Whonix Qube restarts after being killed

I have a similar problem also with a whonix-based AppVM. But I haven’t had the chance to look more into it yet. From a security perspective, the possibility of a bug like this does sound some alarms.

Maybe worth checking on the whonix forum for similar problems?

(@abc I’ve made the title a bit more specific. Feel free to edit it back if you feel it doesn’t apply)


Thanks. Might be because two Whonix qubes connected to sys-whonix.

I’m still having this issue. Anyone else?


Yes, me.

@Registeron, please make sure you’re running a fully updated version of the operating system and then maybe try to bring it up on the Whonix forum (as I stated here), so the Whonix developers have a chance of being aware of it :)

Recently (could be that it happened since my last template update) I am having the problem that my VMs are restarting for no reason soon after I shut them down. They are successfully shut down but then just restart even if I do nothing. Why is this?
I could just wait for the next update and hope it will go away but I am afraid it could be something dangerous (a compromise).

  • all VMs or only specific one (e.g. sys-net, sys-firewall)?
  • how long did those VM run before you try to shutdown?
  • how do you shut them down?
  • what template are they based on?
  • how do you know they restart / are running?
  • are you using any testing repositories?
  • which Qubes OS release are you using (R4.0 or R4.1)?

After clicking on Shutdown, the qube turns off, and then turns on itself again. It looks like a restart. The problem appeared on 4.1

@Userif I moved your post into this thread as it seems to be about the same issue. Please answer the questions I posted above. You originally posted under “R4.1” so we know which release you are using.

@Registeron are you on R4.0 or R4.1?

I just discovered that I’m having the same issue with at least one of my qubes:

  • all VMs or only specific one (e.g. sys-net, sys-firewall)? Whonix AppVM (non-disposable)
  • how long did those VM run before you try to shutdown? various lengths of time
  • how do you shut them down? shutdown command from both the Qube Manager and from the tray
  • what template are they based on? whonix-ws-16
  • how do you know they restart / are running? Qube Manager
  • are you using any testing repositories? no
  • which Qubes OS release are you using (R4.0 or R4.1)? R4.0

Notably, if I kill the qube from the Qube Manager it does not restart.

@Registeron @ephile

I had a similar issue with sys-whonix starting automatically. I was using an alternate Tor gateway VM that was somehow triggering sys-whonix to start. This fixed it. ymmv

@Sven ephile’s answer does also apply to my case.

@necker I have created my Whonix VMs with sys-firewall as ‘Networking’. The link you’ve posted says I should use sys-whonix. Could this be the problem here? Why should I use sys-whonix?

Principle: if a qube is a dependency for another (netvm) or some system functionality (clockvm, updatevm) it will be started by the system on-demand.

Any chance you have set this qube to be e.g. the clockvm?

I tried another Whonix appVM, which I never use, and it had the same problem. Both appVMs have sys-whonix as their appVM. I fiddled around and managed to resolve the issue, so shutdown is working as normal again. I’m not sure if it was a template update, or poking around in the template root terminal and then restarting, but something appeared to reset…
@Registeron I’d be concerned about using sys-firewall as the netVM, since Whonix appVMs are designed to work only with a Tor gateway as the netVM. Seems like a recipe for trouble.

dom0$ qubes-prefs shows sys-net as the clockvm

It was worth checking, but I’m pretty sure none of my appVMs in question would need to be started by the system on-demand.

I don’t think a Whonix workstation would even work (have connectivity) when connected to any netvm that is not a Whonix gateway.

@Registeron That’s fine to have your Whonix VMs connect to sys-firewall. sys-whonix is the Qubes default Whonix gateway VM. anon-whonix is the Qubes default Whonix workstation.

Default Qubes Whonix network:

anon-whonix -> sys-whonix -> sys-firewall -> sys-net

The link I posted resolves the problem of sys-whonix autostarting when a Whonix workstation VM is connected to a Whonix gateway VM other than sys-whonix.

To clarify some of the other points raised on this thread - you can use a standard AppVM workstation (based on Debian or Fedora) connected to a Whonix gateway (based on the whonix-gw template).

However, you can’t use a Whonix workstation (based on whonix-ws template) to connect to a non-whonix netVM (for example, a Debian or Fedora-based VPN qube or sys-firewall).

Of course, it’s generally advised to use the whonix workstation and whonix gateway VMs as a linked pair. They are built to work together and should be used with little or no modification unless you are an advanced user. That includes no additional Tor browser plugins or extensive browser tweaks (with the exception of enhanced security settings such as the “safest” setting, prioritizing onion addresses, etc).

The whonix VMs work very well “out of the box” so it’s best to get used to the default settings to maximize anonymity and security.

I moved @Registeron’s thread into an older one talking about the same thing to make sure all relevant posts are in one place for later consumption by others.


I am also having this issue. It started a few days ago after using the qubes update tool.

all VMs or only specific one (e.g. sys-net, sys-firewall)?

All whonix-ws-16 based appVMs besides disposables

how long did those VM run before you try to shutdown?

Any length of time, it does not matter. The issue always occurs.

how do you shut them down?

Use the upper right blue Q button, hover over the vm, and then click shutdown

what template are they based on?

whonix-ws-16 (but disposables are able to shut down)

how do you know they restart / are running?

I get a notification that the vm is shutting down, and then right away I get a notification that the vm is starting up.

are you using any testing repositories?

Security testing only.

which Qubes OS release are you using (R4.0 or R4.1)?

4.0

I saw some people have suggested that a vm could be requiring these whonix-ws-16 based vms, which is why they restart after shutdown. But that can’t be the case, because then they would be started right away. And I can run just sys-whonix, sys-firewall, and sys-net. Nothing auto starts. But when I open a whonix-ws-16 vm, I can not shut it down after. So I think that proves no other vm is using it?
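
Added example (not part of the thread and not written by any poster): one way to check, from dom0, the on-demand start principle mentioned above, by listing which qubes name a given qube as their netvm and which global roles (clockvm, updatevm, default_netvm) it holds. The function names and the sample data are constructed for illustration; when `qvm-ls` and `qubes-prefs` are not available, the script falls back to the sample.

```sh
#!/bin/sh
# Added example: list what would make Qubes start a given qube on demand.
# Assumed input formats: "NAME|NETVM" per line (as printed by
# `qvm-ls --raw-data --fields NAME,NETVM`) and "property value" per line.

# Print every qube whose netvm is $1.
dependents_of() {
    awk -F'|' -v t="$1" '$2 == t { print $1 }'
}

# Print every global property (clockvm, updatevm, default_netvm) set to $1.
global_roles() {
    awk -v t="$1" '$2 == t { print $1 }'
}

# Constructed sample data, used when the Qubes tools are not available.
SAMPLE_QUBES='sys-net|-
sys-firewall|sys-net
sys-whonix|sys-firewall
anon-whonix|sys-whonix
my-whonix-ws|sys-firewall'
SAMPLE_GLOBALS='clockvm sys-net
updatevm sys-firewall
default_netvm sys-firewall'

# Emit the qube/netvm table from the live system (dom0) or from the sample.
qube_table() {
    if command -v qvm-ls >/dev/null 2>&1; then
        qvm-ls --raw-data --fields NAME,NETVM
    else
        printf '%s\n' "$SAMPLE_QUBES"
    fi
}

# Emit the global role table from the live system (dom0) or from the sample.
global_table() {
    if command -v qubes-prefs >/dev/null 2>&1; then
        for p in clockvm updatevm default_netvm; do
            printf '%s %s\n' "$p" "$(qubes-prefs "$p")"
        done
    else
        printf '%s\n' "$SAMPLE_GLOBALS"
    fi
}

report() {
    echo "qubes using $1 as netvm: $(qube_table | dependents_of "$1" | tr '\n' ' ')"
    echo "global roles held by $1: $(global_table | global_roles "$1" | tr '\n' ' ')"
}

report "${1:-sys-whonix}"
```

Pass the name of the qube that keeps restarting as the first argument; two empty lists mean that neither a netvm setting nor one of the three global roles points at it.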