Every time you shut down a modern-day Windows Server computer, it asks you for a reason for the shutdown or reboot. Some of us do not like it and disable the Shutdown Event Tracker, and others diligently select or enter a reason. But how do you look at this data at a later point in time? Here is a simple PowerShell script that enumerates these reasons for you.
Shutdown Event Tracker is a feature that has been in the Windows Server OS since about Windows Server 2003. It is meant to audit how, why and when the server was shut down and to keep track of it. When you are trying to find out why a server was not responding to requests, you may also want to examine these entries to determine whether the server had actually shut down or was in the process of rebooting during that downtime. But where do you find this data logged and how do you look at it?
Shutdown Event Tracker logs its data into the… Windows Event Log. It is logged under the “System” log with an event source of “User32”. All event tracker entries are also flagged as “Warnings” so that they are above the threshold of a regular “Information” event and have a greater chance of beating the logging settings and getting written out. However, a typical organizational server is configured to always preserve its logs and there would be thousands of event log entries. While you can sort and filter all you like in the Event Viewer console, it still means clicking on each individual entry and reading the text. All in all, a very time-consuming proposition.
Here is a quick and dirty PowerShell scriptlet that you can save into a file and run any time you want. It gives you a quick summary of the reasons selected or entered, along with the timestamp of each occurrence. Do note that this particular script has one issue: it shows you the timestamp of when the reason was entered (Windows only prompts you for a reason the next time you LOG ON after a reboot), which on a well-oiled server that is rarely logged on to… can be days or weeks after the actual shutdown or reboot incident.
# Shutdown Event Tracker entries: System log, source User32, entry type Warning
$Events = Get-EventLog -LogName System -Source "User32" -EntryType Warning
Write-Host "============================================================="
Write-Host " Recent Shutdown Events for this Computer "
Write-Host "============================================================="
Write-Host " Date-Time of Reason `t`t Reason "
Write-Host "============================================================="
# $event is an automatic variable in PowerShell, so use a different loop variable
foreach ($entry in $Events) {
    $Reason = $entry.Message
    # The reason text sits between "is:" and the end of that line
    $reasonIndex = $Reason.IndexOf("is:")
    if ($reasonIndex -ge 0) {
        $startIndex = $reasonIndex + 3
        $endIndex = $Reason.IndexOf("`r`n", $startIndex)
        if ($endIndex -lt 0) { $endIndex = $Reason.Length }
        $Reason = $Reason.Substring($startIndex, $endIndex - $startIndex).Trim()
    }
    Write-Host " $($entry.TimeWritten) `t`t $Reason"
}
Write-Host "============================================================="
Write-Host "Done."
Save it into a file (say “Get-ShutdownReasons.ps1”) on all your servers and run it whenever you want to see the results.
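The timestamp issue noted above can be narrowed by pairing each reason entry with the last boot recorded before it, since the shutdown happened shortly before that boot. This is an added example, not part of the original script; it assumes event ID 6005 from the "EventLog" source marks a boot, and the function names and sample records are made up for illustration.

```powershell
# Added example, not the original author's script.
# Assumption: event ID 6005 from source "EventLog" ("The Event log service
# was started") is used as the boot marker.

function Get-ReasonText {
    param([string]$Message)
    # The reason sits between "is:" and the end of that line.
    $start = $Message.IndexOf('is:')
    if ($start -lt 0) { return $Message.Trim() }   # unexpected layout: keep whole text
    $start += 3
    $end = $Message.IndexOfAny("`r`n".ToCharArray(), $start)
    if ($end -lt 0) { $end = $Message.Length }      # reason is the last line
    return $Message.Substring($start, $end - $start).Trim()
}

function Join-ShutdownReason {
    param([object[]]$ReasonEvents, [object[]]$BootEvents)
    $boots = @($BootEvents | Sort-Object TimeWritten -Descending)
    foreach ($r in $ReasonEvents) {
        # Newest boot marker written before the reason was entered
        $boot = $boots | Where-Object { $_.TimeWritten -le $r.TimeWritten } |
            Select-Object -First 1
        $bootTime = if ($boot) { $boot.TimeWritten } else { $null }
        [pscustomobject]@{
            ReasonEntered = $r.TimeWritten
            BootBefore    = $bootTime
            Reason        = Get-ReasonText $r.Message
        }
    }
}

# Constructed sample records (not real log data) so the logic runs offline
$sampleReasons = @(
    [pscustomobject]@{
        TimeWritten = [datetime]'2024-03-18T09:12:00'
        Message     = "The reason supplied by user EXAMPLE\admin for the last " +
                      "unexpected shutdown of this computer is: Other (Unplanned)`r`n" +
                      " Reason Code: 0xa000000"
    }
)
$sampleBoots = @(
    [pscustomobject]@{ TimeWritten = [datetime]'2024-03-02T03:41:00' },
    [pscustomobject]@{ TimeWritten = [datetime]'2024-03-11T22:05:00' }
)
Join-ShutdownReason $sampleReasons $sampleBoots | Format-Table -AutoSize

# On a server, feed it the live log instead:
# $reasons = Get-EventLog -LogName System -Source User32 -EntryType Warning
# $boots   = Get-EventLog -LogName System -Source EventLog | Where-Object { $_.EventID -eq 6005 }
# Join-ShutdownReason $reasons $boots
```

Because the functions return objects rather than calling Write-Host, the result can be piped to Export-Csv or filtered with Where-Object.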