Who Shutdown my OS?

By NadelOwesYou530
I am running three Windows Server OS's: Windows NT Server 4.0, Windows Server 2000, and Windows Server 2003.

I have a remote machine that shuts down on occasion without a system event ID of 6008 (Unexpected Shutdown). This makes me believe that a user is shutting down the machine without authorization.

Is there a way to determine when that shutdown command was given and which user shut down the PC?

Any advice will be much appreciated. Thank You!

Unexpected Shutdown

by NormH3 In reply to Who Shutdown my OS?

Unexpected Shutdowns are usually caused by environmental issues. Either loss of 120v or a power supply could be your culprit.

I agree....

by ---TK--- In reply to Unexpected Shutdown

That's the error we get when a server BSODs... and event logs show just about nothing except for that and usually after it, it shows how long the server was.... If you have an HP management utility or Dell utility, it might show what caused the crash...

by Wizard-09 In reply to Who Shutdown my OS?

In order for anyone to shut down the server, they would need to be admins on the local machine (the server which they are shutting down). They would also need access to the cmd prompt to send the command shutdown -i to get the shutdown interface. How many users have full admin rights to the server or domain?

Keep us informed as to your progress if you require further assistance.

If you think that any of the posts that have been made by all TR Members, have solved or contributed to solving the problem, please Mark them as Helpful so that others may benefit from the outcome.

Change the password to the computer in question....

by Peconet Tietokoneet In reply to Who Shutdown my OS?

And then see who phones up and asks for access to the computer. :)

Further Information

by NadelOwesYou530 In reply to Who Shutdown my OS?

I thank you all for replying with these suggestions!

This server stays constantly logged in with a user that has local administrator rights. Unfortunately, there is no way to change the account or the password. This user is required for the software on the machine to run.

The individuals who reported this problem have yet to see a BSOD. My experience with BSOD shows that the machine will either freeze with the BSOD on screen or reboot. In this case, neither of these results is occurring.

I have reported shutdowns over a two month period and the machine is off until someone turns it back on. The shutdowns happen during either night-shift or on Fridays.

This is a Dell server with Open Manage Server Administrator installed. The logs only show chassis intrusion detection. All hardware checks out as far as Dell diagnostics are concerned. The machine is plugged into a UPS that is also used by other PCs. These PCs are not experiencing the same shutdowns and the UPS is not showing any errors or predicted power/battery failures.

These results have led me to believe that I have a user shutting down the machine. This is why I was wondering if there is any way to determine who gave the shutdown command to the computer. Even if it is this single user, it would still allow me to explain that the machine, itself, is in good condition.

Kindly advise.

Since you can see in the logs, see if the person in question....

by Peconet Tietokoneet In reply to Further Information

that has full access, see if the time of the shutdown is related to the time that he/she spends logged into the server. Print out the log sheets and have a good look. Is there a certain time it shuts off? When the server goes down (shuts off) and returns to normal, is the person still logged on or has he/she logged off?

If the user is shutting it down...

by cmiller5400 In reply to Further Information

Then it would say so. Unexpected shutdown means loss of power, blue screen. A shutdown command will be logged. If the user is pressing and holding the power button, it probably is not logged (i.e. unexpected shutdown).

I had one server that was doing this. Would just be off at random times. No logs were of any help. Come to find out the battery in the UPS was bad and every time it would switch to battery it would shut the machine down hard. The server next to it on the same UPS was fine, it just must have been more picky.

"UPS was bad", you have a good point there.....

by Peconet Tietokoneet In reply to If the user is shutting i ...

"UPS was bad and every time it would switch to battery it would shut the machine down hard".
A very good point indeed.

6008 event log Unexpected Shutdown...

by Chris029 In reply to Who Shutdown my OS?

I have a Windows 2000 server, and at 8:40PM on 6/18/09 it started to randomly shut down at times, mostly at night when the machine was quiet. I did find in the registry a time and it looked to be the schedule for the next shutdown. There is a Microsoft patch that changes the wording of the power off, so they do know about the problem. In my case the server has a password protected screensaver, so when the poweroff happens it does not take into account that screensaver password security is going to cause a problem. So I get 1 extra error besides the normal eventlog off, then eventlog on.

I am still tracking down the culprit who stops and restarts my server. We have video monitoring of our server racks and no one is around to hit the reset or power button. I would not rule out remote connections but I have started to log more security events for the server.

Power problems could be tested by telling the BIOS not to automatically restart after power off. You would have to monitor the server closely and often to catch it in its dead state. If this happened you are looking at a power cord, power supply, outlet machine is plugged into, although we have other machines on the same UPS outlets, motherboard error, heating or cooling, or runaway software problems.

I have been on many sites and Windows 2000 Server is shutting down en masse. I still am looking to the software on the machine just because of the amount of posts there are about this problem. We all can't have failing power supplies?? Also taking the password from the screensaver and not having the monitor sleep would also be an indication-- theoretically you should not receive the 6008 unexpected error. Thanks.
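The distinction drawn in the replies above (a requested shutdown is logged, a 6008 means the system went down without one, and a normal cycle shows "eventlog off, then eventlog on") can be checked mechanically against an exported System log. This is an added example, not code from any poster in the thread: the pipe-delimited export format, host name and account name are constructed, and it assumes event IDs 6006/6005 for the Event Log service stopping/starting and 1074 for a USER32 shutdown request, which Windows Server 2003 logs but older systems may not.

```python
from datetime import datetime

# Constructed sample export: "timestamp|source|event_id|user|message" per row.
SAMPLE = """\
2009-06-12 22:41:07|USER32|1074|SERVER1\\svc_app|shutdown initiated, type: power off
2009-06-12 22:41:30|EventLog|6006|N/A|The Event log service was stopped.
2009-06-13 07:02:11|EventLog|6005|N/A|The Event log service was started.
2009-06-19 23:15:44|EventLog|6006|N/A|The Event log service was stopped.
2009-06-20 06:58:03|EventLog|6005|N/A|The Event log service was started.
2009-06-24 08:10:52|EventLog|6005|N/A|The Event log service was started.
2009-06-24 08:10:52|EventLog|6008|N/A|The previous system shutdown was unexpected.
"""

STOPPED, STARTED, UNEXPECTED, INITIATED = 6006, 6005, 6008, 1074

def classify_shutdowns(text):
    """Return one (when, kind, user) tuple per shutdown found in the export."""
    results, stop_time, initiator = [], None, None
    for line in text.strip().splitlines():
        ts, _source, event_id, user, _msg = line.split("|", 4)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        event_id = int(event_id)
        if event_id == INITIATED:
            # A shutdown request names the account that issued it.
            initiator = user
        elif event_id == STOPPED:
            # The Event Log service only stops during an orderly shutdown.
            stop_time = when
        elif event_id == STARTED and stop_time is not None:
            # Boot that follows an orderly stop: a clean shutdown happened.
            kind = "requested" if initiator else "clean, initiator not logged"
            results.append((stop_time, kind, initiator))
            stop_time, initiator = None, None
        elif event_id == UNEXPECTED:
            # 6008 is written at the next boot, so 'when' is the report time,
            # not the moment the machine went down.
            results.append((when, "unexpected", None))
            stop_time, initiator = None, None
    return results

if __name__ == "__main__":
    for when, kind, user in classify_shutdowns(SAMPLE):
        print(when, kind, user or "-")
```

A result of "clean, initiator not logged" matches the original poster's situation: the machine went down in an orderly way with no 6008, but the log alone does not name the account.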

