<div>
We set to prompt admin to make a choice.
</div>


<div>
Sounds good. Do you have any more questions?
</div>


<div>
Yes. &nbsp;This server suddenly shut itself down while I was moving files. &nbsp;Now mgmt wants to know why I shut it down, but I didnt touch it. &nbsp;How can I prove that?<br />
M
</div>


<div>
You should look though the event log. It should show you if it was a graceful shutdown or if it was unexpected. It will also show you bugckeck info If is was a BSOD.
</div>


<div>
So far admin says &quot;it shows you shut it down&quot;
</div>


<div>
Does anyone else have access to your credentials? The event log doesn't make stuff up so your user restarted the computer. :-/
</div>


<div>
Well, it's a hyperV soooo who knows. &nbsp;I certainly did not restart that server. &nbsp;I would have had to go through the restart menu and everything, which I did not do
</div>


<div>
I'm suspecting a malware has entered to the server or existing applications running on the server 2012 might cause the issues. <br />
<br />
Can you give further details what applications are running and have you checked the event viewer?<br />
<br />
also have you checked the task manager process see if there any abnormalities or unknown services interrupting.
</div>


<div>
Ok. The Admin says he checked the server and the only thing he saw is that it shut down while I was logged in. &nbsp;I dont have access to what other apps were running. &nbsp;If there were unknown services running, Im sure the Server admin wouldve mentioned that.<br />
this is really odd.
</div>


<div>
There are events recording the information, as I said. It will tell you if the shutdown was unexpected or if someone shut it down (event source is &quot;eventlog&quot;) and also if there was a BSOD (event source is &quot;bugcheck&quot;). Look for those events to track down the issue.
</div>


<div>
I think management is looking into this more. &nbsp;I want to keep this open. &nbsp;I KNOW I did not click four times into a shutdown menu and shut it down. &nbsp;I was not even in the same room when it shut off. &nbsp;It's scary, b/c it certainly could happen again!
</div>


<div>
If you have access to the system event log, you could look through it for the events and point them out to the admin.
</div>


<div>
Wait, what would I search in the Event log again?
</div>


<div>
In the system event log, filter by the time of the shutdown (maybe 30 mins before and 30 mins after...) and by event source &quot;eventlog&quot; and &quot;bugcheck&quot;. If there's two sources called &quot;Eventlog&quot; I check them both.<br />
<br />
Then go through each entry. It should show if there was a shutdown initiated and who initiated it. It will also show boot time and if the shutdown was unexpected. If the shutdown was unexpected that means something went wrong like a crash, BSOD, loss of power, etc. If there was a BSOD, you'll see a bugcheck event with the stop codes.
</div>


<div>
Ok, I have these files from Event Viewer... Which is the right one?<br />
Application.evtx<br />
LocaleMetaData<br />
ForwardedEvents.evtx<br />
RemoteDesktopServices-RdpC<wbr />oreTS.evtx<wbr /><br />
RemoteDesktopServices-Sess<wbr />ionService<wbr />s-Operatio<wbr />nal.evtx<br />
Security.evtx<br />
Setup.evtx<br />
System.evtx
</div>


<div>
Use the event viewer. <br />
1. Expand the logs and select System<br />
2. Click on Filter Current Log<br />
3. Choose the time range that the server rebooted. 5 mins before and after should be plenty. Expand the time range if you're not certain what time the reboot occurred. <br />
4. Choose bugcheck and eventlog as the sources.<br />
<a href="https://filedb.experts-exchange.com/incoming/2017/11_w46/1211089/eventviewer.png" target="_blank" title="eventviewer.png (118 KB)"><img alt="eventviewer.png" class="file-block lazyload" style="max-width: 800px;" data-src="https://filedb.experts-exchange.com/incoming/2017/11_w46/800_1211089/eventviewer.png" /></a>Then go through the results looking for the events I pointed out. :)
</div>


eventviewer.png

<div>
All I can get are those files I listed. &nbsp;I think they're the saved EV files, arent they?
</div>


<div>
You can open those files in event viewer. Are they saved from that timeframe of the reboot? If so then the system file should contain the events. If not you should just view the system events of the server.
</div>


<div>
Ive opened the &quot;System&quot; one and am looking for time 12:50 pm but dont see anything unusual.
</div>


<div>
If you followed my instructions and are not seeing the events then I guess you'll have to wait to see what the admin says.
</div>


<div>
Wait I found this. User32 1074<br />
<br />
The process C:\Windows\system32\winlog<wbr />on.exe (servername) has initiated the power off of computer servername on behalf of user domain\username for the following reason: No title for this reason could be found<br />
&nbsp;Reason Code: 0x500ff<br />
&nbsp;Shutdown Type: power off
</div>


<div>
If that event is about the same time as the server reboot in question then the user listed is the one that initiated the shutdown.
</div>


<div>
But I was in the restroom. &nbsp;There's no way I couldve shut it down. &nbsp;I would have had to &quot;accidentally&quot; clicked FOUR times to shut it down. &nbsp;There's just no way.
</div>


<div>
I take it by your response that your username is in the event. Either you or someone else using your credentials (or walking up to your computer) shutdown/reboot the computer.
</div>


<div>
Nope. &nbsp;Nobody here touched anything while I was logged in.
</div>


<div>
The walking up to computer was just an example. Either way, the event logs are saying that your user initiated the shutdown. There's no way around that. <br />
<br />
Back to your initial question, what I said earlier is true about the defaults. But that is only if you initiate the shutdown as you said. If you're really wondering what are the ways you can shutdown a server then the answer is quite different. <br />
<br />
It is possible to initiate a shutdown user the command line or powershell and that wouldn't give any prompt.<br />
You can also initiate a shutdown remotely. Again, no prompt for that.<br />
And there's the possibility that a program (like an installer) or Windows itself would initiate a reboot. But there's usually prompts for them, though they would be different prompts.
</div>


<div>
Would there be any log of the cmd line, PS shutdown, or Windows installer? &nbsp;There has to be some explanation.<br />
This is why I asked the original question though. I thought maybe I accidentally hit shutdown. &nbsp;But that's not even possible b/c I would've had to have gone through the entire shutdown menu and I know I didn't do that.
</div>


<div>
It wouldn't hurt to change the password on your account. If the shutdown was performed by another user with access to your account, changing the password should at least slow them down. If it was performed by a service or automated process running under your account, changing the password should cause that service or process to be unable to function until its credentials are updated.<br />
<br />
Regardless of whether it's a user or process, changing the password will cause logon failures to appear in the Security log (unless it's a user and they never again attempt to log in with your credentials). Those events can be quite useful in tracking down what's going on.
</div>


<div>
What happens during a pwr outage?
</div>


<div>
If you walked away without locking the computer ANYONE could have initiated the shutdown
</div>


<div>
<blockquote>
What happens during a pwr outage?
</blockquote>
<br />
If the server is not plugged into a working UPS, it won't shut down in an orderly fashion in the event of a power outage. The logs won't show anything at all when it happens, for obvious reasons. You'll see an abnormal shutdown event (error 6008) in the System log the next time it powers up, and you'll likely see Kernel-Power critical event 41 as well. Abnormal shutdowns are unmistakable; Windows puts very clear events in the log when they occur, because a server losing power is something an admin will certainly want to know about.<br />
<br />
If the server is plugged into a working UPS, it may not go down at all during a power outage, if the outage is short. During a log outage, the UPS should shut the server down in an orderly fashion, which will look in the logs like any other normal shutdown.
</div>


<div>
huh. So odd. &nbsp;I work in a secure area. &nbsp;no way anyone would have done anything. &nbsp;There's got to be an explanation. &nbsp;I know the vpn connection was up and down though
</div>


<div>
It would be very difficult to &quot;accidentally&quot; click 4-5 times within the Shutdown menu. &nbsp;there's just no way
</div>


<div>
The best practice is to log off from your user account when you go to toilet.
</div>


<div>
the shutdown reason can be simply canceled by hitting the [X] button.<br />
<br />
If you don't logoff then you should at least LOCK when leaving your computer for any reason.. windows key - L works very well.
</div>


<div>
I understand that. &nbsp;But I work in a secure area high security. &nbsp;There's no way someone walked up to my computer and did this.
</div>


<div>
<blockquote>
I understand that. &nbsp;But I work in a secure area high security. &nbsp;There's no way someone walked up to my computer and did this.
</blockquote>
<br />
In such case, your admin account is likely to be compromised by malware.
</div>


<div>
<div class="content wysiwyg-content">
Hi techs,<br />
I cant find anything online re: what happens when you right click on start &gt;&nbsp;choose shutdown in server 2012.<br />
Do you get the box that forces you to choose a reason?<br />
Does the server just shutdown?<br />
etc...
</div>
</div>


Hi techs,
I cant find anything online re: what happens when you right click on start > choose shutdown in server 2012.
Do you get the box that forces you to choose a reason?
Does the server just shutdown?
etc...

what happens when you right click on start choose shutdown in server 2012?

IT Administration is the processes and best practices for programming and development, and incorporates methodologies for managing activities and projects. Common methodologies include waterfall, prototyping, iterative and incremental development, spiral development, rapid application development, extreme programming and various types of agile methodology. The life-cycle "model" is a more general term for a category of methodologies, and a software development "process" a more specific term to refer to a specific process chosen by a specific organization.

IT Administration

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.

Microsoft Server OS

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.