Shutdown Event Tracker Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Shutdown Event Tracker Tools and Settings

In this section

  • Shutdown Event Tracker Tools

  • Shutdown Event Tracker Registry Entries

  • Shutdown Event Tracker Group Policy Settings

  • Network Ports Used by Shutdown Event Tracker

Shutdown Event Tracker is a feature of the Microsoft Windows Server 2003 operating systems that provides a way for IT professionals to consistently track why users restart or shut down their computers. Shutdown Event Tracker captures the reasons users give for restarts and shutdowns to help create a comprehensive picture of an organization’s system environment. It does not document why users choose other options, such as Log off and Hibernate.

In a more active sense, Shutdown Event Tracker also provides IT professionals with a specific tool, Remote Shutdown (Shutdown.exe), for restarting or shutting down both local and remote computers, while at the same time supplying reasons for doing so. In addition, users can employ Remote Shutdown to hibernate a local computer and cancel delayed shutdowns.

Shutdown Event Tracker is enabled by default and is a routine part of the computer shutdown process.

Shutdown Event Tracker Tools

The following tools are associated with Shutdown Event Tracker.

Shutdown.exe: Remote Shutdown

Category

Remote Shutdown (Shutdown.exe) is part of Windows Server 2003.

Version compatibility

Remote Shutdown can also be used to control restarts or shutdowns on computers running Windows NT 4.0 and Windows 2000.

Remote Shutdown (Shutdown.exe) enables users to restart or shut down a local computer or one or more remote computers by either of two means: 1) the graphical user interface (GUI), invoked by typing Shutdown /i at the command prompt, or 2) the same Shutdown command used in combination with various other command-line parameters (for example, Shutdown /s, which causes the computer to shut down after a short interval).

IT professionals can also use this tool to perform remote bulk annotations of unexpected shutdowns, an alternative to the time-consuming task of logging on to each computer to record a reason for an unexpected shutdown.

In addition, users can employ Remote Shutdown to hibernate local computers and to cancel delayed shutdowns from the command prompt.

Note

  • Although Remote Shutdown can be used to restart or shut down both local and remote computers, its primary purpose is to control the shutdown behavior of remote computers.

To find more information about Shutdown Event Tracker command-line parameters, see Command Line References in Tools and Settings Collection.

To find more information about bulk annotations, see “Shutdown Event Tracker Processes and Interactions” in “How Shutdown Event Tracker Works.”

System State Data: System State Data feature

Category

The System State Data feature is part of Windows Server 2003.

Version compatibility

The System State Data feature runs on and targets all Windows Server 2003 operating systems.

System State Data gathers information for root-cause analysis of expected but unplanned shutdowns, and of unexpected shutdowns.

System state data is written to a log file when a user who has the Shutdown the system user right or administrative credentials specifies an “unplanned” reason for shutting down the computer. This file is stored in the %windir%\system32\LogFiles\Shutdown\ directory. The first user with administrative credentials who logs on to the computer after the shutdown will see a dialog box notification that reads: “The system has restarted after an unplanned shutdown. A log of this event has been created.” From this dialog box, the administrator can navigate to a more detailed description of the system state data file, its contents, and the Microsoft privacy policy for data collection on the Web. The administrator can choose whether to send the system state data file to Microsoft by clicking either the Send Error Report or Don’t Send button.

Windows Error Reporting: WER

Category

Windows Error Reporting is part of Windows Server 2003.

Version compatibility

Windows Error Reporting runs on and targets all Windows Server 2003 operating systems.

WER is a set of technologies that captures product failure (also known as crash) data, allows end users to report failure information, and allows software and hardware vendors to analyze and respond to these problems.

When the Report unplanned shutdown events policy setting is enabled, error reporting will include unplanned shutdown events. When this policy setting is disabled, unplanned shutdown events will not be included in error reporting.

If this setting is not configured, the user is able to control unplanned shutdown reporting using Control Panel, which is set to upload unplanned shutdown events by default.

The System State Data feature uses Windows Error Reporting to transmit shutdown data to Microsoft or to another designated recipient.

Note

  • Data will not be submitted to the designated recipient unless users click Send Error Report when presented with the Windows Error Reporting dialog box.

To find more information about Windows Error Reporting, click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection.

SSDFormat.exe: System State Data Formatter

Category

System State Data Formatter (SSDFormat.exe) is available in Resource Kit Tools in Tools and Settings Collection.

Version compatibility

System State Data Formatter runs on all Windows Server 2003 operating systems.

SSDFormat.exe is a command-line tool that creates a formatted copy of a system state data log file. SSDFormat.exe opens a system state data log file, adds an XSL file header to format the data, fixes any characters from the original file that are not legitimate XML characters, and saves the changes to a new XML file. When the user opens the XML file created by SSDFormat in any XML-capable viewer, such as Microsoft Internet Explorer, the XSL style sheet formats the data into tabular form.

To find more information about System State Data Formatter, click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection.

CustReasonEdit.exe: Custom Reason Editor

Category

Custom Reason Editor (CustomReasonEdit.exe) is available in Resource Kit Tools in Tools and Settings Collection. After downloading Windows Resource Kit Tools, click Start, All Programs, Windows Resource Kit Tools, and then Windows Resource Kit Tools Read Me to locate the tool.

Version compatibility

Custom Reason Editor runs on all Windows Server 2003 operating systems.

CustomReasonEdit.exe enables users to add, modify, and delete custom shutdown reasons for Shutdown Event Tracker.

Custom Reason Editor requires that the user have administrative credentials on the target system to function correctly. The tool has two interfaces: the command-line interface allows for basic importing and exporting functionality, and the graphical user interface allows for complete custom reason editing. Finally, a set of sample reasons is included in the package.

To find more information about Custom Reason Editor, click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection. After downloading Windows Resource Kit Tools, click Start, All Programs, Windows Resource Kit Tools, and then Windows Resource Kit Tools Read Me.

Poolmon.exe: Memory Pool Monitor

Category

Memory Pool Monitor (Poolmon.exe) is available in the Windows NT 4.0 Resource Kit and in the \Support\Tools folder of Windows 2000, and on the Windows XP and Windows Server 2003 CD-ROMs.

Version compatibility

Memory Pool Monitor runs on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003.

Poolmon.exe displays data that the operating system collects about memory allocations from the system paged and nonpaged kernel pools, and the memory pools used for Terminal Services sessions. The data is grouped by pool allocation tag. This information can be used by Microsoft Product Support Services to find kernel-mode memory leaks.

A memory leak is caused by an application or a process that allocates memory for use but does not free it up when finished. The result is that available memory is completely used over time, often causing the system to stop functioning properly.

Poolmon.exe is used to verify, or to further substantiate, memory usage information captured by the System State Data feature. In this sense, Memory Pool Monitor should be viewed as a non-interactive supplement to System State Data.

To find more information about Poolmon.exe, see MSDN and type the appropriate key words in the “Search for” text box.

Shutdown Event Tracker Registry Entries

Shutdown Event Tracker interacts with the registry in the following ways:

  • The expected shutdown dialog reads custom shutdown reasons from the registry.

  • Remote Shutdown (Shutdown.exe) reads custom shutdown reasons from the registry. It also writes bulk annotations to the registry and deletes keys from the registry.

  • Custom Reason Editor (CustReasonEdit.exe) writes custom shutdown reasons to the registry.

  • The unexpected shutdown dialog reads from the registry to determine if the previous shutdown was unexpected.

  • The Event Log service writes the Shutdown Event Tracker heartbeat to the registry and then deletes it just before a normal shutdown occurs. On restart it verifies whether the heartbeat is present and, if so, writes the DirtyShutdown key to the registry.

Note

  • Used in this context, heartbeat is a defined as a time stamp interval, written once a minute, that tells the registry, and therefore the system, that Shutdown Event Tracker is still enabled.

  • The System State Data feature reads system configuration information from the registry.

To find more information about these interactions, see How Shutdown Event Tracker Works.

The information here provided is a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

The following registry entries are associated with Shutdown Event Tracker.

BugcheckString

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\

Version

Windows Server 2003.

This key contains the bug check string information that is used to fill in the unexpected shutdown dialog box comment field (which appears at logon after an unexpected shutdown) if the previous shutdown was caused by a system failure (also know as a system crash).

DirtyShutdown

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\

Version

Windows Server 2003.

This key is set during event log startup. It indicates whether a previous shutdown was expected.

LastAliveStamp

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\

Version

Windows Server 2003.

This key is cleared during shutdown. It indicates the date and time of the previous unexpected shutdown if it is present during startup.

ReliabilityGUID

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\

Version

Windows Server 2003.

This key enables a GUID (globally unique identifier) to be written to the system state data file in order to uniquely identify the computer this file came from. It is not possible to physically identify the computer itself using this GUID, but it is possible to see how many different computers sent files and how many distinct reports were submitted by each computer. If the GUID is deleted from the registry, a new GUID is generated when a new system state data (.xml) file is created in the %windir%\system32\LogFiles\Shutdown\ directory at the time of an unplanned shutdown.

ShutdownIgnorePredefinedReasons

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\

Version

Windows Server 2003.

This key prevents the predefined or built-in shutdown reasons from being displayed. If at least one custom reason is defined in the registry and this key is set to “1,” the built-in reasons are not displayed.

TimeStampInterval

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\

Version

Windows Server 2003 and Windows 2000.

This key defines how often LastAliveStamp (or heartbeat) is written to the registry. By default it is written every minute in Windows Server 2003 and every five minutes in Windows 2000.

UserDefined

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\

Version

Windows Server 2003.

This key contains custom reasons stored as values. To add custom reasons, the user must define one key value for each reason. Each reason has a major and minor code that uniquely identifies the reason.

To find more information about Custom Reason Editor, click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection. After downloading Windows Resource Kit Tools, click Start, All Programs, Windows Resource Kit Tools, and then Windows Resource Kit Tools Read Me.

HKEY_LOCAL_MACHINE\SOFTWARE\

The following registry entries are located under HKEY_LOCAL_MACHINE\SOFTWARE\.

ShutdownReasonUI

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability\

Version

Windows Server 2003.

This key is present if the Display Shutdown Event Tracker policy setting has been enabled.

ShutdownReasonUI

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\

Version

Windows Server 2003.

Shutdown Event Tracker references the Group Policy key first (see the previous entry). If the Group Policy key is not present, then this key can be configured as “0” (off), or “1” (on). If the Group Policy key is not present and this key is invalid or missing, then Shutdown Event Tracker is off.

Shutdown Event Tracker Group Policy Settings

The following tables list and describe the Group Policy settings that are associated with Shutdown Event Tracker.

Group Policy Settings Associated with Display Shutdown Event Tracker

Group Policy Setting Description

Not Configured

No choices are given. Specifies that no change is made to the registry for this setting.

Enabled

Shutdown Event Tracker is displayed. Specifies that the registry indicate that the policy setting applies to users or computers that are subject to this Group Policy object.

Disabled

Shutdown Event Tracker should not be displayed. Specifies that the registry indicate that the policy setting does not apply to users or computers that are subject to this Group Policy object.

Note

  • The path to Display Shutdown Event Tracker is Local Computer Policy \Computer Configuration\ Administrative Templates\System.

Group Policy Settings Associated with Activate Shutdown Event Tracker System State Data Feature

Group Policy Setting Description

Not Configured

Specifies that no change is made to the registry for this policy setting.

Enabled

Specifies that the registry indicate that the policy setting applies to users or computers that are subject to this Group Policy object.

Disabled

Specifies that the registry indicate that the policy setting does not apply to users or computers that are subject to this Group Policy object.

Note

  • The path to Activate Shutdown Event Tracker System State Data feature is Local Computer Policy\Computer Configuration\Administrative Templates\System.

Group Policy Settings Associated with Enable Persistent Time Stamp

Group Policy Setting Description

Not Configured

Specifies that no change is made to the registry for this policy setting.

Enabled

Specifies that the registry indicate that the policy setting applies to users or computers that are subject to this Group Policy object.

The policy setting enables the user to customize how often the Persistent System Time Stamp is written to disk. The range is from 1 through 86400 seconds (1 day).

Disabled

Specifies that the registry indicate that the policy setting does not apply to users or computers that are subject to this Group Policy object.

Note

  • The path to Enable Persistent Time Stamp is Local Computer Policy\Computer Configuration\Administrative Templates\System.

Group Policy Settings Associated with Report Unplanned Shutdown Events

Group Policy Setting Description

Not Configured

Specifies that no change is made to the registry for this policy setting.

Enabled

Specifies that the registry indicate that the policy setting applies to users or computers that are subject to this Group Policy object.

When this policy setting is enabled, error reporting will include unplanned shutdown events.

Disabled

Specifies that the registry indicate that the policy setting does not apply to users or computers that are subject to this Group Policy object.

When this policy setting is disabled, unplanned shutdown events will not be included in error reporting.

Note

  • The path to Report unplanned shutdown events is Local Computer Policy \Computer Configuration\Administrative Templates\System\Error Reporting\Advanced Error Reporting settings.

To find more information about these Group Policy settings, click Group Policy Settings Reference for Windows Server 2003 in Tools and Settings Collection.

Network Ports Used by Shutdown Event Tracker

The following table lists the port assignments for transmitting data collected by Shutdown Event Tracker.

Port Assignments for Shutdown Event Tracker

Service Name User Datagram Protocol (UDP) Transmission Control Protocol (TCP)

Windows Error Reporting (WER)

Not applicable

443

Remote Procedure Call (RPC)

Not applicable

445 and 139

Windows Error Reporting (WER) is a set of technologies built into Windows Server 2003 that captures failure (also known as crash) data, enables end users to report failure information, and enables software and hardware vendors to analyze and respond to these problems.

When the Report unplanned shutdown events policy setting is enabled, error reporting will include unplanned shutdown events. When this policy setting is disabled, unplanned shutdown events will not be included in error reporting.

If this policy setting is not configured, the user is able to control unplanned shutdown reporting using Control Panel, which is set to upload unplanned shutdown events by default.

The System State Data feature uses Windows Error Reporting to transmit shutdown data to Microsoft or other designated recipient.

Note

  • Data will not be submitted to the designated recipient unless users click Send Report when presented with the Windows Error Reporting dialog box.

The following resources contain additional information that is relevant to this section.

  • To find more information about Custom Reason Editor, click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection. After downloading Windows Resource Kit Tools, click Start, All Programs, Windows Resource Kit Tools, and then Windows Resource Kit Tools Read Me.

  • To find more information about System State Formatter (SSDFormat), click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection.

  • To find more information about Windows Error Reporting (WER), click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection.

  • To find more information about Poolmon.exe, click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection.

  • To find more information about InitiateSystemShutdown, InitiateSystemShutdownEx, and ExitWindowsEx (the shutdown APIs), see MSDN and type the appropriate key words in the “Search for” text box.

  • To find more information about the Group Policy settings listed in this section, click Group Policy Settings Reference for Windows Server 2003 in Tools and Settings Collection.

  • To find more information about Shutdown Event Tracker command-line parameters, see Command Line References in Tools and Settings Collection.