Windows Server 2003 - Shutdown Reason / "Whodunnit" after logs have been cleared
Posted on 2014-12-16
I have a Windows 2003 server that has been rebooted outside of our normal authorization schedule, and I need to figure out who did the rebooting.
The thing is, whoever did it cleared the SYSTEM LOG and SECURITY LOG. The APP LOG and other logs are still intact. This server is a terminal server that is accessible by all users, but only admins are allowed to reboot... and all admins are denying that they did this, so we are trying to get to the bottom of WHO did this.
I do know exactly what time this happened, so if there are any other logs that I might check to see WHO logged in or the last person that was logged in when the server was rebooted, that would be great. The one surviving log (APPLOG) does not have anything that would let us know which user was logged in or who performed the reboot.
Help is appreciated, thanks!