Find out unexpected shutdowns from a log /event !!!

  • Question

  • Hi,

    I want to find out a way to identify a proper shutdown & a force shutdown from a log/event or any other way...

    Please help me out on this...


    G
    Saturday, June 11, 2011 4:45 PM

All replies

  • Hello,

    Have a look at this: http://technet.microsoft.com/en-us/library/cc753185.aspx

    If there is a BSOD then your computer will shut down and a dump file will be created under c:\windows\minidumps.

     


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator 

    Saturday, June 11, 2011 6:01 PM
  • Hi Mr X,

    Got it. But this applies to Win7 & Server 2008. My requirement is for XP SP2.


    G
    Saturday, June 11, 2011 6:19 PM
  • I assume that a "Proper shutdown" is by pressing Ctrl+Alt+Del or by clicking Start/Shutdown. What then is a "Force shutdown"?
    Sunday, June 12, 2011 5:59 AM
  • Oops, I have used an incorrect word. It should be an unexpected shutdown, not a force shutdown (e.g. due to a power failure).
    G
    Sunday, June 12, 2011 4:53 PM
  • On my WinXP machines, the Event Recorder does not appear to register an improper shutdown, e.g. a shutdown caused by a power failure. You would have to "do it yourself" by modifying the local policy to run a shutdown and a startup script. Each would append a marker to a log file. You then examine the log file with your own script. Whenever the script finds two successive startup markers it marks this as an improper shutdown.
    Sunday, June 12, 2011 10:41 PM
  • See http://support.microsoft.com/kb/307973 for information on enabling logging of system failures. Logging is always enabled on server systems. When logging is enabled, event 6008 will be written to the System event log after recovering from a system failure. In English, the description of the event is "The previous system shutdown at <time> on <date> was unexpected."

    The system will log event 6009 at startup, and I think event 6008 is logged after 6009 on recovery. I don't have a system available to test. In any case, you scan for the existence of event 6008 following the last restart to determine whether or not the restart was expected.


    Monday, June 13, 2011 1:42 AM
  • Hi Pegasus,

    I like your idea. This is something we could think of.

    Anyway, is there no such log/event in XP to find out an unexpected shutdown, or to differentiate the log/event of a shutdown between unexpected & proper shutdown?

    ????????????????????????


    G
    Friday, June 17, 2011 5:23 PM
  • I have example startup and shutdown VBScripts that log to a shared log file. Then I have another script that reads the log file and can determine when there was a startup without a preceding shutdown for each computer. The scripts are linked here:

    http://www.rlmueller.net/Logon5.htm

    However, Trevor's suggestion to enable logging of system failures, then search for event 6008 may be even better.

     


    Richard Mueller - MVP Directory Services
    Sunday, June 26, 2011 12:43 AM
  • Hi Richard,

    I visited http://www.rlmueller.net/Logon5.htm & checked the scripts mentioned there. Which script are you referring to for determining a startup without a preceding shutdown?

     

    RGDS,


    G
    Wednesday, June 29, 2011 8:51 PM
  • Assuming you have configured Startup5.vbs as a startup script and Shutdown5.vbs as a shutdown script in a GPO, the program ParseStartups.vbs will parse the resulting shared log file to identify "sessions" for each computer. A session is a startup followed by a shutdown for the same computer and includes the session time in hours, minutes, and seconds. For each session the program outputs <computer name>,<startup time>,<shutdown time>,<duration> in comma delimited format (so the output, redirected to a text file, can be read into a spreadsheet program).

    If a startup is encountered, and the previous event for this computer was also a startup, the program outputs "<unknown>" for shutdown time and duration. If a shutdown is encountered, and there is no corresponding previous startup for the computer, the program outputs "<unknown>" for startup time and duration (this should only happen in the beginning when the GPO is first applied, and only to computers already started at that time). Any row in the output file where shutdown is "<unknown>" means an unexpected shutdown happened some time before the startup time on the same line and after the previous startup time for the same computer.

    ParseStartups.vbs was written to document computer session durations, but you can identify unexpected shutdowns as well (although not exactly when they occurred).

     


    Richard Mueller - MVP Directory Services
    • Marked as answer by GSenanayake Saturday, July 2, 2011 12:54 AM
    Wednesday, June 29, 2011 9:26 PM
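
    Added example (not part of the original thread and not ParseStartups.vbs itself): the pairing rule described above, where a startup that follows another startup for the same computer marks an unexpected shutdown, applied to a constructed log. The `Event;Timestamp;Computer` line layout and all names in the code are assumptions made for this example.

```python
import csv
import io
from datetime import datetime

# Constructed sample of the shared log. The "Event;Timestamp;Computer" layout
# is an assumption for this example, not the format Startup5.vbs writes.
SAMPLE_LOG = """\
Shutdown;2011-06-27 18:00:05;PC02
Startup;2011-06-28 08:01:10;PC01
Startup;2011-06-28 08:03:00;PC02
Shutdown;2011-06-28 17:30:40;PC01
Startup;2011-06-29 08:00:00;PC01
Startup;2011-06-29 09:15:30;PC01
Shutdown;2011-06-29 17:00:00;PC01
"""
FMT = "%Y-%m-%d %H:%M:%S"
UNKNOWN = "<unknown>"

def parse_sessions(log_text):
    """Return (rows, unexpected) from a chronologically appended log."""
    open_start = {}  # computer -> startup time still waiting for a shutdown
    rows, unexpected = [], []  # CSV-style session rows; (pc, earlier, later)
    for rec in csv.reader(io.StringIO(log_text), delimiter=";"):
        event = rec[0].strip().lower() if len(rec) == 3 else ""
        if event not in ("startup", "shutdown"):
            continue  # skip blank or damaged lines (e.g. a torn write)
        computer = rec[2].strip().upper()
        when = datetime.strptime(rec[1].strip(), FMT)
        prev = open_start.pop(computer, None)
        if event == "startup":
            if prev is not None:
                # Startup after startup: no shutdown marker was written, so
                # the machine went down somewhere between prev and when.
                rows.append((computer, prev.strftime(FMT), UNKNOWN, UNKNOWN))
                unexpected.append((computer, prev, when))
            open_start[computer] = when
        else:
            start = prev.strftime(FMT) if prev else UNKNOWN
            duration = str(when - prev) if prev else UNKNOWN
            rows.append((computer, start, when.strftime(FMT), duration))
    return rows, unexpected

if __name__ == "__main__":
    sessions, gaps = parse_sessions(SAMPLE_LOG)
    print("\n".join(",".join(row) for row in sessions))
    for computer, earlier, later in gaps:
        print(f"{computer}: unexpected shutdown between {earlier} and {later}")
```

    A computer whose last event is a startup (PC02 in the sample) is treated as still running and is not reported.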
  • Hi Richard,

    Got it, I tested that. So whenever I get the <Unknown> it is for a startup/shutdown mismatch. Hoping we have all records of start-up, it can be pointed out towards shutdown.

    One more concern: when many PCs try to write to this log file, how could it behave? Also, will there be a delay if many PCs start/shut down together?

    RGDS,


    G
    Wednesday, June 29, 2011 10:07 PM
  • I thought about the possibility of conflicts, although I could not create any in my tests. However, both Startup5.vbs and Shutdown5.vbs on the page I linked make 3 attempts to write to the shared log file, with a 200 millisecond delay between attempts, in case the file is busy.

     


    Richard Mueller - MVP Directory Services
    Wednesday, June 29, 2011 10:58 PM
  • Hi Richard,

    Noted. Currently I'm working on gathering the <unknown> list from the ParseStartups.vbs output & getting a mail notification at the end of the day. Anyway, let me update you with some test results. Thanks for your support...

     

    RGDS,


    G
    Thursday, June 30, 2011 11:54 PM
  • Hi Richard,

    It's working fine. After ParseStartups.vbs I extracted the <unknown> list & arranged an email notification. I think this is the ideal solution for my requirement. Thanks for the support, really appreciate it.

    Hi all,

    Thanks for all of your inputs.

     

    RGDS,

     


    G
    Saturday, July 2, 2011 12:53 AM