Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Shutdown with minor causes 0x84010001 and 0x80070020

457 views
Skip to first unread message

mdgrkb

unread,
Nov 30, 2006, 2:25:24 PM11/30/06
to
Hello,

I'm investigating a server that recently shut down and it is unclear what or
who shut it down. I have the following events:

Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 29-11-2006
Time: 18:19:33
User: S-1-5-21-2718388043-1283238250-2015309376-500
Computer: MYSERVER
Description:
The process Explorer.EXE has initiated the restart of MYSERVER for the
following reason: Hardware: Maintenance (Planned)
Minor Reason: 0x84010001
Shutdown Type: shutdown
Comment:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 01 00 01 84 ...„


Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 29-11-2006
Time: 18:24:20
User: NT AUTHORITY\SYSTEM
Computer: MYSERVER
Description:
The process svchost.exe has initiated the restart of MYSERVER for the
following reason: No title for this reason could be found
Minor Reason: 0x80070020
Shutdown Type: power off
Comment:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 20 00 07 80 ..€

What puzzles me is that these events don't mention "on behalf of" what user
the shutdown was triggered. Does anyone know how to dig further into the
cause of this?

Thank you very much


acchong

unread,
Nov 30, 2006, 4:01:39 PM11/30/06
to
You need to have Audit Privelege Use turn on to trace who shutdown the
server.
If you have Audit Privilege Use turn on, check security log for use of
SeShutdownPrivilege privilege to identify who shutdown the server.

On Dec 1, 3:25 am, "mdgrkb" <noemail@thanks> wrote:
> Hello,
>
> I'm investigating a server that recently shut down and it is unclear what or
> who shut it down.  I have the following events:
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date:  29-11-2006
> Time:  18:19:33
> User:  S-1-5-21-2718388043-1283238250-2015309376-500
> Computer: MYSERVER
> Description:
> The process Explorer.EXE has initiated the restart of MYSERVER for the
> following reason: Hardware: Maintenance (Planned)
>  Minor Reason: 0x84010001
>  Shutdown Type: shutdown
>  Comment:
>

> For more information, see Help and Support Center athttp://go.microsoft.com/fwlink/events.asp.


> Data:
> 0000: 01 00 01 84               ...„
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date:  29-11-2006
> Time:  18:24:20
> User:  NT AUTHORITY\SYSTEM
> Computer: MYSERVER
> Description:
> The process svchost.exe has initiated the restart of MYSERVER for the
> following reason: No title for this reason could be found
>  Minor Reason: 0x80070020
>  Shutdown Type: power off
>  Comment:
>

> For more information, see Help and Support Center athttp://go.microsoft.com/fwlink/events.asp.

Roger Abell [MVP]

unread,
Dec 3, 2006, 10:51:31 AM12/3/06
to
I agree. It looks like someone manually initiated the shutdown.

"acchong" <aichun...@gmail.com> wrote in message
news:1164920499....@n67g2000cwd.googlegroups.com...

> 0000: 20 00 07 80 ..?

0 new messages