Windows reverted to old state!

Fluzzyy

Honorable
Dec 22, 2013
126
0
10,710
Hey!

So I shut down my computer normally today approx. 3-4 hrs ago. Now that I came back home and booted it, I was confused because I saw my old wallpaper and desktop items etc. It seems like my computer has reverted to an older state. Like 1-2 years back!? It would be all good otherwise, but I have (or had?) important files I would like to keep. Is it possible for me to get back to the state I was in 4 hrs ago? Or is this a lost case? I'll give you the event log briefly. Ask if you need more information.

Log Name: Application
Source: Backupper Service
Date: 21.8.2017 23:24:14
Event ID: 0
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Roope-PC
Description:
The description for Event ID 0 from source Backupper Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Backupper Service
Backupper Service in OnStart

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Backupper Service" />
<EventID Qualifiers="0">0</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-08-21T20:24:14.000000000Z" />
<EventRecordID>41284</EventRecordID>
<Channel>Application</Channel>
<Computer>Roope-PC</Computer>
<Security />
</System>
<EventData>
<Data>Backupper Service</Data>
<Data>Backupper Service in OnStart</Data>
</EventData>
</Event>

-------------------------------------------------------------------------------------------

Log Name: Application
Source: Microsoft-Windows-WMI
Date: 21.8.2017 23:25:08
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Roope-PC
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMI" Guid="{1edeee53-0afe-4609-b846-d8c0b2075b1f}" EventSourceName="WinMgmt" />
<EventID Qualifiers="49152">10</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-08-21T20:25:08.000000000Z" />
<EventRecordID>41306</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Roope-PC</Computer>
<Security />
</System>
<EventData>
<Data>//./root/CIMV2</Data>
<Data>SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99</Data>
<Data>0x80041003</Data>
</EventData>
</Event>

------------------------------------------------------------------------------------------

Log Name: System
Source: EventLog
Date: 21.8.2017 23:23:35
Event ID: 6008
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Roope-PC
Description:
The previous system shutdown at 19:02:23 on ‎11.‎3.‎2015 was unexpected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="EventLog" />
<EventID Qualifiers="32768">6008</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-08-21T20:23:35.000000000Z" />
<EventRecordID>173538</EventRecordID>
<Channel>System</Channel>
<Computer>Roope-PC</Computer>
<Security />
</System>
<EventData>
<Data>19:02:23</Data>
<Data>‎11.‎3.‎2015</Data>
<Data>
</Data>
<Data>
</Data>
<Data>146</Data>
<Data>
</Data>
<Data>
</Data>
<Binary>DF07030003000B00130002001700D603DF07030003000B00110002001700D6033C0000003C000000000000000000000000000000000000000100000000000000</Binary>
</EventData>
</Event>

---------------------------------------------------------------------------------------------------------------------

Log Name: System
Source: Microsoft-Windows-SharedAccess_NAT
Date: 21.8.2017 23:25:26
Event ID: 30013
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Roope-PC
Description:
The DHCP allocator has disabled itself on IP address 192.168.1.4, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-SharedAccess_NAT" Guid="{A6F32731-9A38-4159-A220-3D9B7FC5FE5D}" EventSourceName="ipnathlp" />
<EventID Qualifiers="0">30013</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-08-21T20:25:26.000000000Z" />
<EventRecordID>173658</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>Roope-PC</Computer>
<Security />
</System>
<EventData Name="IP_AUTO_DHCP_LOG_NON_SCOPE_ADDRESS">
<Data Name="param1">192.168.1.4</Data>
<Data Name="param2">192.168.137.0</Data>
<Data Name="param3">255.255.255.0</Data>
</EventData>
</Event>
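
The Event 6008 record in the post above was logged on 2017-08-21 but reports a previous shutdown on 11.3.2015. As an added example (not part of the original post), this Python snippet decodes that record's Binary field and measures the gap against TimeCreated. It assumes the field begins with two 16-byte SYSTEMTIME structures, local time first and UTC second, which is checked here only against the Description string in the post; the function names are hypothetical.

```python
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event 6008 as posted above, trimmed to the fields this example reads.
EVENT_6008 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="EventLog" />
<EventID Qualifiers="32768">6008</EventID>
<TimeCreated SystemTime="2017-08-21T20:23:35.000000000Z" />
<EventRecordID>173538</EventRecordID>
</System>
<EventData>
<Binary>DF07030003000B00130002001700D603DF07030003000B00110002001700D6033C0000003C000000000000000000000000000000000000000100000000000000</Binary>
</EventData>
</Event>"""


def decode_systemtime(raw):
    """Decode one 16-byte SYSTEMTIME: eight little-endian 16-bit fields."""
    year, month, _weekday, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def analyse_6008(event_xml):
    root = ET.fromstring(event_xml)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # TimeCreated is UTC ("Z") with nanosecond digits; whole seconds suffice.
    logged = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    raw = bytes.fromhex(root.find("e:EventData/e:Binary", NS).text.strip())
    prev_local = decode_systemtime(raw[0:16])   # assumed: local time
    prev_utc = decode_systemtime(raw[16:32])    # assumed: UTC
    return {
        "record_id": int(root.find("e:System/e:EventRecordID", NS).text),
        "logged_utc": logged,
        "prev_shutdown_local": prev_local,
        "prev_shutdown_utc": prev_utc.replace(tzinfo=timezone.utc),
        "utc_offset_hours": (prev_local - prev_utc).total_seconds() / 3600,
        # Time the installation has no record of between shutdown and this boot.
        "gap": logged - prev_utc.replace(tzinfo=timezone.utc),
    }


if __name__ == "__main__":
    for key, value in analyse_6008(EVENT_6008).items():
        print(f"{key}: {value}")
```

A gap of years between the decoded shutdown time and TimeCreated means the booted Windows installation last ran in 2015, which points at a different disk, partition or restored image being booted rather than the one in use hours earlier.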

 

Fluzzyy

More logs below:

Log Name: Application
Source: Microsoft-Windows-RPC-Events
Date: 21.8.2017 23:27:04
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: Roope-PC
Description:
Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 840) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (20). User Action: Contact your application vendor for an updated version of the application.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC-Events" Guid="{F4AED7C7-A898-4627-B053-44A7CAA12FCD}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-08-21T20:27:04.432304800Z" />
<EventRecordID>41325</EventRecordID>
<Correlation />
<Execution ProcessID="840" ThreadID="1040" />
<Channel>Application</Channel>
<Computer>Roope-PC</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData>
<Data Name="ApplicationName">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</Data>
<Data Name="ProcessId">840</Data>
<Data Name="InterfaceId">{3F31C91E-2545-4B7B-9311-9529E8BFFEF6}</Data>
<Data Name="Method">20</Data>
</EventData>
</Event>

------------------------------------------------------------------------------

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 21.8.2017 23:27:06
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Roope-PC
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
9 user registry handles leaked from \Registry\User\S-1-5-21-277359064-2101747513-2303701814-1000:
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\trust
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\My
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\CA
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\Root
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Policies\Microsoft\SystemCertificates
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Policies\Microsoft\SystemCertificates
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\SmartCardRoot

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-08-21T20:27:06.320308300Z" />
<EventRecordID>41328</EventRecordID>
<Correlation ActivityID="{036BAC40-F800-0000-698A-5D4EBB1AD301}" />
<Execution ProcessID="1084" ThreadID="4196" />
<Channel>Application</Channel>
<Computer>Roope-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">9 user registry handles leaked from \Registry\User\S-1-5-21-277359064-2101747513-2303701814-1000:
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\trust
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\My
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\CA
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\Root
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Policies\Microsoft\SystemCertificates
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Policies\Microsoft\SystemCertificates
Process 6244 (\Device\HarddiskVolume1\Windows\SysWOW64\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
</Data>
</EventData>
</Event>

----------------------------------------------------------------

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 21.8.2017 23:27:07
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Roope-PC
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-277359064-2101747513-2303701814-1000_Classes:
Process 6056 (\Device\HarddiskVolume1\Program Files (x86)\Google\Update\GoogleUpdate.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000_CLASSES

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-08-21T20:27:07.443510300Z" />
<EventRecordID>41329</EventRecordID>
<Correlation ActivityID="{036BAC40-F800-0000-698A-5D4EBB1AD301}" />
<Execution ProcessID="1084" ThreadID="4196" />
<Channel>Application</Channel>
<Computer>Roope-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">1 user registry handles leaked from \Registry\User\S-1-5-21-277359064-2101747513-2303701814-1000_Classes:
Process 6056 (\Device\HarddiskVolume1\Program Files (x86)\Google\Update\GoogleUpdate.exe) has opened key \REGISTRY\USER\S-1-5-21-277359064-2101747513-2303701814-1000_CLASSES
</Data>
</EventData>
</Event>

-------------------------------------------------------------------

Log Name: Application
Source: Microsoft-Windows-WMI
Date: 21.8.2017 22:30:50
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Roope-PC
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMI" Guid="{1edeee53-0afe-4609-b846-d8c0b2075b1f}" EventSourceName="WinMgmt" />
<EventID Qualifiers="49152">10</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-08-21T19:30:50.000000000Z" />
<EventRecordID>41353</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Roope-PC</Computer>
<Security />
</System>
<EventData>
<Data>//./root/CIMV2</Data>
<Data>SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99</Data>
<Data>0x80041003</Data>
</EventData>
</Event>