The previous system shutdown at <time> on <date> was unexpected.
If the Information Store service on an Exchange 2000 server stops unexpectedly because of an application exception, the whole server may stop unexpectedly with a Stop error a short time later. After the server restarts, this event is logged. See ME811458 for a hotfix applicable to Microsoft Exchange 2000.
This problem can occur if Winlogon does not log off the user, and because of this, the screensaver continues. After this occurs, a proper shutdown is not initiated. See ME304742 for a hotfix applicable to Microsoft Windows NT Workstation 4.0, ME883635 for a hotfix applicable to Microsoft Windows 2000 Server and ME916719 for a hotfix applicable to Microsoft Windows Server 2003.
As per Microsoft: "This problem occurs because the SYSPREP utility does not shut down the system gracefully after completing the mini setup". See ME216071 for more information.
This issue can occur if a user with administrative privileges modifies the computer policy to permit shutdown from authentication. When this feature is enabled, any client that is connected to the Terminal Server has the capability of restarting the Terminal Server. See ME243848 for more information about this problem.
According to Microsoft a remote shutdown problem using the InitiateSystemShutdown function was fixed in Windows NT 4.0, Terminal Server Edition, Service Pack 4 (SP4). This fix can cause this problem. See ME241840 for more information about this issue.
See the links to "Citrix Support Document ID: CTX484963" for additional information about this event.
Check ME196452 to see why WinNT Reports 6005, 6006, 6008, and 6009 event log entries.
If you are using a Windows evaluation copy, this error means that the evaluation period has expired. See ME250920 for more details.
Hardware issues could also cause this error. Several users reported that their problems were fixed after replacing a hardware component (mostly the power supply).
According to Microsoft this event indicates that an inconsistency exists between the Browser service and the server service. See MSW2KDB for additional information on this event.
As per Microsoft: "When the Event Log service starts (and it is one of the first services to start when you start the computer), event 6005 is generated in the system log. When the Event Log service shuts down gracefully, such as when the administrator shuts down the system, event 6006 is logged. When the system restarts unexpectedly, event 6008 is logged. These events are logged automatically; no configuration is needed to turn them on, and they cannot be turned off except by disabling the Event Log service". See the link to "Monitoring and Auditing for End Systems" for additional information.
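The event semantics quoted above, turned into a check over an exported System log. This is an added example, not part of the original page; the sample records, the two-minute window and the verdict names are constructed assumptions.

```python
from datetime import datetime, timedelta

# Event IDs as described in the quoted Microsoft text.
EVENTLOG_START, EVENTLOG_STOP, UNEXPECTED = 6005, 6006, 6008
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: (timestamp, event id) pairs exported from the System log.
SAMPLE_EVENTS = [
    ("2004-03-01 08:00:05", 6005),
    ("2004-03-01 18:30:10", 6006),
    ("2004-03-02 08:01:00", 6005),
    ("2004-03-03 02:15:41", 6008),  # logged at boot, after the crash
    ("2004-03-03 02:15:43", 6005),
    ("2004-03-03 19:00:00", 6006),
    ("2004-03-04 07:59:30", 6005),
    ("2004-03-04 07:59:31", 6008),  # 6008 although a 6006 was written
]

def classify_boots(events, window=timedelta(minutes=2)):
    """Classify how the system went down before each Event Log start (6005).

    clean      - a 6006 was logged in the previous session, no 6008 at boot
    unexpected - no 6006 in the previous session
    mixed      - 6006 present but 6008 also logged at boot; needs a manual look
    unknown    - first boot in the export, nothing to compare against
    """
    parsed = sorted((datetime.strptime(ts, FMT), eid) for ts, eid in events)
    boots = [t for t, eid in parsed if eid == EVENTLOG_START]
    results, prev_boot = [], None
    for boot in boots:
        # 6008 is written during startup, just before or after the 6005.
        has_6008 = any(eid == UNEXPECTED and abs(t - boot) <= window
                       for t, eid in parsed)
        if prev_boot is None:
            verdict = "unexpected" if has_6008 else "unknown"
        else:
            clean_stop = any(eid == EVENTLOG_STOP and prev_boot < t <= boot
                             for t, eid in parsed)
            if not clean_stop:
                verdict = "unexpected"
            else:
                verdict = "mixed" if has_6008 else "clean"
        results.append({"boot": boot, "previous_shutdown": verdict,
                        "confirmed_by_6008": has_6008})
        prev_boot = boot
    return results

if __name__ == "__main__":
    for row in classify_boots(SAMPLE_EVENTS):
        print(row["boot"], row["previous_shutdown"], row["confirmed_by_6008"])
```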
In my case, it was a defective graphics adapter that could not return from suspend mode and so the server shut down.
If you have Win2K SP4 installed on your DCs and your server suddenly restarts you should check your "Directory service" log. When you find two warning messages id 1173 a few minutes before your server posts the "Previous shutdown was unexpected" message in your system log, it means that one of your clients requested information from AD which crashed the Lsass process that in turn crashed your machine. Microsoft has not yet published the hotfix for this problem. If you experience this problem you should contact Microsoft in your country and ask them for this hotfix. See ME824226.
See Microsoft article ME326564. "A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this fix. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix."
I get the error sometimes when I restart the Windows 2000 Advanced Server from inside a terminal services session.
This event occasionally occurs with Windows 2000 SP3 during or after a manual shutdown, which otherwise appears to proceed without any malfunction or mishap. It appears that there may be at least one service (possibly Norton Antivirus Enterprise Edition 7.5x) which is not shutting down correctly, though the rest of the machine does so.
It may also appear in the event log if the user clicks the "OK" button in response to the "Service pack installation is completed. Your machine needs to be restarted. Would you like to restart now?" dialog box that appears after installing most Windows service packs and Updates.
If a server is powered off without a proper shutdown this event will be generated when the computer is restarted. In some circumstances, when various utilities are used to shut down the system (i.e. shutdown.exe) Windows NT still reports this error. This was fixed in SP 4.
Links: Monitoring and Auditing for End Systems