Kaseya Community

Monitor unexpected shutdowns

This question is not answered

Hi there,

I am looking to set up some monitoring on devices for our company estate running Windows XP Professional SP3 to be able to report on occurrences of unexpected shutdowns, for example, when a user holds down the power button to turn off the device rather than performing a software shutdown.

The problem I have is that when this action is performed, the expected event log entry, 6008, is not recorded. The system shows the other event logs round about this stage, such as 6005 and 6009 when it starts up again, but there is no 'flag' to say the shutdown was unexpected.

Can anyone suggest any alternative methods of monitoring this kind of scenario using Kaseya?

Many thanks,

All Replies
  • What you want is to be able to alert on a scenario... when event 6009 (Microsoft (R) Windows (R) processor free) + 6005 (event log start) occurs and event log 6006 cannot be found prior.

    (Event 6006 is logged when the event log service is shut down properly before system shutdown.)

    I'm not sure if this can be set up though. I guess you would have to build your own procedure to accomplish something like that.

    I've never heard of event id 6008 NOT logging when an unexpected shutdown occurs though.

    We monitor event 6008 in computers for unexpected reboots.

  • Hi Jon and Andrew

    I use the ability to monitor and report on "Unexpected Shutdown" as a great selling point for using Kaseya. It has seldom failed. However, I had a customer with this logging feature disabled. Read more here: http://support.microsoft.com/kb/555541

    To audit the actual registry settings start with collecting the current settings. In Audit, add a Custom Field called "ShutdownReasonUI" and audit the machines by Agent Procedure. Use the script below.

    <ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting">
      <Procedure name="Custom Field - Audit - Shutdown Event Tracker" treePres="3" id="1355902746" folderId="655911543572286" treeFullPath="myProcedures - ronny.Reitan Convenience.Generic Procedures">
        <Body description="">
          <Statement name="GetVariable" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="RegistryValue"/>
            <Parameter xsi:type="StringParameter" name="SourceContent" value="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Reliability\ShutdownReasonUI"/>
            <Parameter xsi:type="StringParameter" name="VariableName" value="ShutdownReasonUI"/>
          </Statement>
          <Statement name="WriteScriptLogEntry" continueOnFail="true" osType="NT4|2000|XP|2003|Vista|2008">
            <Parameter xsi:type="StringParameter" name="Comment" value="#ShutdownReasonUI#"/>
          </Statement>
          <Statement name="UpdateSystemInfo" continueOnFail="true" osType="NT4|2000|XP|2003|Vista|2008">
            <Parameter xsi:type="StringParameter" name="ColumnName" value="ShutdownReasonUI"/>
            <Parameter xsi:type="StringParameter" name="Value" value="#ShutdownReasonUI#"/>
          </Statement>
        </Body>
      </Procedure>
    </ScriptExport>

    [edited by: Ronny Tunfjord at 8:25 AM (GMT -7) on Apr 2, 2013] spelling
  • Hi Ronny,

    Thanks for your reply. I had a look and tested this registry key change but even with a value of 1 in ShutdownReasonUI the error code 6008 is not written to the Windows event log upon experiencing an unexpected shutdown. Still a mystery I'm afraid!

    Looks like my best bet currently will be to go down the route suggested by Jon and monitor for occurrences of 6005 and 6009 which are not preceded by 6006.
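
Added example (not part of any post in this thread, and not Kaseya's own code): the correlation discussed above, flagging a boot (6005/6009) that has no 6006 since the previous boot, run over a System log export. The `time,event_id` CSV layout, the sample rows and the 60-second grouping window are assumptions made for the illustration.

```python
import csv
import io
from datetime import datetime, timedelta

BOOT_IDS = {6005, 6009}   # 6005: event log service started; 6009: OS banner at boot
CLEAN_STOP_ID = 6006      # event log service stopped during an orderly shutdown
# Assumption: the 6005 and 6009 entries of one boot are written within a minute.
SAME_BOOT_WINDOW = timedelta(seconds=60)

# Constructed sample export (time,event_id); not taken from a real machine.
SAMPLE_EXPORT = """time,event_id
2013-04-01 08:00:10,6009
2013-04-01 08:00:10,6005
2013-04-01 17:30:00,6006
2013-04-02 08:01:00,6009
2013-04-02 08:01:01,6005
2013-04-02 11:15:42,6009
2013-04-02 11:15:43,6005
2013-04-02 17:29:00,6006
2013-04-03 08:02:00,6005
"""


def parse_events(text):
    """Return (timestamp, event_id) tuples in chronological order."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["time"].strip(), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(row["event_id"])))
    return sorted(events)


def find_unclean_boots(events):
    """Return (previous_boot, boot) pairs with no 6006 logged in between."""
    findings = []
    last_boot = None
    clean_stop_seen = False
    for ts, event_id in events:
        if event_id == CLEAN_STOP_ID:
            clean_stop_seen = True
        elif event_id in BOOT_IDS:
            same_boot = (last_boot is not None and not clean_stop_seen
                         and ts - last_boot <= SAME_BOOT_WINDOW)
            if same_boot:
                continue  # second marker (6005/6009) of a boot already counted
            # The first boot in the export is skipped: what preceded it is unknown.
            if last_boot is not None and not clean_stop_seen:
                findings.append((last_boot, ts))
            last_boot, clean_stop_seen = ts, False
    return findings
```

Because the check depends only on 6005, 6006 and 6009, it still works on machines where 6008 is never written.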

  • Hi Andrew and Ronny,

    Andrew, did you locate this key in the registry? ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\ShutdownReasonUI")

    It does not seem to be a default registered key so you might have to create it yourself. (At least I have not located it on the Windows machines I checked in regedit so far.)

    What Ronny suggested seems like a good way to go. Although I cannot find the registry key you mentioned in your script, Ronny ("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Reliability\ShutdownReasonUI"). Is it OS specific?

    On Windows 7, 2008 R2 and Windows 8 I can't seem to find it.

    Did find another key though, that seems to be used to log last shutdown reason.

    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\shutdown\ReasonCode"

    There seems to be a vast number of reason codes to pick from. You can find the listings here: msdn.microsoft.com/.../aa376885(VS.85).aspx

  • Hi Jon,

    I found the reg key Ronny was referring to, however this turns on the extra options when you initiate a shutdown to give a reason and comments etc, but has not made Windows start writing error code 6008.

    Strangely enough, I am unable to find the reg key you have mentioned on our machines; they do not have the Reliability\shutdown sub-folder.

    Regards,