The process <process> has initiated the restart of <computer name> for the following reason: No title for this reason could be found.
Minor Reason: <reason>
Shutdown Type: <type>
Reason: Operating System: Recovery (Planned) - EV100497 (Machine restarted automatically last night) indicates a situation where the computer is rebooted when Windows updates are distributed through a group policy.
As a general statement, this event records a system shutdown or restart so that the administrators of that system have a better understanding of how often and for what reasons the computer is shut down or restarted. The event contains details about the process (the program) that performed this task, the computer that was affected and, when applicable, the reason for the restart or shutdown. The type of operation is also recorded: restart when a user or an application initiates a system restart, shutdown when the system is sent a shutdown request, or power off when the power button is pressed (and that initiates a shutdown).
The process listed in the event provides an important clue as to who or what initiated the shutdown or the restart. Processes related to the user's environment such as Explorer.exe or Winlogon indicate that the shutdown was initiated by a user while other types of processes such as svchost.exe.
The comment shown in the event description is something that can be specified by the process that initiates the shutdown. For example, if an application is installed and the installer script requires a restart, one may see a comment like "The Windows Installer initiated a system restart to complete or continue the configuration of <application name here>". Users of the shutdown.exe command can also specify text to be recorded as a comment.
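The interpretation described above can be applied to exported event text. The following Python sketch is an added example, not EventID.Net code: it parses messages laid out like the template at the top of this page and labels the initiator as a user when the process is Explorer.exe or Winlogon. The `Comment:` label, the host names and the sample messages are constructed assumptions.

```python
import ntpath
import re
from collections import Counter

# Layout follows the event template on this page; "Comment:" is an assumed label.
EVENT_RE = re.compile(
    r"The process (?P<process>.+?) has initiated the "
    r"(?P<action>restart|shutdown|power off) of (?P<computer>.+?) "
    r"for the following reason: (?P<title>.*?)\s*"
    r"Minor Reason: (?P<reason>\S+)\s*"
    r"Shutdown Type: (?P<type>[^\r\n]+?)\s*"
    r"(?:Comment: (?P<comment>.*))?$",
    re.DOTALL,
)
# Processes the page associates with a user-initiated shutdown.
USER_PROCESSES = {"explorer.exe", "winlogon", "winlogon.exe"}

def parse_event(message):
    """Return the event fields as a dict, or None if the text does not match."""
    m = EVENT_RE.search(message.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["comment"] = (ev["comment"] or "").strip()
    image = ntpath.basename(ev["process"].strip()).lower()  # drop any path
    ev["initiator"] = "user" if image in USER_PROCESSES else "other"
    return ev

def summarize(messages):
    """Count events per (computer, initiator, shutdown type); count misses."""
    tally, unparsed = Counter(), 0
    for msg in messages:
        ev = parse_event(msg)
        if ev is None:
            unparsed += 1
        else:
            tally[(ev["computer"], ev["initiator"], ev["type"])] += 1
    return tally, unparsed

# Constructed sample messages (host names and comment text are made up).
REASON = "for the following reason: No title for this reason could be found.\n"
SAMPLES = [
    "The process winlogon.exe has initiated the restart of SRV01 " + REASON
    + "Minor Reason: 0x2\nShutdown Type: restart",
    "The process C:\\WINDOWS\\system32\\svchost.exe has initiated the restart of SRV01 "
    + REASON + "Minor Reason: 0x2\nShutdown Type: restart",
    "The process Explorer.exe has initiated the shutdown of WS07 " + REASON
    + "Minor Reason: 0x0\nShutdown Type: shutdown\nComment: Hardware maintenance",
    "The service was stopped.",
]
```

A restart tallied under `other` only means the process was not one of the two the page ties to an interactive user; the process name and comment still need to be read to decide what triggered it.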
- Process: Lsass.exe - In my case, ME818080 helped me solve the problem.
- Process: Lsass.exe - See ME897648, ME911185 and ME915335 for three hotfixes applicable to Microsoft Windows Server 2003.
- Reason: 0x2 - I received this event after the automatic installation of KB900485 through Windows Update Agent. Therefore, this can be translated to: updates that require reboot were installed.
I am using Microsoft SUS (Software Update Services) to push Windows updates and this message is generated when a machine is automatically rebooted, once an update that requires a reboot is installed.
Anne Jan Elsinga
This also happens when you manually kill the process "Remote Procedure Calls", also known as svchost.
- Process: Explorer.exe - As per Microsoft: "Shutdown Event Tracker is a Microsoft Windows Server 2003 and Microsoft Windows XP feature that you can use to consistently track the reason for system shutdowns. You can then use this information to analyze shutdowns and to develop a more comprehensive understanding of your system environment. Shutdown Event Tracker logs events that are similar to this one in the system event log". See ME293814 and MSW2KDB for more details.
This error may be attributed to a security issue identified, or a virus known as W32.Blaster.Worm. The virus broadcasts from the local machine, and may cause a buffer overrun in RPC, allowing code execution, or RPC may terminate unexpectedly.
See the link to the Symantec Virus information and removal tool, MS03-026 and RPC DCOM WORM (MSBLASTER).