What events to search for to find a server reboot

With virtualization on the rise we sys admins find ourselves managing a lot more server than normal. Gone are the days of managing a couple racks of pizza boxes. Instead one of those pizza boxes may hold a hundred virtual servers itself. And with so many servers, and clients doing the same fun things, we find ourselves looking into the random “my server rebooted why?” question.

When investigating a reboot you can search the system event log for the event ID’s below. Each one corresponds to a reboot and will help determine why. And after you find the actual reboot you can check the rest of the events around that time to see if anything lead to or caused it. For example windows updates, or a BSOD.

The process Explorer.EXE has initiated the restart of computer SERVER01 on behalf of user SERVER01\UserName for the following reason: Other (Planned)
Reason Code: 0x85000000
Shutdown Type: restart
Comment: Server updates
The Event log service was stopped.
The Event log service was started.
The kernel power manager has initiated a shutdown transition.
Installation Successful: Windows successfully installed the following update: Definition Update for Windows Defender – KB2267602 (Definition 1.173.438.0)22
Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes:
The operating system is shutting down at system time.12
The operating system started at system time.
I just copy and paste this line into the event filter.
Reboot Events

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.