If you're using Windows 11, your power plan might unintentionally switch from "Balanced" to "High Performance" or another setting. This is mainly because system optimization apps or manufacturer-specific tools are changing the settings in the background. This article will show you how to use the Event Viewer to pinpoint exactly which executable file (.exe) changed your power plan.
Filtering criteria in Event Viewer
To find the history of power plan changes, check the "System" log in Event Viewer. However, since Event ID 12 can be used for other system events, it is important to specify the source as well.
Specifically, we will filter by specifying the following two points:
- Event source: UserModePowerService
- Event ID: 12
By filtering with this condition, you can extract only the logs related to changes in the power scheme.
Procedure for identifying the perpetrator
- Right-click the Start button and launch "Event Viewer".
- From the "Windows Logs" on the left side of the screen, select "System".
- Click "Filter current log" on the right side of the screen.
- Select "UserModePowerService" from the "Event Source" dropdown list and check the box.
- Enter 12 in the "All Event IDs" field and press "OK".
- Select the displayed log and check the "General" tab at the bottom.
Check the executable file from the log.
The details section contains the following information:
"process C:\Windows\System32\powercfg.exe (プロセス ID:23916) がポリシー スキーマを {381b4222-f694-41f0-9685-ff5bb260df2e} から {8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c} にリセットします」
The path following this "process" is the program whose settings were modified. Here, the response diverges into two depending on the recorded information.
Pattern A: When a specific app name is recorded directly.
This is a case where a manufacturer's management app or similar application is directly recording the data. Once you identify the problematic app, consider disabling its power management function in its settings, or uninstalling it if it's no longer needed.
Pattern B: When powercfg.exe is recorded
In the logC:\Windows\System32\powercfg.exeThis is often recorded. This is the power management command line tool that comes standard with Windows 11. If this record remains, there are mainly two possibilities.
One possibility is that the user manually executed the powercfg command from Command Prompt or PowerShell. If you recall using any tools or entering commands yourself, this is what has been recorded.
Another possibility is that an external application, rather than the OS, is secretly instructing powercfg.exe to change the power plan. This is often the case when you feel like the power plan has "changed unexpectedly." In this case, the actual culprit (the application itself) will not leave its name directly in the logs. You will need to review the settings of any optimization tools or manufacturer-specific utility software that you suspect might be causing the change.
How to find the real culprit when the log shows powercfg.exe
When the power plan changes automatically in Windows 11, the log often records powercfg.exe, but this is simply the execution command. In the previous article, I introduced a method to trace the parent process, but in some environments, the parent process may not be recorded correctly.
In such cases, a highly effective approach is to identify "suspicious apps," such as optimization tools, and directly monitor their behavior. This article explains advanced procedures for monitoring specific apps using Process Monitor.
Download and launch Process Monitor
First, obtain the tool from Microsoft's Sysinternals website.
https://learn.microsoft.com/ja-jp/sysinternals/downloads/procmon(Official page)
- Search for "Process Monitor" on a search engine and download it from Microsoft's official website.
- Downloaded ZIP fileDeploy (unzip)Yes, I will. The destination folder can be anywhere, such as the desktop.
- Located in a folder Procmon64.exe Double-click to run it.
- If "User Account Control" appears, click "Yes".
Set up filters and start monitoring.
When you launch Process Monitor, it starts recording a large amount of activity from all processes on your system. You can set filters to find only the recordings you want.
- Immediately after launching, a screen called "Process Monitor Filter" will appear. (If it doesn't appear, click Filter… from the Filter menu at the top.)
- From the dropdown list on the left, in order: Process Name と is Choose.
- Enter the executable file name of the application you want to monitor in the blank input field to the right (e.g., SwitchPowerPlan.exe Enter (etc.), and the items on the right are Include Make sure it is set to that state.
- Clicking the Add button will add the condition to the list below.
- Click OK to close the settings screen.
This will ensure that a record is only displayed on the screen when powercfg.exe is running.
You can register multiple processes to monitor.
If you have multiple apps you want to monitor, you can register them all at once. By repeating steps 3-4 (enter the executable file name of the app and press the "Add" button), you can add multiple apps to the monitoring list at the same time.
About the default check items
The items in the image that are checked by default (such as Procmon.exe and System, where Action is set to Exclude) are fine as they are. In fact, you should leave them as they are. This is a "system noise exclusion" setting that prevents the screen from being cluttered with logging operations performed by Process Monitor itself.
Finding conclusive evidence: Access to "powercfg.exe"
Register the suspicious app in the filter and press "OK" to continue monitoring. After starting monitoring, leave it for a while, and if the power plan changes on its own, check the recorded logs.
In this case, you don't need to constantly monitor the screen. The most efficient approach is to focus on checking the time recorded in the Process Monitor log for any discrepancies between the "time the power plan was changed" that you previously confirmed in the Event Viewer.
If an application runs powercfg.exe in the background to modify power settings, the log will record "CreateFile" in the "Operation" field and the path to the executable file in the "Path" field, as shown below.
C:\Windows\System32\powercfg.exe
Due to Windows specifications, when one application calls and executes another program (powercfg.exe), it always performs a "CreateFile" operation to open the target file. Therefore, if you can find logs showing the monitored application accessing the above path, it will be conclusive evidence that the application is manipulating powercfg.exe in the background.
Once you've identified the problematic app, you can prevent it from changing your power plan without your permission by turning off its automatic control features or uninstalling it.
Addressing the problematic app
Once you've identified the executable file name of the culprit from the process tree, all you need to do is check the installation folder and settings of that application. Often, the cause is a management app or optimization tool for gaming laptops, so open the settings screen of that application and turn off features like power control and automatic profile switching. If it's an unnecessary tool, uninstalling the application itself will solve the problem permanently.
Comment: