Question: Executing remote (Sysinternals) command... pskill \\machine winlogon ...can budge a server that is stuck rebooting, but how/why does this work? How do you know which service to kill?

To recreate (e.g.): You run Windows Update, allow a reboot, and ...NOTHING! RDP gets cut off but the server does not reboot. Just about every other service seems to stay up.

Further Background: I've faced this problem on VMs hosted around the planet for some years, and used various sc.exe and shutdown commands to learn the state of and attempt remote reboot of servers in such a state, with limited success. Most datacentres don't offer any way to see the true console or power off/on such machines. They charge $$ for you to call them to do such simple things after hours, when you nearly always have to run your maint tasks.

e.g.

NET USE \\machine\IPC$ /USER:login password

sc \\machine query RpcSs

sc \\machine query TermService

sc \\machine query wuauserv

tasklist /s machine

This occasionally works for me...

shutdown /m \\machine /r /f /t: 0

...but more often than not it fails with: A system shutdown is in progress (1115).

I found this question, and the answer by @Tweek, and it worked really well, but was I just lucky?

Can not RDP to Win 2003 box or initiate remote restart

@Tweek said to run: pskill \\hostname winlogon

...and that got me past this situation in a new way (Server 2008 R2 in my most recent case) - really useful! I just need to understand if I got lucky or there is more science here. What I'd like to know is why the winlogon process?

@Livne said to use "tasklist /s HostName" to see what is the culprit, but how do you tell from the listed output? It's just a list of running tasks etc. From that I would not know what to look for, nor could I see anything about the winlogon process that suggested to my eyes that was the one to kill.