Sorry I didn't get back to you sooner. If you still have the ERP installed, have you started seeing alerts? Either way, look in the system tray and right-click on the icon. Set the mode to Alert Mode if it's not already set that way.
Just look closely at the alerts. See what is requesting activity and what it's trying to start. You can whitelist by command line, which means you can let command lines go by that you know are safe. It's safer just to allow rather than whitelist, but the whitelist is there.
What you can do with NVT is follow the progression of malware via the alerts. In this case, you are looking for something that turns off your computer but not necessarily malware. It works the same.
Try the following. Double-click on the tray icon and choose File->settings in the menu up top. Click on the advanced tab and then Vulnerable Processes about halfway down on the program client. Next, right-click in the area where you see data in Vulnerable Processes. Select add new. Navigate to C:\Windows\system32\csrss.exe and add it. Then do the same thing with C:\Windows\system32\winlogon.exe. Also, while you are at it, you might want to add C:\Windows\system32\taskeng.exe or C:\Windows\syswow\taskeng.exe, depending on what OS version of W7 you have, 32 or 64 bit.
If you get any alerts from those processes, just make note of anything interesting you see and then click allow, or you can click block if something is trying to restart the computer. Just don't whitelist anything, but it isn't a big deal if you do. If you blacklist whatever is causing the restarts, they will stop for sure, however. Otherwise, stay away from blacklisting Windows processes, because that can cause the system to function improperly and send you to safe mode to adjust the ERP settings. No harm long term. Be sure to look at the command line in the alert. Note anything you don't recognize, and you can post it back.
Any time anything initiates a restart, you should get an alert that will give you helpful information on what initiated the event, in this case shutdown. Then you will know if it's a program or a scheduled task, and you can hunt it down. When you are done with your investigation, you can delete the entries you added to the Vulnerable Processes list.