Problem

My gaming PC got the fall update quite late and after that it wouldn't stay in sleep. Something got broken in the update and I had to shut it down every single time I didn't want to use it. Annoying!

Debugging - The Reason

The reason it popped back on wasn't big of a mystery. There is a simple command to query the wake reason:

PS C:\WINDOWS\system32> .\powercfg.exe /waketimers
Timer set by [SERVICE] \Device\HarddiskVolume4\Windows\System32\svchost.exe (SystemEventsBroker) expires at 21:46:29 on 15.12.2017.
Reason: Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Reboot' scheduled task that requested waking the computer.

There are number of articles about How to disable wake timers?, but it doesn't fix this.

A peek into Windows Task Scheduler reveals the ugly fact:

There is a hourly scheduled task, that indeed does run every hour and every goddamn hour it will wake my computer from the sleep to see if it needs to reboot it! Who having half a brain made that engineering decision at Microsoft?!

Attempt 1 - Disable the task - FAIL!

Ok, easy thing, let's disable the task. Or ... let's not. It is impossible! The permissions prevent regular human beings from doing that.

After a while, I bumped into somebody else having this same particular problem. Computer is waking up and: Can't modify task “Reboot” in win10 home. Basically, the idea is to go get Sysinternals PStools. It contains a tool called PSexec, which can do the modification for you.

Like this:

First run a cmd.exe with the PSexec 64-bit version:

PS D:\Users\Downloads> .\PsExec64.exe /s cmd.exe

Now, that permission-barrier is fixed, then:

C:\WINDOWS\system32>schtasks /change /tn "\Microsoft\Windows\UpdateOrchestrator\Reboot" /disable
SUCCESS: The parameters of scheduled task "\Microsoft\Windows\UpdateOrchestrator\Reboot" have been changed.

Now the stupid scheduled task is running hourly as expected, but NOT when your computer is sleeping. But ... guess what! Yes! There is something in Windows 10 internals, that keeps that particular task enabled. It will stay disabled for half an hour or so, but ultimately just using the computer makes the task enabled again, and the problem persists.

Attempt 2 - Remove the allow wake setting - FAIL!

By using the PsExec64.exe-trick, it is possible to get an XML-representation of the task, by running:
schtasks /tn "\Microsoft\Windows\UpdateOrchestrator\Reboot" /xml
in the XML-data there is:
<WakeToRun>true</WakeToRun>
... but I don't know how to change a task from XML-file. You can create a new one, but changing seems impossible.

So, ultimately I had to find something else

Attempt 3 - Powershell - FAIL!

Instead of spawning a new cmd.exe, going for PowerShell has benefits - it can actually edit an existing task. There is a built-in applet Get-ScheduledTask, with appropriate counterpart for setting the properties.

Spawn a nice PowerShell-session with appropriate permissions:

.\PsExec64.exe /s powershell.exe

The shell is kinda dead, for example output is garbled and input editing has issues, but if you know what to run, it will do it given the correct permissions.

As suggested in use powershell to find scheduled tasks set to wake the computer, now it is possible to get a list of Scheduled Tasks which have permission to wake the computer:

PS C:\WINDOWS\system32> Get-ScheduledTask | where {$_.settings.waketorun}

My computer will output a list like:

TaskPath                               TaskName
--------                               --------
\Microsoft\Windows\.NET Framework\     .NET Framework NGEN v4.0.3031...
\Microsoft\Windows\.NET Framework\     .NET Framework NGEN v4.0.3031...
\Microsoft\Windows\SharedPC\           Account Cleanup
\Microsoft\Windows\UpdateOrchestrator\ Reboot

A simple(?) one-liner will edit the task (backtick is the word-wrap operator):

Get-ScheduledTask `
  -TaskPath \Microsoft\Windows\UpdateOrchestrator\ `
  -TaskName Reboot |
  %{ $_.Settings.WakeToRun = $false ; `
  Set-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Settings $_.Settings }

Yes, now the task is enabled, but has the appropriate condition setting for allow wake the computer from sleep disabled.

... aaaand it doesn't work. The same thing altering the enabled-state also resets this setting. Darn!

Attempt 4 - Revoke permissions - Success!

This was driving me mad!

It worked perfectly before the stupid update!

Finally, I found an article from Reddit: Is there ANY way to stop UpdateOrchestrator for turning 'wake the computer to run this task' back on after every cumulative update?

That guy suggested to revoke all permissions from the file. Now the automator which keeps resetting the settings fails to touch the file.

The command I ran in PowerShell is:

icacls $env:windir"\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot" `
  /inheritance:r `
  /deny "Everyone:F" `
  /deny "SYSTEM:F" `
  /deny "Local Service:F" `
  /deny "Administrators:F"

That simply puts everybody and everything into deny-list for the file-access. AND IT WORKS!

So, looks like ultimately whatever the mechanism is restoring the setting, somebody loves writing to the file, but it doesn't know how to reset the permissions. Which is nice!

I chose to keep the task enabled, but unset the allow wake -setting. So, when my computer is running, the task is ran every hour as expected, but when my computer is sleeping, my computer is sleeping and doesn't wake for nobody.

Microsoft:
Suggestion, eat your own dog food! If anybody at the Windows-team doing power management/task scheduler would run this at home they would know the annoyance instantly.

The fail

On a peaceful Sunday, I was just minding my own business and BOOM! Internet connection was gone. After a quick debugging session, restarting the router and eyeballing the LEDs, it was evident: something with my ISP Com Hem was down:

Ok, ISP down, what next?
I whipped up the iPhone and went for any possible service announcements. And yes, the above announcement was placed on my user account information. I was stunned by this, it was so cool to have:

• confirmation, that something was down with ISP: Yup, it's broken.
• that information tailored with the geographical location of my subscription: Yup, that fail affects you.

No Finnish ISP or telco has that. I was very impressed with such detail (and still am).

The fix

There is no way I'm sitting on my thumbs on such an event. I was just about to start playing Need for Speed and now Origin wouldn't even log me in, so, no Internet, no gaming.

I have an el-cheapo Huawei Android lying around somewhere, with a Swedish SIM-card in it. My dirt cheap subscription has couple of gigs data transfer per month in it, which I never use. I came up with a plan to temporarily use the cell phone as an Internet connection. The idea would be to hook it up into my Linux router with an USB-cable, make sure the Android pops up as a network interface and then configure the Linux to use that network interface as primary connection.

Thethering

I found tons of information about Android-tethering from Arch Linux wiki. It basically says:

1. Make sure your Android is newer than 2.2
2. Connect the phone to a Linux
3. Enable USB-tethering from the phone's connection sharing -menu
4. Confirm the new network interface's existence on the Linux end

On my phone, there was two settings for personal hotspot. Wifi/Bluetooth and USB:

Connection

New phones have USB-C, but its such a new connector type, that anything older than couple years, has most likely micro-USB -connector:

Hooking it up to a Linux will output tons of dmesg and and ultimately result in a brand new network interface:

# ip addr show
5: enp0s20u4u3:
    link/ether 82:49:a8:b4:96:c9 brd ff:ff:ff:ff:f
    inet 192.168.42.90/24 brd 192.168.42.255 scope
       valid_lft 3595sec preferred_lft 3595sec
    inet6 fe80::7762:e1a9:9fa:69f5/64 scope link
       valid_lft forever preferred_lft forever

Routing configuration

Now that there was a new connection, I tried pinging something in the wild world:
ping -I enp0s20u4u3 193.166.3.2

Nope. Didn't work.
I confirmed, that the default network gateway was still set up into the broken link:
# ip route show
default via 192.168.100.1 dev enp1s0 proto static metric 100

That needs to go to enable some functionality. But what to replace the bad gateway with?
Since the connection had IP-address from Telco DHCP, there is a lease-file with all the necessary information:
# cat /var/lib/NetworkManager/dhclient-*-enp0s20u4u3.lease
lease {
  interface "enp0s20u4u3";
  fixed-address 192.168.42.90;
  option subnet-mask 255.255.255.0;
  option routers 192.168.42.129;

The fixed-address in the file matches the above ip addr show -information. Required information was gathered, and the idea was to ditch the original gateway and replace it with a one from the Android phone's telco:
# ip route del default via 192.168.100.1
# ip route add default via 192.168.42.129 dev enp0s20u4u3
# ip route show
default via 192.168.42.129 dev enp0s20u4u3 proto static metric 101

Now it started cooking:
# ping -c 5 ftp.funet.fi
PING ftp.funet.fi (193.166.3.2) 56(84) bytes of data.
64 bytes from ftp.funet.fi (193.166.3.2): icmp_seq=1 ttl=242 time=35.6 ms
64 bytes from ftp.funet.fi (193.166.3.2): icmp_seq=2 ttl=242 time=31.7 ms

To finalize the access from my LAN, I ran following firewall-cmd --direct commands:
 --remove-rule ipv4 nat POSTROUTING 0 -o enp1s0 -j MASQUERADE
 --add-rule ipv4 nat POSTROUTING 0 -o enp0s20u4u3 -j MASQUERADE
 --add-rule ipv4 filter FORWARD 0 -i enp3s0 -o enp0s20u4u3 -j ACCEPT
 --add-rule ipv4 filter FORWARD 0 -i enp0s20u4u3 -o enp3s0 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT

There is no firewall-cmd --permanent on purpose. I don't intend those to stick too long. I just wanted to play the darn game!

Done!

Now my gaming PC would connect to The Big Net. I could suft the web, read mail and even Origin logged me in.

That's it! Day saved!