Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1074 Source: USER32

Source
Level
Description
The process <process> has initiated the restart of <computer name> for the following reason: No title for this reason could be found.
Minor Reason: <reason>
Shutdown Type: <type>
Comments
 
Reason: Operating System: Recovery (Planned) - EV100497 (Machine restarted automatically last night) indicates a situation where the computer is rebooted when Windows updates are distributed through a group policy.
As a general statement, this event records a system shutdown or restart in order for the administrators of that system to have a better understanding on how often and for what reasons the computer is shutdown or restarted. The event contains details about the process (the program) that performed this task, the computer that was affected and when applicable, the reason for the restart or shutdown. Also, the type of operation is recorded: restart when a user or an application initiates a system restart, shutdown when the system is sent a shutdown request or power off when the power button is pressed (and that initiates a shutdown).

The process listed in the event provides an important clue as to who or what initiated the shutdown or the restart. Processes related the user's environment such as Exlorer.exe or Winlogon indicate that the shutdown was initiated by a user while other type of processes such as svchost.exe.

The comment shown in the event description is something that can be specified by the process that initiates the shutdown. For example, if an application is installed and the installer script requires a restart one may see a comment like "The Windows Installer initiated a system restart to complete or continue the configuration of <application name here>". Users of shutdown.exe command can also specify a text to be recorded as comment.
- Proccess: Lsass.exe - In my case, ME818080 helped me solve the problem.
- Process: Lsass.exe - See ME897648, ME911185 and ME915335 for three hotfixes applicable to Microsoft Windows Server 2003.
- Reason: 0x2 - I received this event after the automatic installation of KB900485 through Windows Update Agent. Therefore, this can be translated to: updates that require reboot were installed.


I am using Microsoft SUS (Software Update Services) to push Windows updates and this message is generated when a machine is automatically rebooted, once an update that requires a reboot is installed.
This also happens when you manually kill the process "Remote Procedure Calls" also know as svchost.
- Process: Explorer.exe - As per Microsoft: "Shutdown Event Tracker is a Microsoft Windows Server 2003 and Microsoft Windows XP feature that you can use to consistently track the reason for system shutdowns. You can then use this information to analyze shutdowns and to develop a more comprehensive understanding of your system environment. Shutdown Event Tracker logs events that are similar to this one in the system event log". See ME293814 and MSW2KDB for more details.
This error may be contributed to security issue identified, or virus known as W32.Blaster.Worm. The Virus brodcasts from the local machine, and may cause a buffer overrun in RPC, allowing code execution, or RCP may terminate unexpectedly.

See the link to the Symantec Virus information and removal tool, MS03-026 and RPC DCOM WORM (MSBLASTER).

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...