locked
Windows does not write an Event Log 6008 entry on unexpected shutdown RRS feed

  • Question

  • Hi there,

    I am looking to set up some monitoring on devices for our company estate running Windows XP professional SP3.

    I know how to do this and that I want to monitor for occurrences of unexpected shutdowns, for example; when a user holds down the power button to turn off the device rather than performing a software shutdown.

    The problem I have is that when this action is performed, the expected event log entry, 6008, is not recorded. The system shows the other event logs round about this stage, such as 6005 and 6009 when it starts up again, but there is no 'flag' to say the shutdown was unexpected.
    Can anyone direct me to where I can check or enable this?

    I have already been into the 'Startup and Recorvery' menu and ensured that 'write an event to the system log' is selected under system failure.

    Many thanks,

    Monday, March 25, 2013 5:01 PM

Answers

  • Just in case anyone does read this and wants to know the solution I have come across.

    The problem is that the registry key which sends out the 'heartbeat' to check for 'Dirty' Shutdowns was not turned on on our machines.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability

    needs to have the following keys;

    LastAliveStamp  REG_BINARY  d0 ba ad 0b
    TimeStampInterval  REG_DWORD  1

    The Event Log service periodically updates the last alive time stamp that is stored in a registry entry. The Event Log service cleans the last alive time stamp during system shutdown. This time stamp is not cleaned after an unexpected shutdown (dirty shutdown). Then the next time that the system starts, the Event Log service raises an event to report the unexpected shutdown.

    Therefore adding the above 2 keys our systems now create an error log when the timestamp is not cleared down.

    Monday, April 8, 2013 3:44 PM

All replies

  • Check this http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/5456b947-3a8c-4d6f-9335-2a478ef0316c

    Arnav Sharma | Facebook | Twitter Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, March 29, 2013 9:33 AM
    Moderator
  • Thanks for your reply Arnav, but this link was in no way relevant.

    Regards,

    Thursday, April 4, 2013 11:56 AM
  • Just in case anyone does read this and wants to know the solution I have come across.

    The problem is that the registry key which sends out the 'heartbeat' to check for 'Dirty' Shutdowns was not turned on on our machines.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability

    needs to have the following keys;

    LastAliveStamp  REG_BINARY  d0 ba ad 0b
    TimeStampInterval  REG_DWORD  1

    The Event Log service periodically updates the last alive time stamp that is stored in a registry entry. The Event Log service cleans the last alive time stamp during system shutdown. This time stamp is not cleaned after an unexpected shutdown (dirty shutdown). Then the next time that the system starts, the Event Log service raises an event to report the unexpected shutdown.

    Therefore adding the above 2 keys our systems now create an error log when the timestamp is not cleared down.

    Monday, April 8, 2013 3:44 PM
  • Thanks for Sharing. 

    Arnav Sharma | Facebook | Twitter Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, April 9, 2013 8:53 AM
    Moderator