Shutdown with minor causes 0x84010001 and 0x80070020

mdgrkb · 01-12-2006

Hello,

I'm investigating a server that recently shut down and it is unclear what or
who shut it down. I have the following events:

Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 29-11-2006
Time: 18:19:33
User: S-1-5-21-2718388043-1283238250-2015309376-500
Computer: MYSERVER
Description:
The process Explorer.EXE has initiated the restart of MYSERVER for the
following reason: Hardware: Maintenance (Planned)
Minor Reason: 0x84010001
Shutdown Type: shutdown
Comment:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 01 00 01 84 ...„

Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 29-11-2006
Time: 18:24:20
User: NT AUTHORITY\SYSTEM
Computer: MYSERVER
Description:
The process svchost.exe has initiated the restart of MYSERVER for the
following reason: No title for this reason could be found
Minor Reason: 0x80070020
Shutdown Type: power off
Comment:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 20 00 07 80 ..€

What puzzles me is that these events don't mention "on behalf of" what user
the shutdown was triggered. Does anyone know how to dig further into the
cause of this?

Thank you very much

acchong · 01-12-2006

You need to have Audit Privelege Use turn on to trace who shutdown the
server.
If you have Audit Privilege Use turn on, check security log for use of
SeShutdownPrivilege privilege to identify who shutdown the server.

On Dec 1, 3:25Â am, "mdgrkb" <noemail@thanks> wrote:
> Hello,
>
> I'm investigating a server that recently shut down and it is unclear whator
> who shut it down. Â I have the following events:
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date: Â 29-11-2006
> Time: Â 18:19:33
> User: Â S-1-5-21-2718388043-1283238250-2015309376-500
> Computer: MYSERVER
> Description:
> The process Explorer.EXE has initiated the restart of MYSERVER for the
> following reason: Hardware: Maintenance (Planned)
> Â Minor Reason: 0x84010001
> Â Shutdown Type: shutdown
> Â Comment:
>
> For more information, see Help and Support Center athttp://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 01 00 01 84 Â Â Â Â Â Â Â ...â€ž
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date: Â 29-11-2006
> Time: Â 18:24:20
> User: Â NT AUTHORITY\SYSTEM
> Computer: MYSERVER
> Description:
> The process svchost.exe has initiated the restart of MYSERVER for the
> following reason: No title for this reason could be found
> Â Minor Reason: 0x80070020
> Â Shutdown Type: power off
> Â Comment:
>
> For more information, see Help and Support Center athttp://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 20 00 07 80 Â Â Â Â Â Â Â Â ...â‚¬
>
> What puzzles me is that these events don't mention "on behalf of" what user
> the shutdown was triggered. Â Does anyone know how to dig further into the
> cause of this?
>
> Thank you very much

Roger Abell [MVP] · 03-12-2006

I agree. It looks like someone manually initiated the shutdown.

"acchong" <aichung.chong@gmail.com> wrote in message
news:1164920499.858863.61680@n67g2000cwd.googlegroups.com...
You need to have Audit Privelege Use turn on to trace who shutdown the
server.
If you have Audit Privilege Use turn on, check security log for use of
SeShutdownPrivilege privilege to identify who shutdown the server.

On Dec 1, 3:25 am, "mdgrkb" <noemail@thanks> wrote:
> Hello,
>
> I'm investigating a server that recently shut down and it is unclear what
> or
> who shut it down. I have the following events:
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date: 29-11-2006
> Time: 18:19:33
> User: S-1-5-21-2718388043-1283238250-2015309376-500
> Computer: MYSERVER
> Description:
> The process Explorer.EXE has initiated the restart of MYSERVER for the
> following reason: Hardware: Maintenance (Planned)
> Minor Reason: 0x84010001
> Shutdown Type: shutdown
> Comment:
>
> For more information, see Help and Support Center
> athttp://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 01 00 01 84 ..."
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date: 29-11-2006
> Time: 18:24:20
> User: NT AUTHORITY\SYSTEM
> Computer: MYSERVER
> Description:
> The process svchost.exe has initiated the restart of MYSERVER for the
> following reason: No title for this reason could be found
> Minor Reason: 0x80070020
> Shutdown Type: power off
> Comment:
>
> For more information, see Help and Support Center
> athttp://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 20 00 07 80 ..?
>
> What puzzles me is that these events don't mention "on behalf of" what
> user
> the shutdown was triggered. Does anyone know how to dig further into the
> cause of this?
>
> Thank you very much