT overheating or power supply related.

System:
• Windows 11 (exact build unknown at the moment)
• Gigabyte H510M H V2 motherboard
• PC was self-built
• BIOS password was previously set, later cleared via CMOS reset

Important background:
Previously, a parental time control program called “Babaika / Parents Time Control” was installed. It is known to:
• Run invisibly
• Shut down the PC when daily time expires
• Store state so shutdown can happen shortly after boot
• Work via service / background agent

I removed all visible Babaika files, renamed folders, deleted limit.txt files, etc.
However, the shutdown behavior continued, so I suspect:
• a leftover service
• a scheduled task
• or a kernel-level component / driver

What I have already checked (offline, via BootCD / WinPE):
• Prefetch folder (C:\Windows\Prefetch)
Found repeated launches of a non-system file named “AGENT.EXE”
• Recent files
• Startup folders
• BIOS settings
• Power settings

Prefetch shows AGENT.EXE launching shortly before shutdown events.
System files (svchost, runtimebroker, trustedinstaller, etc.) look normal.

Current situation:
• I can boot from external media (BootCD / WinPE)
• Windows Event Viewer is not available directly, so I’m trying to analyze System.evtx offline
• I want to determine EXACTLY what process or service initiates the shutdown

My questions:
1. What is the best way to identify a shutdown initiator using offline analysis (System.evtx, services, drivers)?
2. Could a leftover service or driver still enforce shutdown even if the original EXE was removed?
3. What specific Event IDs or registry/service locations should I focus on for time-based shutdowns?
4. Any known cases of parental control software persisting after removal?

I’m happy to provide:
• Event log excerpts
• Prefetch listings
• Service lists (offline)
• Folder paths of suspicious files

Thanks in advance, any help or ideas are very welcome.

maur0 · Dec 15, 2025

NeVet24 said:
Hi everyone,

I’m dealing with a very persistent and unusual shutdown issue on a Windows 11 PC and would really appreciate expert help.

Problem summary:
• The computer shuts down automatically after a fixed amount of time (previously ~1 hour, now sometimes ~1 minute).
• It happens even before logging into a user account.
• It does NOT shut down while staying in BIOS.
• shutdown -a does NOT cancel it.
• This is NOT overheating or power supply related.

System:
• Windows 11 (exact build unknown at the moment)
• Gigabyte H510M H V2 motherboard
• PC was self-built
• BIOS password was previously set, later cleared via CMOS reset

Important background:
Previously, a parental time control program called “Babaika / Parents Time Control” was installed. It is known to:
• Run invisibly
• Shut down the PC when daily time expires
• Store state so shutdown can happen shortly after boot
• Work via service / background agent

I removed all visible Babaika files, renamed folders, deleted limit.txt files, etc.
However, the shutdown behavior continued, so I suspect:
• a leftover service
• a scheduled task
• or a kernel-level component / driver

What I have already checked (offline, via BootCD / WinPE):
• Prefetch folder (C:\Windows\Prefetch)
Found repeated launches of a non-system file named “AGENT.EXE”
• Recent files
• Startup folders
• BIOS settings
• Power settings

Prefetch shows AGENT.EXE launching shortly before shutdown events.
System files (svchost, runtimebroker, trustedinstaller, etc.) look normal.

Current situation:
• I can boot from external media (BootCD / WinPE)
• Windows Event Viewer is not available directly, so I’m trying to analyze System.evtx offline
• I want to determine EXACTLY what process or service initiates the shutdown

My questions:
1. What is the best way to identify a shutdown initiator using offline analysis (System.evtx, services, drivers)?
2. Could a leftover service or driver still enforce shutdown even if the original EXE was removed?
3. What specific Event IDs or registry/service locations should I focus on for time-based shutdowns?
4. Any known cases of parental control software persisting after removal?

I’m happy to provide:
• Event log excerpts
• Prefetch listings
• Service lists (offline)
• Folder paths of suspicious files

Thanks in advance, any help or ideas are very welcome.

Try3 · Dec 15, 2025

NeVet24 said:
I removed all visible Babaika files

I suggest you check their website / user forum for any guidance such as a specialist uninstall tool that removes remnants such as those that might cause your symptoms.

I assume you did not make a system image before installing that utility.

Denis

Try3 · Dec 15, 2025

MS SysInternals AutoRuns might reveal some remnant that starts with Windows.
Autoruns for Windows

my list of AutoRuns links [post #16] - TenForums

Denis

hader · Dec 15, 2025

My suggestion? Remove that program. You may already have done that already but there is still stuff inside the registry and/or tasks that was not removed. Take a look inside scheduled tasks because that 1 hour is a dead giveaway. Type: Win+R and type taskschd.msc. When open; open Task Schedular-Library. If the maker did a good job; there should be at that level an entry called; "Babaika" (or the company's name. Something you would recognize....) Look under that tree and find out if there is a task that runs every hour and shuts down your PC. Delete that task. If you can't see an entry at that level; That will become a little bit difficult. It then can hide itself under the Microsoft tree. Do you see it there?

To bad you can't search for such an entry. It's nobody's business to make a task under the Microsoft tree. If you find any tasks called "Babaika" just delete it.

The further option is to use a clean registry program. There are many of them. Programs like Yamicsoft's Windows 11 manager, or Revo's Registry Cleaner Pro and others. Both Windows Manager and Registry Pro are capable of inspecting your registry and finding keys that are invalid (because they are pointing to a program, location, etc. that does exists anymore) They will highlight those keys. After completion; Hit clean registry. Both will ask you if you want to save the to be deleted keys first. Always say yes!!!!! After the save it will delete all invalid keys. (if you do this for the first time? I can be as more than a hunderd.... The registry is also a thing that needs maintenance once in a while. If you don't? More and more not deleted keys will accumulate during time. When Windows starts it will go through the whole registry. At a certain point it becomes slower and slower because it has to go though all those invalid keys. Just a tip) The "save" contains a .reg file. Want to put back everything? (undo the save) DoubleClick on it and all deleted entry's are injected again into your registry.

Let me know if you had any succes removing the cause..... It's better to ask then to reinstall Windows if things go wrong.

glasskuter · Dec 15, 2025

I disagree with the others. If you know it's not heat related, to be make sure it's not hardware/bios related, I would boot from a live Linux distro usb drive like Ubuntu or Mint Cinnamon. If it doesn't shut down, I wouldn't jack around wasting my time with it. I'd backup any important personal files while using the distro and clean install Windows.

NeVet24 · Dec 16, 2025

hader said:
My suggestion? Remove that program. You may already have done that already but there is still stuff inside the registry and/or tasks that was not removed. Take a look inside scheduled tasks because that 1 hour is a dead giveaway. Type: Win+R and type taskschd.msc. When open; open Task Schedular-Library. If the maker did a good job; there should be at that level an entry called; "Babaika" (or the company's name. Something you would recognize....) Look under that tree and find out if there is a task that runs every hour and shuts down your PC. Delete that task. If you can't see an entry at that level; That will become a little bit difficult. It then can hide itself under the Microsoft tree. Do you see it there?

To bad you can't search for such an entry. It's nobody's business to make a task under the Microsoft tree. If you find any tasks called "Babaika" just delete it.

The further option is to use a clean registry program. There are many of them. Programs like Yamicsoft's Windows 11 manager, or Revo's Registry Cleaner Pro and others. Both Windows Manager and Registry Pro are capable of inspecting your registry and finding keys that are invalid (because they are pointing to a program, location, etc. that does exists anymore) They will highlight those keys. After completion; Hit clean registry. Both will ask you if you want to save the to be deleted keys first. Always say yes!!!!! After the save it will delete all invalid keys. (if you do this for the first time? I can be as more than a hunderd.... The registry is also a thing that needs maintenance once in a while. If you don't? More and more not deleted keys will accumulate during time. When Windows starts it will go through the whole registry. At a certain point it becomes slower and slower because it has to go though all those invalid keys. Just a tip) The "save" contains a .reg file. Want to put back everything? (undo the save) DoubleClick on it and all deleted entry's are injected again into your registry.

Let me know if you had any succes removing the cause..... It's better to ask then to reinstall Windows if things go wrong.

Thanks for the detailed reply.

Important detail: I currently do NOT have administrator access inside Windows.
I’m doing most of the investigation offline via BootCD / WinPE.

Because of that, I can’t use taskschd.msc directly.
However, I will manually inspect:
C:\Windows\System32\Tasks
and the Microsoft subfolders offline.

Prefetch already shows repeated launches of AGENT.EXE shortly before shutdowns,
so I strongly suspect a leftover scheduled task or service.

I’ll report back if I find a suspicious task XML.
Thanks again.

Try3 · Dec 17, 2025

NeVet24 said:
Important detail: I currently do NOT have administrator access inside Windows

Unless you can fix that I think you will have no choice but to reinstall WIndows.
Why did you say currently?

Denis

hader · Dec 17, 2025

NeVet24 said:
Thanks for the detailed reply.

Important detail: I currently do NOT have administrator access inside Windows.
.....
Prefetch already shows repeated launches of AGENT.EXE shortly before shutdowns,
so I strongly suspect a leftover scheduled task or service.

I’ll report back if I find a suspicious task XML.
Thanks again.

OK. Odd that you're not have administrator rights on that machine. (Installed and deinstalled it under a separate account?) Would make life so much easier.
The task are indeed inside C:\Windows\System32\Tasks. The files there don't have any extension with it. It's content has an XML format.

If you are able to delete that task (that has to be seen as your not an administrator) don't forget to delete the correct accompanying task inside the registry.
The entry's under the Tasks tree has a GUID format, but you can search from there by searching using the name of the task. You have to delete (if you can start regedit..) that entry also in the registry. Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
Then you need also delete the task (name is visible, it's "path" was already visible in the task itself) in the Tree below Tasks.
Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Yes I am certain it's a leftover in the scheduled task. Don't believe it is an service. (To much hassle. Finding out when the PC started and look at the time. If 1 hour then shutdown.... Can easily be achieved by a task. That what they are there for; starting jobs under certain conditions.)

There maybe an alternate solution to all of this. You can edit the task. There must be a line like shutdown /s /t 0 inside the task. If you remove that entry (empty) that will prevent a shutdown. The task may be triggered but that has no consequences. Look also at the Logon task. There can be an action been added like shutdown /s /t 3600 (shutdown after 1 hour)

It's not easy to do this with one hand tied behind your back. Goodluck.
N.B. You also need to clean your registry! If this was an leftover who know how many rubbish has been left behind..

gunrunnerjohn · Dec 17, 2025

NeVet24 said:
Important detail: I currently do NOT have administrator access inside Windows.
I’m doing most of the investigation offline via BootCD / WinPE.

This seems kinda' important! Why exactly don't you have admin access? If you have a an admin account on this machine, you can give that account admin access.

gewb · Dec 17, 2025

I recommend first updating the BIOS to version F5b. This BIOS update addresses critical security vulnerabilities (CVE-2025-7026, CVE-2025-7027, CVE-2025-7029) identified by BRLY. That should wipe anything hiding there.

Following that, I agree with glasscutter in post #6 - boot to Linux and test/recover files then wipe and reload Windows from backup or from scratch.

hader · Dec 18, 2025

gunrunnerjohn said:
This seems kinda' important! Why exactly don't you have admin access? If you have a an admin account on this machine, you can give that account admin access.

Would not say this; I suspect this is not his laptop/PC..... All he has to do is ask the owner that installed Windows for his account to log in. If this is a company's laptop/PC let their tech support solve this issue. Some else installed Windows. He may only have an user account that is limited. That could be the reason why he is not Admin on this laptop/PC. As it's often the case with company's laptop's/PC's..... Or he bought it on eBay and the previous owner didn't gave his credentials. :eyeroll:

idgat · Dec 18, 2025

I've had some doubts about the OPs access to this device from the start

Plain and simple, replace the drive with a new one and do a clean install

No matter what's going on here, I don't know why anyone would accept a second hand device and not do a clean install, at the minimum, but with preferably a new drive replacement.

Eksy61 · Dec 18, 2025

Get Autoruns for PC (it's free).

Autoruns - Sysinternals

See what programs are configured to startup automatically when your system boots and you login.

learn.microsoft.com

Autoruns wlll display a list of everything that is designed to run at bootup and/or login. (You may be surprised how much stuff that is!)
Then search for "Babaika" in the list of vendors.
Some apps even install auxiliary tasks in AppData.

Alternatively, just complain to whoever installed this app that it's failed.

hader · Dec 18, 2025

Eksy61 said:
Get Autoruns for PC (it's free).

Autoruns - Sysinternals

See what programs are configured to startup automatically when your system boots and you login.

learn.microsoft.com

Autoruns wlll display a list of everything that is designed to run at bootup and/or login. (You may be surprised how much stuff that is!)
Then search for "Babaika" in the list of vendors.
Some apps even install auxiliary tasks in AppData.

Alternatively, just complain to whoever installed this app that it's failed.

Don't think this will run. Sysinternal programs must run under a user that has admin rights. He has no admin rights.

Try3 · Dec 18, 2025

Here is the OP's previous thread
PC shuts down automatically every 60 minutes - how to find what triggers it?

Denis

gunrunnerjohn · Dec 18, 2025

hader said:
Would not say this; I suspect this is not his laptop/PC..... All he has to do is ask the owner that installed Windows for his account to log in. If this is a company's laptop/PC let their tech support solve this issue. Some else installed Windows. He may only have an user account that is limited. That could be the reason why he is not Admin on this laptop/PC. As it's often the case with company's laptop's/PC's..... Or he bought it on eBay and the previous owner didn't gave his credentials.

Yes, you are stating the obvious! I was really looking for the reason that he couldn't obtain access.

I realize the implications, just wanted to hear it from the source. When you're working on stuff like this, it's hard to imagine making much progress without admin rights.

I'm checking out anyway, we're wasting our time thinking about this if it's not his laptop, let the owner figure it out.

Windows 11 PC shuts down automatically after fixed time, need help identifying what triggers it (offline analysis)

New member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

aka Mama Glass

My Computers

New member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Similar threads