what happens when you right click on start choose shutdown in server 2012?

Mark O'Brien
Hi techs,
I can't find anything online re: what happens when you right click on start > choose shutdown in server 2012.
Do you get the box that forces you to choose a reason?
Does the server just shut down?
etc...
Senior Network Consultant / Engineer
Commented:
Depends on the settings. The default for server 2012 is to prompt for a reason.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
We set to prompt admin to make a choice.
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
Sounds good. Do you have any more questions?
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
Yes.  This server suddenly shut itself down while I was moving files.  Now mgmt wants to know why I shut it down, but I didn't touch it.  How can I prove that?
M
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
You should look through the event log. It should show you if it was a graceful shutdown or if it was unexpected. It will also show you bugcheck info if it was a BSOD.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
So far admin says "it shows you shut it down"
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
Does anyone else have access to your credentials? The event log doesn't make stuff up so your user restarted the computer. :-/
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
Well, it's a hyperV soooo who knows.  I certainly did not restart that server.  I would have had to go through the restart menu and everything, which I did not do

I'm suspecting malware has entered the server, or existing applications running on the server 2012 might be causing the issues.

Can you give further details on what applications are running, and have you checked the event viewer?

Also, have you checked the task manager processes to see if there are any abnormalities or unknown services interrupting?
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
Ok. The Admin says he checked the server and the only thing he saw is that it shut down while I was logged in.  I don't have access to what other apps were running.  If there were unknown services running, I'm sure the Server admin would've mentioned that.
This is really odd.
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
There are events recording the information, as I said. It will tell you if the shutdown was unexpected or if someone shut it down (event source is "eventlog") and also if there was a BSOD (event source is "bugcheck"). Look for those events to track down the issue.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
I think management is looking into this more.  I want to keep this open.  I KNOW I did not click four times into a shutdown menu and shut it down.  I was not even in the same room when it shut off.  It's scary, b/c it certainly could happen again!
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
If you have access to the system event log, you could look through it for the events and point them out to the admin.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
Wait, what would I search in the Event log again?
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
In the system event log, filter by the time of the shutdown (maybe 30 mins before and 30 mins after...) and by event source "eventlog" and "bugcheck". If there's two sources called "Eventlog" I check them both.

Then go through each entry. It should show if there was a shutdown initiated and who initiated it. It will also show boot time and if the shutdown was unexpected. If the shutdown was unexpected that means something went wrong like a crash, BSOD, loss of power, etc. If there was a BSOD, you'll see a bugcheck event with the stop codes.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
Ok, I have these files from Event Viewer... Which is the right one?
Application.evtx
LocaleMetaData
ForwardedEvents.evtx
RemoteDesktopServices-RdpCoreTS.evtx
RemoteDesktopServices-SessionServices-Operational.evtx
Security.evtx
Setup.evtx
System.evtx
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
Use the event viewer.
1. Expand the logs and select System
2. Click on Filter Current Log
3. Choose the time range that the server rebooted. 5 mins before and after should be plenty. Expand the time range if you're not certain what time the reboot occurred.
4. Choose bugcheck and eventlog as the sources.
Then go through the results looking for the events I pointed out. :)
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
All I can get are those files I listed.  I think they're the saved EV files, aren't they?
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
You can open those files in event viewer. Are they saved from that timeframe of the reboot? If so then the system file should contain the events. If not you should just view the system events of the server.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
I've opened the "System" one and am looking for time 12:50 pm but don't see anything unusual.
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
If you followed my instructions and are not seeing the events then I guess you'll have to wait to see what the admin says.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
Wait I found this. User32 1074

The process C:\Windows\system32\winlogon.exe (servername) has initiated the power off of computer servername on behalf of user domain\username for the following reason: No title for this reason could be found
 Reason Code: 0x500ff
 Shutdown Type: power off
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
If that event is about the same time as the server reboot in question then the user listed is the one that initiated the shutdown.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
But I was in the restroom.  There's no way I could've shut it down.  I would have had to "accidentally" click FOUR times to shut it down.  There's just no way.
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
I take it by your response that your username is in the event. Either you or someone else using your credentials (or walking up to your computer) shut down/rebooted the computer.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
Nope.  Nobody here touched anything while I was logged in.
Jeremy WeisingerSenior Network Consultant / Engineer

Commented:
The walking up to computer was just an example. Either way, the event logs are saying that your user initiated the shutdown. There's no way around that.

Back to your initial question, what I said earlier is true about the defaults. But that is only if you initiate the shutdown as you said. If you're really wondering what are the ways you can shut down a server then the answer is quite different.

It is possible to initiate a shutdown using the command line or powershell and that wouldn't give any prompt.
You can also initiate a shutdown remotely. Again, no prompt for that.
And there's the possibility that a program (like an installer) or Windows itself would initiate a reboot. But there's usually prompts for them, though they would be different prompts.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
Would there be any log of the cmd line, PS shutdown, or Windows installer?  There has to be some explanation.
This is why I asked the original question though. I thought maybe I accidentally hit shutdown.  But that's not even possible b/c I would've had to have gone through the entire shutdown menu and I know I didn't do that.
DrDave242Principal Support Engineer

Commented:
It wouldn't hurt to change the password on your account. If the shutdown was performed by another user with access to your account, changing the password should at least slow them down. If it was performed by a service or automated process running under your account, changing the password should cause that service or process to be unable to function until its credentials are updated.

Regardless of whether it's a user or process, changing the password will cause logon failures to appear in the Security log (unless it's a user and they never again attempt to log in with your credentials). Those events can be quite useful in tracking down what's going on.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
What happens during a pwr outage?
Top Expert 2016

Commented:
If you walked away without locking the computer ANYONE could have initiated the shutdown
DrDave242Principal Support Engineer

Commented:
What happens during a pwr outage?

If the server is not plugged into a working UPS, it won't shut down in an orderly fashion in the event of a power outage. The logs won't show anything at all when it happens, for obvious reasons. You'll see an abnormal shutdown event (error 6008) in the System log the next time it powers up, and you'll likely see Kernel-Power critical event 41 as well. Abnormal shutdowns are unmistakable; Windows puts very clear events in the log when they occur, because a server losing power is something an admin will certainly want to know about.

If the server is plugged into a working UPS, it may not go down at all during a power outage, if the outage is short. During a long outage, the UPS should shut the server down in an orderly fashion, which will look in the logs like any other normal shutdown.
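
Added example (not part of the original thread, and not posted by any participant): a PowerShell equivalent of the System-log filtering described in the comments above, run against a saved System.evtx. It pulls the User32 1074, EventLog 6008 and Kernel-Power 41 events named in the thread plus the related IDs 1001, 6005 and 6006, and decodes the 1074 reason code; the file path and the date are placeholders, and ConvertFrom-ShutdownReason is a helper name made up for this example.

```powershell
# Added example, not from the thread. Path and date are placeholders.
$evtx = 'C:\Temp\System.evtx'          # hypothetical location of the saved System log
$when = Get-Date '2019-01-01 12:50'    # constructed date; 12:50 pm is the time given in the thread

# Reason code layout from the Windows SDK (reason.h): bit 31 = planned,
# bit 30 = user defined, bits 16-23 = major reason, bits 0-15 = minor reason.
function ConvertFrom-ShutdownReason([int64]$Code) {
    $major = 'Other', 'Hardware', 'Operating system', 'Software',
             'Application', 'System', 'Power', 'Legacy API'
    [pscustomobject]@{
        Planned     = [bool](($Code -shr 31) -band 1)
        UserDefined = [bool](($Code -shr 30) -band 1)
        Major       = $major[[int](($Code -shr 16) -band 0xFF)]
        Minor       = '0x{0:x}' -f ($Code -band 0xFFFF)
    }
}

$labels = @{
    41   = 'Kernel-Power: system restarted without a clean shutdown'
    1001 = 'BugCheck: restarted after a stop error (stop code is in the message)'
    6005 = 'EventLog: service started (boot)'
    6006 = 'EventLog: service stopped (orderly shutdown)'
    6008 = 'EventLog: previous shutdown was unexpected'
}
$filter = @{
    Path      = $evtx
    Id        = 41, 1001, 1074, 6005, 6006, 6008
    StartTime = $when.AddMinutes(-30)
    EndTime   = $when.AddMinutes(30)
}

# -Oldest returns the events in chronological order.
Get-WinEvent -FilterHashtable $filter -Oldest | ForEach-Object {
    $detail = $labels[$_.Id]
    if ($_.Id -eq 1074) {
        # Field order as shown in the event's XML view (param1..param7):
        # 0 process, 3 reason code, 4 shutdown type, 6 user.
        $p = $_.Properties
        $r = ConvertFrom-ShutdownReason ([Convert]::ToInt64([string]$p[3].Value, 16))
        $detail = '{0} requested by {1} on behalf of {2}; major={3} minor={4} planned={5}' -f
            $p[4].Value, $p[0].Value, $p[6].Value, $r.Major, $r.Minor, $r.Planned
    }
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Detail = $detail }
} | Format-Table -AutoSize -Wrap
```

For the reason code 0x500ff quoted earlier in the thread, the helper returns major "System", minor 0xff, with neither the planned nor the user-defined flag set.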
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
huh. So odd.  I work in a secure area.  no way anyone would have done anything.  There's got to be an explanation.  I know the vpn connection was up and down though
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
It would be very difficult to "accidentally" click 4-5 times within the Shutdown menu.  there's just no way
Jackie Man IT Manager
Top Expert 2010

Commented:
The best practice is to log off from your user account when you go to the toilet.
Top Expert 2016

Commented:
The shutdown reason can be simply canceled by hitting the [X] button.

If you don't log off then you should at least LOCK when leaving your computer for any reason.. windows key - L works very well.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
I understand that.  But I work in a secure area high security.  There's no way someone walked up to my computer and did this.
Jackie Man IT Manager
Top Expert 2010

Commented:
I understand that.  But I work in a secure area high security.  There's no way someone walked up to my computer and did this.

In such case, your admin account is likely to be compromised by malware.
Mark O'BrienDispatch Software Support and Server Administration

Author

Commented:
ty
