Solved

Windows 7 Shutdown Tracking ?

Posted on 2014-09-30
9
231 Views
Last Modified: 2014-10-07
At a site there is a user complaining that the Windows 7 machine they are using reboots periodically throughout the day (usually when they are out to lunch). Is there some way, perhaps through extended logging to the event logs or some type of Windows 7 Shutdown Event Tracker that one could track the frequency of the shutdowns as well as the cause of the shutdown ? In other words, if a GPO or Windows Update caused the shutdown have it detail that, or if there was a user-initiated interactive Shut Down from the Start Button to log and detail that as well ?  If the Event Logs and Auditing can be used for this, what specific Auditing features must be enabled and what events should be tracked in the Event Logs (assuming the System Event Log) ?  TIA
0
Comment
Question by:LGroup1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 40352034
I would first look in Windows Event Viewer at time when the restart occurs and see what errors are there.

Second, look in Action Center, Maintenance, Review Reliability History. What errors are occurring when the restart occurs.

Are there updates waiting to occur?  Check Windows Update.

So first, use the tools Windows has, see what they say and then let's go from there.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40352036
Run the following powershell scripts:

get-eventlog -logname system -message "*restart*" | out-file restart.txt
get-eventlog -logname system -message "*shutdown*" | out-file shutdown.txt

Analyze the content of both files to see what might be the cause.
0
 
LVL 8

Assisted Solution

by:Acosta Technology Services
Acosta Technology Services earned 166 total points
ID: 40352041
There are a couple of options for this:

To log shutdown and startup times you can watch for 6006 which is the event log shutting down.  6005 will be logged when the event log service starts back up.

Using a basic remote tool like TurnedOnTimesView can show you exact shutdown and startup times for a remote PC on your network.  This doesn't provide detailed information, but can give you quick access to the information.


This won't give you the ability to see who/what caused the shutdown, but it's the first step in getting there.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 25

Accepted Solution

by:
Mohammed Khawaja earned 167 total points
ID: 40352044
Modify the script to following to get more details:

get-eventlog -logname system -message "*restart*" | fl* | out-file restart.txt
get-eventlog -logname system -message "*shutdown*" | fl* | out-file shutdown.txt
0
 

Author Closing Comment

by:LGroup1
ID: 40352060
All great answers, thanks all !
0
 
LVL 6

Expert Comment

by:Sir Learnalot
ID: 40352065
There is a registry tweak that enables Shutdown Tracking for Windows 7 (the feature in Windows Server). Would this help? If so, enable shutdown tracking by following these steps:

Using Group Editor:
Type gpedit.msc in start search and hit Enter

Click on Computer Configuration -> Administrative Templates -> System -> Double-click the  "Display Shutdown Event Tracker" policy. Select "Enabled" and pick "Always" from the drop down menu.

If you enable this setting and choose “Always” from the drop-down menu, the Shutdown Event Tracker is displayed when you shut down.

If you don't configure this setting, the default behavior for the Shutdown Event Tracker occurs; it is only displayed on the Windows Server family.

Using the Registry Editor

Type regedit in start search and hit Enter

Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability

Double click on each of the following values and change them to 1.

    ShutdownReason
    OnShutdownReasonUI

Done :) You now have a dialogue box prompting for a reason for shutdown and a log where this is all tracked every time a shutdown is commenced.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40352068
@LGroup1  - Thank you and I was happy to help.
0
 
LVL 6

Expert Comment

by:Sir Learnalot
ID: 40352069
wow lol by the time i finished writing my answer you have like 5 answers above me. Hope you got it done!
0
 

Author Comment

by:LGroup1
ID: 40365734
Sorry I missed that one before I closed the post Sir Learnalot,
0

Featured Post

MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question