jkeegan123

asked on

Windows Server 2003 - Shutdown Reason / "Whodunnit" after logs have been cleared

Hello,

I have a Windows 2003 server that has been rebooted outside of our normal authorization schedule, and I need to figure out who did the rebooting.

The thing is, whoever did it cleared the SYSTEM LOG and SECURITY LOG.  The APP LOG and other logs are still intact.  This server is a terminal server that is accessible by all users, but only admins are allowed to reboot... and all admins are denying that they did this, so we are trying to get to the bottom of WHO did this.

I do know exactly what time this happened, so if there are any other logs that I might check to see WHO logged in or the last person that was logged in when the server was rebooted, that would be great.  The one surviving log (APPLOG) does not have anything that would let us know which user was logged in or who performed the reboot.

Help is appreciated, thanks!
ASKER CERTIFIED SOLUTION
Rob G
v_2abhis2

If the logs were cleared in Windows 2003, an event ID 517 gets generated in the audit logs.

Example:

The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: ACME
Client Logon ID: (0x0,0x3F5C9)

And in Windows 2008, event ID 1102 gets generated:

The audit log was cleared.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Domain Name: WIN-R9H529RIO4Y
Logon ID: 0x169e9
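The two messages above differ in layout but carry the same fact: the account that cleared the log. Because Windows writes the "audit log was cleared" event into the Security log immediately after emptying it, that event survives the clear it records and is normally the oldest entry left in the log. The script below is an added example, not code from this thread or from either poster. It assumes PowerShell 2.0 (installable on Windows Server 2003 SP2) and an elevated session, since Get-EventLog needs admin rights to read the Security log; the function names and the -ComputerName default are my own. It handles both the 2003 (517) and the 2008+ (1102) formats, so it goes slightly beyond the answer's single case.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0 (installable on
# Windows Server 2003 SP2) and a session with admin rights, which Get-EventLog needs
# to read the Security log. Function names and the -ComputerName default are mine.

function ConvertFrom-LogClearedMessage {
    # Normalise both message layouts into one record. Windows 2003 (event 517)
    # names the real caller in "Client User Name"/"Client Domain" (the "Primary"
    # fields are the Event Log service itself, running as SYSTEM); Windows 2008+
    # (event 1102) names it under "Subject:" as "Account Name"/"Domain Name".
    param([string]$Message)

    $user = $null; $domain = $null; $logonId = $null
    if ($Message -match 'Client User Name:\s*(?<u>\S+)') {
        $user = $Matches['u']
        if ($Message -match 'Client Domain:\s*(?<d>\S+)')   { $domain  = $Matches['d'] }
        if ($Message -match 'Client Logon ID:\s*(?<l>\S+)') { $logonId = $Matches['l'] }
    }
    elseif ($Message -match 'Account Name:\s*(?<u>\S+)') {
        $user = $Matches['u']
        if ($Message -match 'Domain Name:\s*(?<d>\S+)') { $domain  = $Matches['d'] }
        if ($Message -match 'Logon ID:\s*(?<l>\S+)')    { $logonId = $Matches['l'] }
    }
    New-Object PSObject -Property @{ User = $user; Domain = $domain; LogonId = $logonId }
}

function Get-LogClearedBy {
    # Pull every "audit log was cleared" event from the Security log. The clear
    # event is written into the freshly emptied log, so it is normally the oldest
    # surviving Security entry and outlives the clear that it records.
    param([string]$ComputerName = '.')
    Get-EventLog -LogName Security -ComputerName $ComputerName |
        Where-Object { $_.EventID -eq 517 -or $_.EventID -eq 1102 } |
        ForEach-Object {
            $who = ConvertFrom-LogClearedMessage $_.Message
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                EventID = $_.EventID
                Domain  = $who.Domain
                User    = $who.User
                LogonId = $who.LogonId
            }
        }
}

# Offline check against the two message bodies quoted in the answer above
# (constructed here from that text; the machine name and domain are the answer's).
$msg2003 = @"
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: ACME
Client Logon ID: (0x0,0x3F5C9)
"@
$msg2008 = @"
The audit log was cleared.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Domain Name: WIN-R9H529RIO4Y
Logon ID: 0x169e9
"@
ConvertFrom-LogClearedMessage $msg2003
ConvertFrom-LogClearedMessage $msg2008

# Live query on the box that was rebooted; run elevated.
Get-LogClearedBy | Sort-Object Time | Format-Table Time, EventID, Domain, User, LogonId -AutoSize
```

Two things to keep in mind when reading the result: the Client fields (2003) or the Subject block (2008+), not the SYSTEM primary, identify the person; and the Logon ID is the handle to correlate with that person's logon session if other records of it survive. If the clear event itself is missing, the Security log has been overwritten or cleared again since, and the most recent clear event is the one to look for.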