
What happens when you right-click on Start > choose Shutdown in Server 2012?

Hi techs,
I can't find anything online re: what happens when you right-click on Start > choose Shutdown in Server 2012.
Do you get the box that forces you to choose a reason?
Does the server just shutdown?
etc...
Asked by: Mark O'Brien

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
Depends on the settings. The default for server 2012 is to prompt for a reason.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
We set to prompt admin to make a choice.

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
Sounds good. Do you have any more questions?

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
Yes. This server suddenly shut itself down while I was moving files. Now mgmt wants to know why I shut it down, but I didn't touch it. How can I prove that?

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
You should look through the event log. It should show you if it was a graceful shutdown or if it was unexpected. It will also show you bugcheck info if it was a BSOD.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
So far admin says "it shows you shut it down"

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
Does anyone else have access to your credentials? The event log doesn't make stuff up so your user restarted the computer. :-/

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
Well, it's a Hyper-V soooo who knows. I certainly did not restart that server. I would have had to go through the restart menu and everything, which I did not do.

akosinoah commented:
I suspect malware has entered the server, or existing applications running on the Server 2012 machine might be causing the issue.

Can you give further details on what applications are running, and have you checked the Event Viewer?

Also, have you checked the Task Manager processes to see if there are any abnormalities or unknown services interrupting?

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
Ok. The Admin says he checked the server and the only thing he saw is that it shut down while I was logged in. I don't have access to what other apps were running. If there were unknown services running, I'm sure the Server admin would've mentioned that.
This is really odd.

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
There are events recording the information, as I said. It will tell you if the shutdown was unexpected or if someone shut it down (event source is "eventlog") and also if there was a BSOD (event source is "bugcheck"). Look for those events to track down the issue.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
I think management is looking into this more.  I want to keep this open.  I KNOW I did not click four times into a shutdown menu and shut it down.  I was not even in the same room when it shut off.  It's scary, b/c it certainly could happen again!

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
If you have access to the system event log, you could look through it for the events and point them out to the admin.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
Wait, what would I search in the Event log again?

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
In the system event log, filter by the time of the shutdown (maybe 30 mins before and 30 mins after...) and by event source "eventlog" and "bugcheck". If there are two sources called "Eventlog", I check them both.

Then go through each entry. It should show if there was a shutdown initiated and who initiated it. It will also show boot time and if the shutdown was unexpected. If the shutdown was unexpected that means something went wrong like a crash, BSOD, loss of power, etc. If there was a BSOD, you'll see a bugcheck event with the stop codes.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
Ok, I have these files from Event Viewer... Which is the right one?
Application.evtx
LocaleMetaData
ForwardedEvents.evtx
RemoteDesktopServices-RdpCoreTS.evtx
RemoteDesktopServices-SessionServices-Operational.evtx
Security.evtx
Setup.evtx
System.evtx

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
Use the Event Viewer.
1. Expand the logs and select System.
2. Click on Filter Current Log.
3. Choose the time range that the server rebooted. 5 mins before and after should be plenty. Expand the time range if you're not certain what time the reboot occurred.
4. Choose bugcheck and eventlog as the sources.

[Screenshot: eventviewer.png]

Then go through the results looking for the events I pointed out. :)

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
All I can get are those files I listed. I think they're the saved EV files, aren't they?

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
You can open those files in event viewer. Are they saved from that timeframe of the reboot? If so then the system file should contain the events. If not you should just view the system events of the server.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
I've opened the "System" one and am looking for time 12:50 pm but don't see anything unusual.

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
If you followed my instructions and are not seeing the events then I guess you'll have to wait to see what the admin says.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
Wait I found this. User32 1074

The process C:\Windows\system32\winlogon.exe (servername) has initiated the power off of computer servername on behalf of user domain\username for the following reason: No title for this reason could be found
 Reason Code: 0x500ff
 Shutdown Type: power off

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
If that event is about the same time as the server reboot in question then the user listed is the one that initiated the shutdown.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
But I was in the restroom. There's no way I could've shut it down. I would have had to "accidentally" click FOUR times to shut it down. There's just no way.

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
I take it by your response that your username is in the event. Either you or someone else using your credentials (or walking up to your computer) shut down/rebooted the computer.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
Nope.  Nobody here touched anything while I was logged in.

Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
The walking up to computer was just an example. Either way, the event logs are saying that your user initiated the shutdown. There's no way around that.

Back to your initial question, what I said earlier is true about the defaults. But that is only if you initiate the shutdown as you said. If you're really wondering what are the ways you can shutdown a server then the answer is quite different.

It is possible to initiate a shutdown using the command line or PowerShell, and that wouldn't give any prompt.
You can also initiate a shutdown remotely. Again, no prompt for that.
And there's the possibility that a program (like an installer) or Windows itself would initiate a reboot. But there are usually prompts for them, though they would be different prompts.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
Would there be any log of the cmd line, PS shutdown, or Windows installer?  There has to be some explanation.
This is why I asked the original question though. I thought maybe I accidentally hit shutdown.  But that's not even possible b/c I would've had to have gone through the entire shutdown menu and I know I didn't do that.

DrDave242 commented:
It wouldn't hurt to change the password on your account. If the shutdown was performed by another user with access to your account, changing the password should at least slow them down. If it was performed by a service or automated process running under your account, changing the password should cause that service or process to be unable to function until its credentials are updated.

Regardless of whether it's a user or process, changing the password will cause logon failures to appear in the Security log (unless it's a user and they never again attempt to log in with your credentials). Those events can be quite useful in tracking down what's going on.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
What happens during a pwr outage?

David Johnson, CD, MVP, Owner, commented:
If you walked away without locking the computer ANYONE could have initiated the shutdown

DrDave242 commented:
"What happens during a pwr outage?"

If the server is not plugged into a working UPS, it won't shut down in an orderly fashion in the event of a power outage. The logs won't show anything at all when it happens, for obvious reasons. You'll see an abnormal shutdown event (error 6008) in the System log the next time it powers up, and you'll likely see Kernel-Power critical event 41 as well. Abnormal shutdowns are unmistakable; Windows puts very clear events in the log when they occur, because a server losing power is something an admin will certainly want to know about.

If the server is plugged into a working UPS, it may not go down at all during a power outage, if the outage is short. During a long outage, the UPS should shut the server down in an orderly fashion, which will look in the logs like any other normal shutdown.
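
The filter steps Jeremy Weisinger gives earlier and the event IDs named in the answer above (User32 1074, 6008, Kernel-Power 41) can be applied to a saved System.evtx in one pass. This is an added PowerShell example, not part of the original thread; the file path, the 12:50 incident time, and the extra IDs 6005, 6006 and 1001 are assumptions.

```powershell
# Added example (not from the thread): list shutdown-related events from a
# saved System log. Path and incident time are assumed placeholders.
param(
    [string]$EvtxPath = '.\System.evtx',
    [datetime]$IncidentTime = (Get-Date '12:50'),  # placeholder: today at 12:50
    [int]$WindowMinutes = 30
)

# 1074, 6008 and 41 are the IDs named in the thread; 6005/6006 and 1001 are
# added here to show boot time, orderly log shutdown and bugcheck details.
$meaning = @{
    1074 = 'Shutdown/restart requested; message names the process and user'
    6006 = 'Event log service stopped (orderly shutdown)'
    6005 = 'Event log service started (boot)'
    6008 = 'Previous shutdown was unexpected'
    41   = 'System rebooted without cleanly shutting down'
    1001 = 'Bugcheck (BSOD) recorded'
}
$sources = 'User32', 'EventLog', 'Microsoft-Windows-Kernel-Power',
           'Microsoft-Windows-WER-SystemErrorReporting', 'BugCheck'

$filter = @{
    Path      = $EvtxPath
    Id        = 1074, 6005, 6006, 6008, 41, 1001
    StartTime = $IncidentTime.AddMinutes(-$WindowMinutes)
    EndTime   = $IncidentTime.AddMinutes($WindowMinutes)
}

# Filter by provider after the query so unrelated events that reuse an ID are dropped.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -in $sources } |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Output "No shutdown-related events within $WindowMinutes minutes of $IncidentTime."
    return
}

$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Source  = $_.ProviderName
        Meaning = $meaning[$_.Id]
        Message = $_.Message
    }
} | Format-List
```

A 1074 entry followed by 6006 points to a requested, orderly shutdown, and its message names the initiating process and user as in the event quoted in the thread. A 6008 or Kernel-Power 41 entry after the next boot with no preceding 1074 points to a crash or power loss.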

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
Huh. So odd. I work in a secure area. No way anyone would have done anything. There's got to be an explanation. I know the VPN connection was up and down, though.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
It would be very difficult to "accidentally" click 4-5 times within the Shutdown menu. There's just no way.

Jackie Man commented:
The best practice is to log off from your user account when you go to the toilet.

David Johnson, CD, MVP, Owner, commented:
The shutdown reason can be simply canceled by hitting the [X] button.

If you don't log off then you should at least LOCK when leaving your computer for any reason. Windows key + L works very well.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
I understand that.  But I work in a secure area high security.  There's no way someone walked up to my computer and did this.

Jackie Man commented:
"I understand that.  But I work in a secure area high security.  There's no way someone walked up to my computer and did this."

In such a case, your admin account is likely to be compromised by malware.

Mark O'Brien, Dispatch Software Support and Server Administration (author), commented:
ty