Shutdown Event Tracker in Windows Server 2008 Service Pack 2 and R2 editions
When it first appeared with Windows Server 2003 it resulted so annoying to me but quickly became one of my favorite features, it is a must. Shutdown Event Tracker is a Microsoft Windows Server 2003 and Microsoft Windows XP feature that you can use to consistently track the reason for system shutdowns. You can then use this information to analyze shutdowns and to develop a more comprehensive understanding of your system environment.
In Windows Server 2008 this feature is not enabled by default, so every server restart (shutdown keeps showing a warning) goes straight forward without giving you the chance of cancelling it or indicate any feasible reason for it. In med-size environments, IT staff tends to be considerably big and more than one deals with the same server for different reasons. Sometimes, people is not enough qualified or have not enough experience to deal with these environments and human errors arise.
One of the most common ones are the unexpected servers restarts. It is so common to see a system administrator restarting a production server without notifying it to the NOC (Network Operations Center) to avoid the corresponding hundreds of calls trying to realize what is going on.
In Windows Server 2008 Service Pack 1 and 2, shutdown button appears directly on the start menu followed by a big “more options” button (see below).
In Windows Server 2008 R2 Service Pack 1, this has been slightly modified to avoid what we have discussed previously (see below). The shutdown button has been removed and the “more options” one reduced in size, to probably avoid accidental actions.
Independently of which edition of Windows Server 2008 you have, if you want to have this extra information popping up on every shutdown or restart; being able to use it as “are you sure? Think it twice” screen, you should modify the Local Policy (or preferably use GPOs when available) as per Microsoft indications in Configure Shutdown Event Tracker on the Local Computer.
Unfortunately, the administrative template doesn’t work as expected, it correctly disables the Shutdown Event Tracker (removes the registry keys when existing) but doesn’t create them back when you want to show it.
So, the best option to display the Shutdown Event Tracker is creating the appropriate registry keys manually, without relaying on the policy administrative templates. To create them follow the instructions below:
-
Start Registry Editor.
-
Locate and then click the following registry key:_
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability
_ -
On the Edit menu, click New, and then click DWORD Value.
-
Type the name of the registry key as ShutdownReasonOn and set a value of 1 (enable)
-
On the Edit menu, click New, and then click DWORD Value.
Type the name of the registry key as ShutdownReasonUI and set a value of 1 (enable) -
Close the Registry Editor.
It should look like this:
After creation you should be able to see the Shutdown Event Tracker popping up on every shutdown and restart of your Windows Server 2008 box.
You can get more information in Microsoft TechNet’s Shutdown Event Tracker page.