Introduction
“The Shutdown Event Tracker is a Microsoft Windows Server 2003 and Microsoft Windows XP feature that you can use to consistently track the reason for system shutdowns. You can then use this information to analyze shutdowns and to develop a more comprehensive understanding of your system environment.” microsoft.com
The idea behind the shutdown event tracker is that a server isn’t meant to be restarted or shutdown regularly. Therefore, when it is, Administrators should keep a log of exactly why the machine was powered down. Essentially, this can be a good thing since it allows you to store a database of shutdown events for future reference.
For some people, especially those that use Windows 2003 as a client operating system or in a test environment – where restarting or shutting down a machine can be a common procedure – it might get to be quite annoying.
Note:
This feature does come with Windows XP Professional as well, but is disabled by default.
When you click on Shut Down… from the Start menu, the Shutdown Event Tracker pops up asking whether you want to Log Off, Restart or Shut down the computer.
Note:
When logging off, the Shutdown Event Tracker is grayed out.
If you decide to Shut down or Restart the machine, you will be given seven Shutdown Event Tracker options to choose from. These will allow you to best describe why the computer is to be shutdown or restarted. You can also add a comment in the Comment box which is very useful for helping you to determine the reason for the shutdown. The following are the seven event tracker options available, and an example of what might normally be written in the Comment box.
Other (Planned) – A shutdown or restart for an unknown reason.
This is usually chosen when the other options do not describe why a shutdown or restart of the machine is taking place.
Comment: Shut down virtual test machine. Time to go home!
Hardware: Maintenance (Planned) – A restart or shutdown to service hardware on the system.
Choose this option when you want to carry out planned maintenance on the machine’s hardware.
Comment: Change Serial ATA cable.
Hardware: Installation (Planned) – A restart or shutdown to begin or complete hardware installation.
Choose this option when you plan to upgrade or install additional hardware on the machine.
Comment: Install a new 200GB hard drive.
Operating System: Reconfiguration (Planned) – A restart or shutdown to change the operating system configuration.
This option is for when you have made operating system changes that require a restart or shutdown of the machine. When you rename a computer or install an additional component, for example.
Comment: Installation of DNS Server Service.
Application: Maintenance (Planned) – A restart or shutdown to perform planned maintenance on an application.
This option would be chosen when a planned upgrade or re-configuration of an application took place.
Comment: Upgraded to ISA 2004 Service Pack 1. Restart required.
Application: Installation (Planned) – A restart or shutdown to perform application installation.
Choose this option when a planned installation of a new application has taken place.
Comment: Installed SQL Server 2000. Restart required.
Security issue – The computer needs to be shut down due to a security issue.
This option would be chosen when the machine needs to be restarted or shut down for security reasons.
Comment: DOS Attack.
Viewing Shutdown Event Tracker events
To view previous Shutdown Event Tracker event logs, go to the Event Viewer (Start > Programs > Administrative Tools > Event Viewer or Control Panel – Administrative Tools – Event Viewer) and under the System Log, search for Information Events with ID 1074 or 1076. Double click the event to bring up the Event Properties page.
Note:
1074 Events are logged when you manually shutdown the machine using the Event Tracker. 1076 Events are logged when the machine shuts down unexpectedly and the Event Tracker pops up when the Administrator (or first user with shutdown rights) logs on to the machine.
As you can see in the image above, the Description indicates the reason for the shutdown, the time, the user that initiated the shutdown, as well as the comment that was typed in the Comment box.
Disable the Shutdown Event Tracker
If the event tracker is of no use to you then you can disable it. To do this, open the Group Policy Object Editor Console. Go to Start > Run…, type gpedit.msc and press OK.
Navigate to Computer Configuration > Administrative Templates > System and in the right hand pane, select the “Display Shutdown Event Tracker” setting.
Double Click this setting to open the Properties page. You are now given the option to leave it in a default state of Not Configured, set it to Always Enabled, Enabled for Servers/Workstations (Windows XP Pro) or Disabled completely (as the image below demonstrates).
Note:
When you enable the Group Policy for Server only, the Shutdown Event Tracker appears when you shut down a computer running Windows 2003, whereas for Workstation only, the Shutdown Event Tracker appears when a computer running Windows XP Professional is shut down.
After you make the change to the Group Policy, open the Command Prompt and run the gpupdate /force command to refresh the policy and have your settings be applied straight away. Alternatively you can just restart the machine.
When you next attempt to shutdown or restart the machine, the Shutdown event tracker will no longer be visible and the normal shutdown prompt will appear (as seen in the image below).
Summary
In this article I showed you how to disable the shutdown Event Tracker and view Shutdown Event Tracker events. Although some people think of the Shutdown Event Tracker as a handy little feature, it is thought of as an irrelevant additional step to powering down a machine by others.
