This sounds strange, but something uninstalled my Plex server. I still see it listed in my apps and programs, but most of the directories are gone from the main folder. Only the resources folder remains.
I see these entries in my event log around 2:05am on 9-11:
Successfully created restore point (Process = C:\WINDOWS\Temp{060A301A-EB32-4F82-AC6C-61175ED6650A}.be\pms.exe -q -burn.elevated BurnPipe.{C391A8C2-A879-48C7-B1A3-174CE83ECA19} {4A112A8E-584C-44A6-92F2-F19818E3C19D} 11140; Description = Plex Media Server).
Successfully created restore point (Process = C:\WINDOWS\Temp{A8708E94-1DDF-46A2-ABDC-378066CDC049}.be\VC_redist.x86.exe -q -burn.elevated BurnPipe.{C1D0AED9-A101-452A-BD10-980D29ED73FA} {ABC1BE03-1777-421D-830C-1571BDECBDEE} 12884; Description = Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.24.28127).
Beginning a Windows Installer transaction: {617685F1-E82D-4F3B-9594-69DE9726C5BD}. Client Process Id: 11896.
Starting session 0 - 2021-09-11T06:05:43.145267700Z. (this was from Restart Manager)
Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW. hr = 0x80070006, The handle is invalid.
.
Operation:
Executing Asynchronous Operation
Context:
Current State: DoSnapshotSet
Application ‘C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service Launcher.exe’ (pid 7296) cannot be restarted - Application SID does not match Conductor SID…
One entry says a machine restart is required and then:
Application ‘C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service Launcher.exe’ (pid 7296) cannot be restarted - Application SID does not match Conductor SID…
Scoping completed for shadowcopy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2.
Scoping unsuccessful for shadowcopy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2 with error 0x80070057.
Product: Plex Media Server – Removal completed successfully.
Windows Installer removed the product. Product Name: Plex Media Server. Product Version: 1.24.2973. Product Language: 1033. Manufacturer: Plex, Inc… Removal success or error status: 0.
Ending a Windows Installer transaction: {617685F1-E82D-4F3B-9594-69DE9726C5BD}. Client Process Id: 11896.
Beginning a Windows Installer transaction: {8E8AB16A-76C5-45A2-8B73-D0B303B19C93}. Client Process Id: 11896.
Product: Stopping Plex – Removal completed successfully.
Windows Installer removed the product. Product Name: Stopping Plex. Product Version: 1.24.2973. Product Language: 1033. Manufacturer: Plex, Inc… Removal success or error status: 0.
Ending a Windows Installer transaction: {8E8AB16A-76C5-45A2-8B73-D0B303B19C93}. Client Process Id: 11896.
Ending session 0 started 2021-09-11T06:05:43.145267700Z.
Ending session 0 started 2021-09-11T06:05:47.771010200Z.
Starting session 0 - 2021-09-11T06:10:16.076308300Z.
Ending session 0 started 2021-09-11T06:10:16.076308300Z.
I’ve been looking for signs of a compromise but I don't see anything out of the ordinary otherwise. The server is behind my router and only port 32400 goes to it.
If I am reading it correctly, Windows created a snapshot because Plex told it to. But then Plex uninstalled itself and then tried to launch Plex Update Service Launcher.exe but couldn't because it was removed?
I have backups so I can restore, but I find this very odd.
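When triaging an unexpected uninstall like this one, it helps to line the installer entries up mechanically. The following Python script is an added example, not part of the original post: it pairs the Windows Installer Begin/End entries by transaction GUID, attaches the removals logged in between, and extracts the elevated bootstrapper's command line. The message texts are copied from the post; the function names are hypothetical, and reading the last `-burn.elevated` argument as the launching process's PID is an assumption about the WiX Burn command line.

```python
import re

# Message texts copied from the post (only the installer-related entries).
EVENTS = [
    r"Successfully created restore point (Process = C:\WINDOWS\Temp{060A301A-EB32-4F82-AC6C-61175ED6650A}.be\pms.exe -q -burn.elevated BurnPipe.{C391A8C2-A879-48C7-B1A3-174CE83ECA19} {4A112A8E-584C-44A6-92F2-F19818E3C19D} 11140; Description = Plex Media Server).",
    "Beginning a Windows Installer transaction: {617685F1-E82D-4F3B-9594-69DE9726C5BD}. Client Process Id: 11896.",
    "Windows Installer removed the product. Product Name: Plex Media Server. Product Version: 1.24.2973. Product Language: 1033. Manufacturer: Plex, Inc… Removal success or error status: 0.",
    "Ending a Windows Installer transaction: {617685F1-E82D-4F3B-9594-69DE9726C5BD}. Client Process Id: 11896.",
    "Beginning a Windows Installer transaction: {8E8AB16A-76C5-45A2-8B73-D0B303B19C93}. Client Process Id: 11896.",
    "Windows Installer removed the product. Product Name: Stopping Plex. Product Version: 1.24.2973. Product Language: 1033. Manufacturer: Plex, Inc… Removal success or error status: 0.",
    "Ending a Windows Installer transaction: {8E8AB16A-76C5-45A2-8B73-D0B303B19C93}. Client Process Id: 11896.",
]

# Assumption: the elevated engine is started as "-burn.elevated <pipe> <secret> <parent pid>".
BURN = re.compile(r"Process = (\S+) .*-burn\.elevated \S+ \S+ (\d+); Description = (.+)\)\.$")
BEGIN = re.compile(r"Beginning a Windows Installer transaction: (\{[0-9A-F-]+\})\. Client Process Id: (\d+)")
END = re.compile(r"Ending a Windows Installer transaction: (\{[0-9A-F-]+\})")
REMOVED = re.compile(r"Product Name: (.+?)\. Product Version: (\S+)\. .*status: (\d+)")

def burn_launches(events):
    """Restore points created by an elevated bootstrapper: (exe, parent_pid, bundle)."""
    out = []
    for e in events:
        m = BURN.search(e)
        if m:
            out.append((m.group(1).rsplit("\\", 1)[-1], int(m.group(2)), m.group(3)))
    return out

def msi_transactions(events):
    """Pair Begin/End entries by GUID and attach the removals logged in between."""
    done, current = [], None
    for e in events:
        if (m := BEGIN.search(e)):
            current = {"guid": m.group(1), "client_pid": int(m.group(2)), "removed": []}
        elif (m := REMOVED.search(e)) and current:
            current["removed"].append((m.group(1), m.group(2), int(m.group(3))))
        elif (m := END.search(e)) and current and m.group(1) == current["guid"]:
            done.append(current)
            current = None
    return done

def same_client(transactions):
    """True when every transaction was opened by one client process."""
    return len({t["client_pid"] for t in transactions}) == 1

if __name__ == "__main__":
    print(burn_launches(EVENTS))
    for t in msi_transactions(EVENTS):
        print(t)
```

The client PID and the bootstrapper's temp path are the values to compare against process-creation records, if the machine keeps any, to see which binary opened the transactions.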