Kaseya Community

I Need Improper shutdown system Event id in windows xp Operating system Details

  • Hi,

    Could anyone help me regarding improper shutdown system event id in windows xp operating system.


    Thanks & Regards,
    Ram Mohan.

    Legacy Forum Name: I Need Improper shutdown system Event id in windows xp Operating system Details,
    Legacy Posted By Username: Ram Mohan
  • I think it is event id 6008 according to my notes.

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: Chris T
  • Hi Chris

    I am using windows xp operating system,

    I manually unplugged the power chord in my system but i could not see the 6008 event id in system logs , Can you tell me what event id get windows xp operating system.

    In windows 2003 server i am able to see this event id 6008.

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: Ram Mohan
  • I dont think that unplugging the machine will produce an "imporper shutdown" but it may produce a power releated event... what does your even log show?

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: thirteentwenty
  • It is 6008, I rolled this set up too 1000 computers last week, this morning we still have 8 reguarly alerting of this event (mostly where users get impatient on a shutdown or restart), I have checked and a couple of these machines are WinXP.

    Here there is even some proof if you want it...

    ===================
    From Kaseya...
    ===================
    Computer Information
    Current User meld
    Domain/Workgroup: SANCTUARY (domain)
    Computer Name (ID): sanpc-25
    OS: XP
    Version: Professional Edition Service Pack 3 Build 2600
    RAM: 767MB
    CPU: (1) 1993 MHz Intel(R) Pentium(R) 4 CPU 2.00GHz, Model 2 Stepping 7

    ===================
    Kaseya Ticket...
    ===================
    System log generated Error Event 6008 on sanpc-25.cash-genie For more information see http://www.eventid.net/display.asp?eventid=6008&source=EventLog

    Log: System
    Type: Error
    Event: 6008
    Agent Time: 10:12:34 7-Apr-10
    Event Time: 09:12:34 7-Apr-10 UTC
    Source: EventLog
    Category: None
    Username: N/A
    Computer: sanpc-25
    Description: The previous system shutdown at 17:49:45 on 06/04/2010 was unexpected.
    ===================

    Hope this clarifies things for you.

    P.S. Sorry just noticed how old this thread is, god knows why it topped my forum view.

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: Hoe
  • In addition to event 6008 we also monitor on event 1003 (source: system error)
    This way we also get alarmed when a system had a BSOD

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: Martijn Frickel
  • Hi,

    Thanks For All.

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: Ram Mohan
  • Martijn Frickel
    In addition to event 6008 we also monitor on event 1003 (source: system error)
    This way we also get alarmed when a system had a BSOD


    Surely this would also alert to a 6008 as the BSOD was unexpected no?

    I have added it either way as it looks like there could be some useful information in there.

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: stu_u2k
  • On WinXP we don't see the 6008 events (at least not that i'm aware of).
    On other OS's the 6008 event also regularely shows after scheduled reboots.

    The 1003 event is a notification of a system crash, sure it's unexpected, never seen the 6008 after a 1003 event

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: Martijn Frickel
  • The example details I posted above is a 6008 on Win XP so it definitely logs them there.

    I have never seen 6008 for a scheduled reboot though I have never really looked, we have had these monitor sets in place for a week now and all the unexpected shut downs have been genuine thus far.

    As for 6008 after 1003, quite possible is does not get logged as it is covered under 6008 however logic (real logic not MS logic) would tell me a 1003 is also a 6008.

    I have added 1003 to our shut down set now and will keep an eye, if we start getting load of scheduled stuff back I will update the thread for others, but a week in having not received any yet (we usually have 3-10 servers scheduled for a reboot in anyone day) I think we could fairly safely say this is not an issue.

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: stu_u2k
  • Martijn Frickel
    On other OS's the 6008 event also regularely shows after scheduled reboots.


    In fact I bet I know why, our monitoring set is only checking for ERROR and WARNING on 6008 and not watching the rest, I am guessing any 6008 Scheduled alerts you have received would have been Informational.

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: stu_u2k
  • Just looked into the log of a 2008 sbs server that had a scheduled reboot yesterday.

    The event 6008 logged is an error, not informatical, implicating the reboot was unexpected.

    We also set the monitoring to only look at error and warning

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: Martijn Frickel
  • Martijn Frickel
    Just looked into the log of a 2008 sbs server that had a scheduled reboot yesterday.

    The event 6008 logged is an error, not informatical, implicating the reboot was unexpected.

    We also set the monitoring to only look at error and warning


    Interesting, I just took 1003 back out because we started receiving junk back from it like the example below...

    =========================================================
    System log generated Warning Event 1003 on ss-disks.secondsite.wallingford For more information see http://www.eventid.net/display.asp?eventid=1003&source=NfsSvr

    Log: System
    Type: Warning
    Event: 1003
    Agent Time: 14:37:34 8-Apr-10
    Event Time: 13:37:34 8-Apr-10 UTC
    Source: NfsSvr
    Category: None
    Username: N/A
    Computer: SS-DISKS
    Description: Mapping information could not be obtained from Username mapping. Another attempt will be made after 30 minutes.
    =========================================================

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: stu_u2k
  • [QUOTE=stu_u2k;56826]Interesting, I just took 1003 back out because we started receiving junk back from it like the example below...

    =========================================================
    System log generated Warning Event 1003 on ss-disks.secondsite.wallingford For more information see http://www.eventid.net/display.asp?eventid=1003&source=NfsSvr

    Log: System
    Type: Warning
    Event: 1003
    Agent Time: 14:37:34 8-Apr-10
    Event Time: 13:37:34 8-Apr-10 UTC
    Source: NfsSvr
    Category: None
    Username: N/A
    Computer: SS-DISKS
    Description: Mapping information could not be obtained from Username mapping. Another attempt will be made after 30 minutes.
    =========================================================[/QUOTE]

    Try setting it to look only at source: "system error" for event 1003

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: Martijn Frickel
  • Done, thanks.



    Just out of Interest have you used or tried to use the Ignore filter in Event Log monitoring?



    Only it turns out if you ignore say 6008 in set 1 that will actually mean 6008 is ignore in ALL SETS! Kaseya support have confirmed this for me as I logged a ticket with regard to a Symantec System Recovery monitoring problem I had, I posted it on the forum too if you want more details...

    http://community.kaseya.com/xsp/f/27/t/7265.aspx

    Legacy Forum Name: Event Sets,
    Legacy Posted By Username: stu_u2k