Remember the movie Gremlins? A friendly creature that if you fed it after midnight, all heck would break loose and humans would be left to clean up the mess in the morning.
Despite setting all of the basic configurations to the contrary, Windows 11 occasionally reboots after an update on its own. It restores all of the running windows afterward in an attempt to hide this from users. Sometimes it fails on the restart, and I have to dig my laptop out from under the monitor stand where it is connected to everything via a USB dock. Other times it succeeds and most users wouldn’t notice. I, on the other hand, have a massive amount of data and virtual machines collected over 34 years of Windows versions (and another 6 of DOS and whatever the original Mac OS was), all of which reside on encrypted external drives, and there is only one reason they will all have been disconnected: a stealthy reboot.
Step 1: Spot the Sneaky Restart in Event Logs (Skip the Freezing GUI)
Event Viewer sounds official, but it freezes like molasses when filtering big logs. Don’t bother with it—use PowerShell instead (search “PowerShell” → Run as Admin).
First command to check for crashes/power losses:
PowerShell
Get-WinEvent -FilterHashtable @{LogName='System'; Id=41,6008} -MaxEvents 20 | Sort-Object TimeCreated -Descending | Select-Object -First 1 TimeCreated, Id, LevelDisplayName, Message | Format-List
- What it does: Looks for “dirty” shutdowns (ID 41 or 6008). No results? Good news—your restart was “clean” (planned). (Mine showed nothing, so not a crash.)
Step 2: Dig for the Real Story with Broader Boot/Shut Logs
No crash? Check all reboot clues:
PowerShell
Get-WinEvent -FilterHashtable @{LogName='System'; ID=12,13,1074,6005,6006,6009} -MaxEvents 10 | Sort-Object TimeCreated -Descending | Format-Table TimeCreated, Id, LevelDisplayName, ProviderName, Message -Wrap
- Key IDs: 1074 reveals who restarted (e.g., “TrustedInstaller.exe… Operating System: Upgrade (Planned)”).
- The Culprit: TrustedInstaller (Windows Update’s installer) often forces an “upgrade” reboot. (Mine hit at 10:51 PM—classic move.)
Bonus quick boot time check:
PowerShell
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object LastBootUpTime
Step 3: Lock Down Future Restarts (Microsoft’s Hidden Maze)
Your BSOD “no auto-restart” setting? Useless here. Windows ignores it for updates. Time for the real fixes.
Quick Registry Shield (Copy-Paste PowerShell as Admin)
PowerShell
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoRebootWithLoggedOnUsers" -Value 1 Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "AlwaysAutoRebootAtScheduledTime" -Value 0 gpupdate /force
- Why it works: Tells Windows “Don’t reboot if I’m logged in.” Verify with
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU".
Pro GUI Version (gpedit.msc)
- Run
gpedit.msc→ Computer Config → Admin Templates → Windows Components → Windows Update → Manage end user experience. - Enable Configure Automatic Updates → “2 – Notify download/install”. (This stops the OS from making decisions for you.)
- Enable Turn off auto-restart during active hours → Wide hours (e.g., 6 AM–11 PM).
gpupdate /force.
Nuclear Option: Tame Update Orchestrator
services.msc→ Update Orchestrator Service → Startup: Disabled → Stop.- No sneaky scheduling anymore (updates still work manually).
Why Microsoft Makes This So Hard (Minor Rant)
I get why the default configuration reboots on its own. Most users will never bother to check updates on their own, and if they are installed automatically but require a reboot, the message will be ignored by the general populace until the next upgrade. Anytime a non-technical friend or family member brings me a device that is giving them problems, finishing an update fixes it 92.8% of the time. But…
There’s a bunch of us nerds who came up from our basements (or down from the attic, in my case) and still want fine control over our own equipment without having to spend 4 hours on Google (or Gemini, or Claude, or…you get the idea). Or blowing up a movie theatre.
© Scott S. Nelson