Finding out why Windows restarted unexpectedly.

Short Article on finding out why your server restarted. If your lucky its one of the following Events in the Event Viewer. Those are normally not a major problem. let me be clear to say if your system is just crashing, you may not find any of these events. The bright spot is if you do see one of these events, you may get a direction on what to do next.

The events I tend to miss are the ones below. They are instances where the server restarts because of an install, firmware update, or Battery Voltage issue. If you find a restart event, other then these, please send it along. I would like to keep an accurate list.  I dont mean an AD or Exchange Server restart. I just mean restarts of windows that would normally be unexpected. These are pretty well documented below:

Event 1074- or 1076 System or Application log
Event 6008 or Event 6006 or 6009 or 6013 System or Application log
Source of – USER32 in the System or Application log
Event 41 in the system log
event 4609 in security log

Finally, you can look for Changes in progress:

  1. To see a pending reboot- Check C:\Windows\WinXsx\ Search for pending.* – pending.xml is a pending reboot.

2. To see if you have a current pending reboot check: look for PendingRenameFileOperations

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

3. Search for UpdateExeVolatile in the registry. if its set to 0 there is nothing being installed. You can set it to 0 but be aware of what you are installing and why you would do that.

4. the registry key would be at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates

5. Look for the In Progress Key located at – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer – If Deleted the Installer stops trying to install.

 

There are some other things you can check. For example Search any involved applications to see if they have idea. Here is an example of Symantec Guidance.  There are even scripts out there to test for pending reboot. Check out some example and be cautious if you dont do scripting.

 

I hope this helps someone- Good luck out there

Louis

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s