What Is Shutdown Event Tracker?

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

What Is Shutdown Event Tracker?

In this section

  • Common Scenarios for Shutdown Event Tracker

  • Shutdown Event Tracker Dependencies on or Interactions with Other Technologies

  • Shutdown Event Tracker Logical Diagrams

  • How Shutdown Event Tracker Differs from Similar Technologies

  • How Shutdown Event Tracker Works

Shutdown Event Tracker is a feature of the Microsoft Windows Server 2003 operating systems that provides a way for IT professionals to consistently track why users restart or shut down their computers. Shutdown Event Tracker captures the reasons users give for restarts and shutdowns to help create a comprehensive picture of an organization’s system environment. It does not document why users choose other options, such as Log off and Hibernate.

In a more active sense, Shutdown Event Tracker also provides IT professionals with a specific tool, Remote Shutdown (Shutdown.exe), for restarting or shutting down both local and remote computers, while at the same time supplying reasons for doing so. In addition, users can employ Remote Shutdown to hibernate a local computer and cancel delayed shutdowns.

Shutdown Event Tracker is enabled by default and is a routine part of the computer shutdown process.

In first considering Shutdown Event Tracker, it is important to understand the difference between expected and unexpected restarts and shutdowns.

Expected restarts and shutdowns

Expected restarts and shutdowns can be either planned or unplanned.

A planned shutdown is one in which both the user and the computer fully anticipate the shutdown. For example, as a matter of either policy or habit, a user might shut down his or her computer at the end of each day. When a user has control over the timing of a restart or shutdown, the task is planned.

An unplanned shutdown is one in which the user does not anticipate the shutdown, but has time to perform the shutdown in a normal manner. For example, if an application becomes unresponsive, the user might be forced to restart or shut down the computer. When a user does not have control over the exact timing of a restart or shutdown, the task is unplanned.

Note

  • For the purpose of this topic, shutting down the system in a “normal manner” is defined as the user clicking Start and then Shutdown, or pressing CTRL+ALT+DELETE and then clicking Shutdown, or utilizing Shutdown.exe, a tool specific to Shutdown Event Tracker. These methods call the InitiateSystemShutdownEx application programming interface (API), which in turn spawns a number of related events. To find more information about these events, see “How Shutdown Event Tracker Works" in “How Shutdown Event Tracker Works.”
Unexpected restarts and shutdowns

Unexpected shutdowns are shutdowns that the computer does not anticipate, and that the user may or may not anticipate. For example, the computer abruptly loses power and immediately shuts down. In this instance, neither the computer nor the user could have anticipated the shutdown. However, in another example, the user shuts down the computer by holding down the power button. In this instance, the user did, in fact, anticipate the shutdown but the computer, as in the first example, did not. It is important to understand that in both instances shutdown did not occur in a normal manner and that therefore the two shutdowns must be classified as “unexpected.”

Common Scenarios for Shutdown Event Tracker

Shutdown Event Tracker is commonly used in the following scenarios:

Expected restarts and shutdowns

In this scenario, the user has complete control over the restart or shutdown process, and when the user performs the shutdown in a normal manner, the operating system has time to complete its usual shutdown routine. Moreover, because there is time, the user can provide a reason for the restart or shutdown in the dialog box presented to the user prior to shutdown.

In addition, it is important to understand that both planned and unplanned shutdowns form separate parts of the overall expected restarts and shutdowns scenario. They are described as follows:

Planned restarts and shutdowns

In this scenario, both the user and the computer fully anticipate the restart or shutdown: the user because he or she deliberately initiates the process, and the computer because the process is initiated in a normal manner, either by the user clicking Start and then Shutdown, or by pressing CTRL+ALT+DELETE and then clicking Shutdown,or by utilizing Shutdown.exe. When a restart or shutdown is planned, and shutdown occurs in a normal manner, the user is given the opportunity to provide a reason for the event at the time the event occurs.

Unplanned restarts and shutdowns

In this scenario, the user deliberately shuts down the computer, but in response to an unexpected event, such as an application failing to respond. The shutdown is therefore unplanned. If the user shuts down the computer in a normal manner, the operating system has time to execute the shutdown in a normal manner as well, and the user is given the opportunity to provide a reason for an “unplanned” shutdown. Conversely, if in response to the same unexpected event the user does not shut down the computer in a normal manner (for example, if the user unplugs the computer), the shutdown is no longer viewed as expected but unplanned, but as simply “unexpected.”

Unexpected restarts and shutdowns

In this scenario, the user has no control over the restart or shutdown process, and the computer does not have time to complete its usual shutdown routine. For example, in the event of a power loss, the computer will immediately shut down unless there is an uninterruptible power supply (UPS) or other fault-tolerant strategy in place. As a result, the user will not be given the opportunity to provide a reason for the shutdown at the time the shutdown occurs. However, the Shutdown Event Tracker (unexpected shutdown) dialog box appears to the first person with the Shutdown the system user right or with administrative credentials who logs on to the computer after the event, and the user can, at that time, provide a reason for the shutdown.

Note

  • It is important to realize that a person with administrative credentials automatically has the Shutdown the system user right, but that it is possible for another person to have only this one right and not have administrative credentials.

Other reasons for unexpected shutdowns include (but are not limited to):

  • A hardware failure

  • A system error (also referred to as a bugcheck, system crash, fatal system error, or stop error)

  • The user holding down the computer’s power button for five seconds or longer

  • The user pressing CTRL+ALT+DELETE and then holding down the CTRL key while clicking Shutdown

Local restarts and shutdowns

In this scenario, Remote Shutdown (Shutdown.exe) enables users to restart or shut down a local computer by either of two means: 1) the graphical user interface (GUI), invoked by typing Shutdown /i at the command prompt, or 2) the same Shutdown command used in combination with various other command-line parameters (for example, Shutdown /s, which causes the computer to shut down after a short interval).

Remote restarts and shutdowns

In this scenario, Remote Shutdown (Shutdown.exe) enables users to restart or shut down one or more remote computers by either of two means: 1) the graphical user interface (GUI), invoked by typing Shutdown /i at the command prompt, or 2) the same Shutdown command used in combination with various other command-line parameters (for example, Shutdown -m [\\ComputerName], which specifies the computer that the user wants to shut down).

Note

  • Although Remote Shutdown can be used to restart or shut down both local and remote computers, its primary purpose is to control the shutdown behavior of remote computers.

In addition, IT professionals can use this tool to perform remote bulk annotations of unexpected shutdowns, an alternative to the time-consuming task of logging on to each computer to record a reason for an unexpected shutdown. For example, a thousand computers in a datacenter all shut down at the same time because there is a catastrophic loss of power to the entire facility. In this circumstance, a user with administrative credentials can later record the same shutdown reason (power loss) in a single place (Remote Shutdown) for all one thousand computers, and is not required to log on to each computer to perform the same function over and over again.

To find more information about Shutdown Event Tracker command-line parameters, see Command Line References in Tools and Settings Collection.

Shutdown Event Tracker Dependencies on or Interactions with Other Technologies

Shutdown Event Tracker depends on, or interacts with, the following technologies:

  • Windows Base Services

  • Event log

  • Registry

  • Group Policy

  • Custom Reason Editor

  • System State Data feature

  • System State Data Formatter (SSDFormat)

  • Windows Error Reporting (WER)

  • Poolmon

To find more information about this topic, see “How Shutdown Event Tracker Works" in “How Shutdown Event Tracker Works.”

Shutdown Event Tracker Logical Diagrams

The following figures show the logical interactions between Shutdown Event Tracker components and between Shutdown Event Tracker and other Windows components.

Shutdown Event Tracker Logical Diagram — Expected Shutdown

Shutdown Event Tracker - Expected Shutdown

Shutdown Event Tracker Logical Diagram — Computer Startup After Expected or Unexpected Shutdown

Computer Startup After Shutdown

Shutdown Event Tracker Logical Diagram — User Logon After Expected or Unexpected Shutdown

User Logon After Shutdown

To find more information about the terms used in these diagrams (for example, Savedump.exe and Event ID 6008), click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection. See also MSDN and type the appropriate key words in the “Search for” text box.

How Shutdown Event Tracker Differs from Similar Technologies

Other technologies, procedures, and actions in addition to Shutdown Event Tracker can be used to shut down Windows Server 2003. These include:

  • Tssshutdn.exe

  • Emergency Management Services (EMS)

  • Windows Management Instrumentation (WMI)

  • Computer Management MMC (Microsoft Management Console)

  • Earlier versions of Shutdown.exe

  • Pressing CTRL+ALT+DELETE, and then holding down the CTRL key while clicking Shutdown

Note

  • This action may cause permanent data loss and should therefore be used with caution.

However, unlike Shutdown Event Tracker, none of these technologies enable the user to provide a reason for the shutdown.

The following resources contain additional information that is relevant to this section.

  • To find more information about Custom Reason Editor, click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection. After downloading Windows Resource Kit Tools, click Start, All Programs, Windows Resource Kit Tools, and then Windows Resource Kit Tools Read Me.

  • To find more information about System State Formatter (SSDFormat), click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection.

  • To find more information about Windows Error Reporting (WER), click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection.

  • To find more information about Poolmon.exe, click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection.

  • To find more information about InitiateSystemShutdown, InitiateSystemShutdownEx, and ExitWindowsEx (the shutdown APIs), see MSDN and type the appropriate key words in the “Search for” text box.

  • To find more information about the terms used in the logical diagrams (for example, Savedump.exe and Event ID 6008), click Windows Server 2003 Resource Kit Tools Help in Tools and Settings Collection.

  • To find more information about Shutdown Event Tracker command-line parameters, see Command Line References in Tools and Settings Collection.