Solved

Windows 7 Shutdown Tracking?

Posted on 2014-09-30
Last Modified: 2014-10-07
At a site there is a user complaining that the Windows 7 machine they are using reboots periodically throughout the day (usually when they are out to lunch). Is there some way, perhaps through extended logging to the event logs or some type of Windows 7 Shutdown Event Tracker, that one could track the frequency of the shutdowns as well as the cause of the shutdown? In other words, if a GPO or Windows Update caused the shutdown have it detail that, or if there was a user-initiated interactive Shut Down from the Start Button to log and detail that as well? If the Event Logs and Auditing can be used for this, what specific Auditing features must be enabled and what events should be tracked in the Event Logs (assuming the System Event Log)? TIA
Question by:LGroup1
9 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
I would first look in Windows Event Viewer at the time when the restart occurs and see what errors are there.

Second, look in Action Center, Maintenance, Review Reliability History. What errors are occurring when the restart occurs?

Are there updates waiting to occur? Check Windows Update.

So first, use the tools Windows has, see what they say and then let's go from there.
 
LVL 24

Expert Comment

by:Mohammed Khawaja
Run the following PowerShell scripts:

    get-eventlog -logname system -message "*restart*" | out-file restart.txt
    get-eventlog -logname system -message "*shutdown*" | out-file shutdown.txt

Analyze the content of both files to see what might be the cause.
 
LVL 8

Assisted Solution

by:Acosta Technology Services
Acosta Technology Services earned 166 total points
There are a couple of options for this:

To log shutdown and startup times you can watch for 6006 which is the event log shutting down.  6005 will be logged when the event log service starts back up.

Using a basic remote tool like TurnedOnTimesView can show you exact shutdown and startup times for a remote PC on your network.  This doesn't provide detailed information, but can give you quick access to the information.


This won't give you the ability to see who/what caused the shutdown, but it's the first step in getting there.
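
An added example, not part of the answer above: a PowerShell function that pairs the 6006 (Event Log service stopped) and 6005 (Event Log service started) records into a shutdown/startup timeline. It also handles event 6008, which the thread does not mention and which the Event Log service writes at boot when the previous shutdown was unexpected; the function name and the sample records are constructed for illustration.

```powershell
# Added example (not from the thread). 6005/6006 are the IDs named in the answer
# above; 6008 (previous shutdown was unexpected) is an addition.
function Get-ShutdownTimeline {
    param([Parameter(Mandatory = $true)] [object[]] $Events)

    $lastCleanStop = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        switch ($e.Id) {
            6006 { $lastCleanStop = $e.TimeCreated }   # Event Log service stopped cleanly
            6008 {                                     # written at boot after a crash or power loss
                New-Object PSObject -Property @{ Time = $e.TimeCreated; Kind = 'UnexpectedShutdown'; DownMinutes = $null }
            }
            6005 {                                     # Event Log service started: machine is up again
                $down = $null
                if ($lastCleanStop) {
                    $down = [math]::Round(($e.TimeCreated - $lastCleanStop).TotalMinutes, 1)
                }
                # DownMinutes stays empty when no clean stop preceded this startup
                New-Object PSObject -Property @{ Time = $e.TimeCreated; Kind = 'Startup'; DownMinutes = $down }
                $lastCleanStop = $null
            }
        }
    }
}

# Constructed sample records, so the pairing logic can be checked without a live log.
$sample = @(
    New-Object PSObject -Property @{ Id = 6006; TimeCreated = [datetime]'2014-09-29 12:03:10' }
    New-Object PSObject -Property @{ Id = 6005; TimeCreated = [datetime]'2014-09-29 12:05:40' }
    New-Object PSObject -Property @{ Id = 6008; TimeCreated = [datetime]'2014-09-30 12:20:05' }
    New-Object PSObject -Property @{ Id = 6005; TimeCreated = [datetime]'2014-09-30 12:20:06' }
)
Get-ShutdownTimeline -Events $sample | Select-Object Time, Kind, DownMinutes | Format-Table -AutoSize

# On the affected PC, feed it the real System log instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006, 6008 }
# Get-ShutdownTimeline -Events $live | Select-Object Time, Kind, DownMinutes | Format-Table -AutoSize
```

With the sample records, the first startup shows 2.5 minutes of downtime after a clean stop, and the second shows an unexpected shutdown followed by a startup with no downtime figure.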
 
LVL 24

Accepted Solution

by:
Mohammed Khawaja earned 167 total points
Modify the script to the following to get more details:

    # fl * (Format-List *) prints every property of each matching event
    get-eventlog -logname system -message "*restart*" | fl * | out-file restart.txt
    get-eventlog -logname system -message "*shutdown*" | fl * | out-file shutdown.txt

 

Author Closing Comment

by:LGroup1
All great answers, thanks all !
 
LVL 5

Expert Comment

by:Sir Learnalot
There is a registry tweak that enables Shutdown Tracking for Windows 7 (the feature in Windows Server). Would this help? If so, enable shutdown tracking by following these steps:

Using Group Editor:
Type gpedit.msc in start search and hit Enter

Click on Computer Configuration -> Administrative Templates -> System -> Double-click the  "Display Shutdown Event Tracker" policy. Select "Enabled" and pick "Always" from the drop down menu.

If you enable this setting and choose “Always” from the drop-down menu, the Shutdown Event Tracker is displayed when you shut down.

If you don't configure this setting, the default behavior for the Shutdown Event Tracker occurs; it is only displayed on the Windows Server family.

Using the Registry Editor

Type regedit in start search and hit Enter

Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability

Double click on each of the following values and change them to 1.

    ShutdownReason
    OnShutdownReasonUI

Done :) You now have a dialogue box prompting for a reason for shutdown and a log where this is all tracked every time a shutdown is commenced.
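
An added example, not part of the post above: shutdown requests, including the reason and comment entered in the Shutdown Event Tracker dialog, are recorded in the System log as event 1074 (source User32) together with the process and user that asked for the shutdown. The event ID, the field order and the function name are assumptions not taken from the thread, and the sample record is constructed.

```powershell
# Added example, not from the thread. Event 1074 (source User32) and the
# insertion-string order used below are assumptions not stated on the page.
function ConvertTo-ShutdownRecord {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Record)
    process {
        $p = $Record.Properties
        New-Object PSObject -Property @{
            Time       = $Record.TimeCreated
            Process    = $p[0].Value   # executable that requested the shutdown
            Reason     = $p[2].Value   # reason title, e.g. chosen in the tracker dialog
            ReasonCode = $p[3].Value
            Type       = $p[4].Value   # restart or power off
            Comment    = $p[5].Value   # free text typed into the tracker dialog
            User       = $p[6].Value   # account the request was made on behalf of
        }
    }
}

# Constructed sample record shaped like a Get-WinEvent result.
$fields = 'C:\Windows\system32\shutdown.exe (PC-01)', 'PC-01', 'Other (Planned)',
          '0x85000000', 'restart', 'lunch-time patch reboot', 'PC-01\jdoe'
$sample = New-Object PSObject -Property @{
    TimeCreated = [datetime]'2014-09-30 12:20:00'
    Properties  = @($fields | ForEach-Object { New-Object PSObject -Property @{ Value = $_ } })
}
$columns = 'Time', 'User', 'Process', 'Type', 'Reason', 'ReasonCode', 'Comment'
$sample | ConvertTo-ShutdownRecord | Select-Object $columns | Format-List

# Against the real System log, counting restarts per requesting process and user:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } |
#     ConvertTo-ShutdownRecord | Group-Object Process, User | Select-Object Count, Name
```

Grouping by process and user separates restarts requested by a service account from ones a logged-on user started interactively.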
 
LVL 90

Expert Comment

by:John Hurst
@LGroup1  - Thank you and I was happy to help.
 
LVL 5

Expert Comment

by:Sir Learnalot
Wow lol, by the time I finished writing my answer you have like 5 answers above me. Hope you got it done!
 

Author Comment

by:LGroup1
Sorry I missed that one before I closed the post, Sir Learnalot.