Yesterday evening one of our test servers automatically rebooted. This morning we found out that last night’s test run was interrupted. Checking the logs and stuff, we found out this was the case. So we took on the task of finding out what happened.
The best friend here is the Windows Event Log: it is a reliable source for checking a computer’s history. (What happens in case of hibernate? #to-find)
A shutdown or reboot can happen for various reasons, and each reason can produce a different Event ID. So what we need is a quick way to find out the boot time. There are a few events we can trust: the ones the Event Logging service itself writes when it starts or shuts down. Very rarely would someone disable this service or start/stop it manually. The events logged by the Event Log service are:
6005: logged at boot time, when the service starts
6006: logged at shutdown, when the service is stopping
The Date/Time of entries with these IDs can be taken as a rough indication of when the computer stopped and booted.
In our case, we found that half an hour before a shutdown log entry there was an event (Event ID = 22, Category = Installation, Source = Windows Update Agent) logged by Windows Update, saying that the computer will be rebooted within 30 minutes.
More info: http://support.microsoft.com/kb/196452
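
The check described above, as an added PowerShell example that is not part of the original post: it builds a timeline from events 6005, 6006 and 22 in the System log and notes any shutdown that follows a Windows Update restart notice. The 7-day look-back, the 35-minute window and matching the update source by a provider name containing "Update" are assumptions.

```powershell
# Added example (not from the original post). Assumed values are marked.
$since  = (Get-Date).AddDays(-7)   # assumed look-back period
$window = 35                       # assumed: 30-minute notice plus slack, in minutes

# Pull the three event IDs named in the post from the System log.
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 6005, 6006, 22; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object {
        # 6005/6006 must come from the Event Log service itself. Event IDs
        # are per source, so other providers may also log an ID 22: keep only
        # update-related ones (assumption: provider name contains "Update").
        ((6005, 6006 -contains $_.Id) -and $_.ProviderName -eq 'EventLog') -or
        ($_.Id -eq 22 -and $_.ProviderName -match 'Update')
    } |
    Sort-Object TimeCreated

$lastNotice = $null   # time of the most recent restart notice
$lastEdge   = $null   # ID of the previous 6005/6006 event

$timeline = foreach ($e in $events) {
    $note = ''
    switch ($e.Id) {
        22   { $what = 'Restart notice'; $lastNotice = $e.TimeCreated }
        6006 {
            $what = 'Shutdown (Event Log service stopping)'
            if ($lastNotice) {
                $gap = ($e.TimeCreated - $lastNotice).TotalMinutes
                if ($gap -le $window) { $note = 'restart notice {0:N0} min earlier' -f $gap }
            }
            $lastEdge = 6006
        }
        6005 {
            $what = 'Boot (Event Log service started)'
            # Two starts in a row: the stop in between was never logged.
            if ($lastEdge -eq 6005) { $note = 'no 6006 since previous boot' }
            $lastEdge = 6005
        }
    }
    New-Object psobject -Property @{
        Time = $e.TimeCreated; Id = $e.Id; Source = $e.ProviderName; Event = $what; Note = $note
    }
}

$timeline | Select-Object Time, Id, Source, Event, Note | Format-Table -AutoSize
```

A boot flagged with "no 6006 since previous boot" means the Event Log service never recorded a stop, which goes beyond the post's case and points at a shutdown that was not a normal one.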