
Shutdown with minor causes 0x84010001 and 0x80070020

Posted by mdgrkb on November 30, 2006, 2:25 pm
Hello,

I'm investigating a server that recently shut down and it is unclear what or
who shut it down. I have the following events:

Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 29-11-2006
Time: 18:19:33
User: S-1-5-21-2718388043-1283238250-2015309376-500
Computer: MYSERVER
Description:
The process Explorer.EXE has initiated the restart of MYSERVER for the
following reason: Hardware: Maintenance (Planned)
Minor Reason: 0x84010001
Shutdown Type: shutdown
Comment:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 01 00 01 84 ...„


Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Date: 29-11-2006
Time: 18:24:20
User: NT AUTHORITY\SYSTEM
Computer: MYSERVER
Description:
The process svchost.exe has initiated the restart of MYSERVER for the
following reason: No title for this reason could be found
Minor Reason: 0x80070020
Shutdown Type: power off
Comment:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 20 00 07 80 ..€

What puzzles me is that these events don't mention "on behalf of" what user
the shutdown was triggered. Does anyone know how to dig further into the
cause of this?

Thank you very much



Posted by acchong on November 30, 2006, 4:01 pm
You need to have Audit Privilege Use turned on to trace who shut down the
server.
If you have Audit Privilege Use turned on, check the security log for use of
the SeShutdownPrivilege privilege to identify who shut down the server.

> Hello,
>
> I'm investigating a server that recently shut down and it is unclear what or
> who shut it down. I have the following events:
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date: 29-11-2006
> Time: 18:19:33
> User: S-1-5-21-2718388043-1283238250-2015309376-500
> Computer: MYSERVER
> Description:
> The process Explorer.EXE has initiated the restart of MYSERVER for the
> following reason: Hardware: Maintenance (Planned)
> Minor Reason: 0x84010001
> Shutdown Type: shutdown
> Comment:
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 01 00 01 84 ...„
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date: 29-11-2006
> Time: 18:24:20
> User: NT AUTHORITY\SYSTEM
> Computer: MYSERVER
> Description:
> The process svchost.exe has initiated the restart of MYSERVER for the
> following reason: No title for this reason could be found
> Minor Reason: 0x80070020
> Shutdown Type: power off
> Comment:
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 20 00 07 80 ..€
>
> What puzzles me is that these events don't mention "on behalf of" what user
> the shutdown was triggered. Does anyone know how to dig further into the
> cause of this?
>
> Thank you very much


Posted by Roger Abell [MVP] on December 3, 2006, 10:51 am
I agree. It looks like someone manually initiated the shutdown.

You need to have Audit Privilege Use turned on to trace who shut down the
server.
If you have Audit Privilege Use turned on, check the security log for use of
the SeShutdownPrivilege privilege to identify who shut down the server.

> Hello,
>
> I'm investigating a server that recently shut down and it is unclear what
> or
> who shut it down. I have the following events:
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date: 29-11-2006
> Time: 18:19:33
> User: S-1-5-21-2718388043-1283238250-2015309376-500
> Computer: MYSERVER
> Description:
> The process Explorer.EXE has initiated the restart of MYSERVER for the
> following reason: Hardware: Maintenance (Planned)
> Minor Reason: 0x84010001
> Shutdown Type: shutdown
> Comment:
>
> For more information, see Help and Support Center
> at http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 01 00 01 84 ..."
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date: 29-11-2006
> Time: 18:24:20
> User: NT AUTHORITY\SYSTEM
> Computer: MYSERVER
> Description:
> The process svchost.exe has initiated the restart of MYSERVER for the
> following reason: No title for this reason could be found
> Minor Reason: 0x80070020
> Shutdown Type: power off
> Comment:
>
> For more information, see Help and Support Center
> at http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 20 00 07 80 ..?
>
> What puzzles me is that these events don't mention "on behalf of" what
> user
> the shutdown was triggered. Does anyone know how to dig further into the
> cause of this?
>
> Thank you very much
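
An added example, not part of the original thread: the "Minor Reason" value in event 1074 is the full 32-bit shutdown reason code, and the Data dump is the same DWORD in little-endian order, so both events can be decoded with the `SHTDN_REASON_*` constants from the Windows SDK header `reason.h`. The function names `decode_reason` and `parse_1074` are made up for this sketch, and the constant tables are a subset.

```python
import re
import struct

# SHTDN_REASON_* values as defined in the Windows SDK header reason.h (subset).
FLAGS = {0x80000000: "PLANNED", 0x40000000: "USER_DEFINED", 0x08000000: "DIRTY_UI",
         0x04000000: "CLEAN_UI", 0x02000000: "DIRTY_PROBLEM_ID_REQUIRED",
         0x01000000: "COMMENT_REQUIRED"}
MAJOR = {0: "OTHER", 1: "HARDWARE", 2: "OPERATINGSYSTEM", 3: "SOFTWARE",
         4: "APPLICATION", 5: "SYSTEM", 6: "POWER", 7: "LEGACY_API"}
MINOR = {0x00: "OTHER", 0x01: "MAINTENANCE", 0x02: "INSTALLATION", 0x03: "UPGRADE",
         0x04: "RECONFIG", 0x05: "HUNG", 0x06: "UNSTABLE", 0x20: "TERMSRV"}

# The two USER32 1074 events from the post, trimmed to the fields parsed below.
EVENT_1 = """User: S-1-5-21-2718388043-1283238250-2015309376-500
The process Explorer.EXE has initiated the restart of MYSERVER for the
following reason: Hardware: Maintenance (Planned)
Minor Reason: 0x84010001
Data:
0000: 01 00 01 84
"""
EVENT_2 = """User: NT AUTHORITY\\SYSTEM
The process svchost.exe has initiated the restart of MYSERVER for the
following reason: No title for this reason could be found
Minor Reason: 0x80070020
Data:
0000: 20 00 07 80
"""

def decode_reason(code):
    """Split a 32-bit shutdown reason into flag bits, major byte and minor word."""
    major, minor = (code >> 16) & 0xFF, code & 0xFFFF
    return {"flags": [n for bit, n in FLAGS.items() if code & bit],
            "major": MAJOR.get(major, hex(major)),
            "minor": MINOR.get(minor, hex(minor))}

def parse_1074(text):
    """Pull initiating process, account and reason out of an event 1074 text export."""
    user = re.search(r"^User:\s*(.+)$", text, re.M).group(1).strip()
    code = int(re.search(r"Minor Reason:\s*(0x[0-9A-Fa-f]+)", text).group(1), 16)
    raw = bytes.fromhex(re.search(r"^0000:((?: [0-9A-Fa-f]{2}){4})", text, re.M).group(1))
    return {"process": re.search(r"The process (\S+) has", text).group(1),
            "user": user,
            # RID 500 under a domain or machine SID is the built-in Administrator.
            "builtin_admin": bool(re.fullmatch(r"S-1-5-21(-\d+){3}-500", user)),
            # The Data dump should be the same DWORD stored little-endian.
            "data_matches": struct.unpack("<I", raw)[0] == code,
            **decode_reason(code)}

if __name__ == "__main__":
    print(parse_1074(EVENT_1), parse_1074(EVENT_2), sep="\n")
```

The first event decodes to a planned Hardware/Maintenance reason entered through the shutdown dialog (`CLEAN_UI`) by the RID-500 Administrator account; the second decodes to a planned `LEGACY_API`/`TERMSRV` reason raised by svchost.exe as SYSTEM.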


