In this blog post, we’ll explore how to determine who restarted or shut down a Windows server. When a server is unexpectedly restarted during production hours and a P1 ticket is raised, it’s crucial to identify the reason behind the restart.
The cause could be an automatic restart triggered by a Windows update, a software component update, or a manual restart by an IT administrator. We can uncover these details by using Event Viewer. Let’s dive in and identify the root cause.
Steps
Below are the steps to identify the user account or service that may have triggered the restart of a Windows server. First, login on the server and follow below steps:
- Press Windows + R keys to open the Run dialog box.
- Type
eventvwr
and press Enter to open Event viewer console. - Expand Windows logs > System and right-click on it > Select Filter Current log…
- Type 1074 in the Event ID filter and press OK.
- You will find the list of all Events w.r.t. server restart. Go through each Event and check its details to find out which process and user account triggered server restart.
Below screenshot shows the process SystemSettingsAdminFlows.exe
initiated power off on behalf of user Techpress\tpadmin1.
Event ID Details
The process C:\Windows\system32\SystemSettingsAdminFlows.exe (TECHPRESSSVR221) has initiated the power off of computer TECHPRESSSVR221 on behalf of user TechPress\tpadmin1 for the following reason: Other (Unplanned)
Reason Code: 0x5000000
Shutdown Type: power off
Comment:
Use Powershell to find Who Restarted the Server
You can also check Windows Events using Powershell cmdlet. The cmdlet we will use is Get-WinEvent
and Get-EventLog
.
Get-WinEvent
Get-WinEvent -FilterHashtable @{logname="System";id=1074} | Select TimeCreated,Id,Message | ft -Wrap
Check Last 5 Events for Server restart with Information about the Date, Reason, Process and User details.
Get-EventLog -LogName System |
Where-Object { $_.EventId -eq 1074 } |
Select-Object -First 5 |
ForEach-Object {
if ($_.ReplacementStrings[4]) {
[pscustomobject]@{
EventDate = $_.TimeGenerated
InitiatingUser = $_.ReplacementStrings[6]
RelatedProcess = $_.ReplacementStrings[0]
ActionTaken = $_.ReplacementStrings[4]
ShutdownReason = $_.ReplacementStrings[2]
}
}
} | Select-Object EventDate, ActionTaken, ShutdownReason, InitiatingUser, RelatedProcess | Format-Table
Event ID 6008
If you do not find relevant event logs using Event ID 1074, please check for Event ID 6008 as well. This Event ID is generated when an unexpected shutdown of the server occurs.
Read Next
Discover more from TechPress
Subscribe to get the latest posts sent to your email.