How to Diagnose Unexpected Server Reboots: Logs, Windows Updates, and Crash Analysis



Server reboots can be disruptive, especially when they happen unexpectedly. Whether it's due to manual intervention, Windows updates, or system crashes, identifying the root cause is crucial for maintaining system stability. This guide will walk you through the key logs and tools to investigate server reboots effectively.

The Windows Event Viewer is your first stop. Look for these critical event IDs:


# PowerShell command to filter reboot-related events
# 1074 = requested shutdown/restart, 6008 = unexpected shutdown, 41 = kernel power (crash or power loss)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1074, 6008, 41 } |
    Format-Table TimeCreated, Id, ProviderName, Message -AutoSize -Wrap

For manual reboots, check Event ID 1074, which names both the user account and the process that requested the shutdown or restart. The description field often contains valuable context, such as the reason string passed to shutdown.exe.

Automatic updates are a common reboot trigger. Check these locations:


# Check Windows Update history
Get-WinEvent -LogName "Microsoft-Windows-WindowsUpdateClient/Operational" | 
Where-Object {$_.Id -eq 19} | Select-Object TimeCreated,Message

# Alternative via WMI
Get-CimInstance -ClassName Win32_ReliabilityRecords | 
Where-Object {$_.Message -like "*update*"} | 
Select-Object TimeGenerated,Message

For BSOD-related reboots, analyze memory dumps:


# Check for existing dump files (PowerShell; %SystemRoot% does not expand here, so use $env:SystemRoot)
Get-ChildItem "$env:SystemRoot\MEMORY.DMP", "$env:SystemRoot\Minidump\*.dmp" -ErrorAction SilentlyContinue

# Install Debugging Tools (if needed); wget is only an alias for Invoke-WebRequest in PowerShell
Invoke-WebRequest -Uri https://aka.ms/windbg -OutFile windbg.appinstaller

Use WinDbg to analyze dump files with these commands:


!analyze -v
lmvm nt

Create a PowerShell script to monitor reboot causes:


# Monitor-Reboots.ps1
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
# 1074 is written before the reboot and 41/6008 shortly after it, so start the
# window a little before the boot time rather than exactly at it
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    StartTime = $lastBoot.AddHours(-1)
    ID        = 1074, 6008, 41, 19
} -ErrorAction SilentlyContinue

New-Item -ItemType Directory -Path "C:\logs" -Force | Out-Null
$events | ForEach-Object {
    [PSCustomObject]@{
        Time    = $_.TimeCreated
        EventID = $_.Id
        Source  = $_.ProviderName
        Message = $_.Message -replace "`r`n", " "   # flatten multi-line messages for CSV
    }
} | Export-Csv -Path "C:\logs\reboot_history.csv" -NoTypeInformation

Check system uptime and recent shutdowns:


systeminfo | find "System Boot Time"
wevtutil qe System /q:"*[System[(EventID=6008)]]" /rd:true /f:text

Configure these Group Policy settings to gain more control over update-driven reboots (shown here as the registry values the policy writes, in .reg format):


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
; do not restart automatically while a user is logged on
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
; re-prompt for the restart at an interval of 0x384 = 900 minutes
"RebootRelaunchTimeoutEnabled"=dword:00000001
"RebootRelaunchTimeout"=dword:00000384

When a server unexpectedly reboots, the Windows Event Viewer should be your first stop. Focus on these critical log sources:


# PowerShell command to filter recent system events
Get-WinEvent -LogName System -MaxEvents 100 | 
Where-Object { $_.Id -in (41,1074,6005,6006,6008) } |
Format-Table TimeCreated,Id,Message -AutoSize -Wrap

Key event IDs to investigate:

  • Event ID 41: Kernel-Power, logged at the next boot when the previous shutdown was not clean (crash or power loss); a non-zero BugcheckCode in its event data means a blue screen
  • Event ID 1074: User- or process-initiated shutdown/restart, including the account and process that requested it
  • Event ID 6005/6006: Event log service started (a boot) / stopped (a clean shutdown)
  • Event ID 6008: Previous shutdown was unexpected, logged at the next boot

Recent updates can trigger reboots. Check update history with:


# Command to list recent updates
Get-WinEvent -LogName "Microsoft-Windows-WindowsUpdateClient/Operational" |
Where-Object { $_.Id -eq 19 } |
Sort-Object TimeCreated -Descending |
Select-Object -First 5

For potential blue screen events, examine memory dumps:


# Analyzing mini dumps with WinDbg (run as admin)
# -y sets the symbol path (here the public Microsoft symbol server with a local cache),
# -i the path to the executable images, -z the dump file to open
cd C:\Windows\Minidump
windbg -y "srv*C:\Symbols*https://msdl.microsoft.com/download/symbols" -i <ImagePath> -z .\MinidumpFile.dmp

Common crash analysis commands in WinDbg:


!analyze -v
lm
kv

To track who might have initiated a reboot, enable process auditing:


# Enable process creation auditing (Security log Event ID 4688); "Audit privilege use"
# is a category, not a subcategory, and would not produce 4688 events
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
# Optional: include the command line of each new process in 4688
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

Then check the Security log for Event ID 4688 with process name "shutdown.exe". Event ID 1074 in the System log already records the account and process, so 4688 mainly adds the parent process and, with the option above, the command line.

For proactive monitoring, create a PowerShell script to log reboot events:


$RebootEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    ID        = 41, 1074, 6005, 6006, 6008
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue   # Get-WinEvent reports an error when no events match

$Report = $RebootEvents | ForEach-Object {
    [PSCustomObject]@{
        Time    = $_.TimeCreated
        EventID = $_.Id
        Message = $_.Message
    }
}

New-Item -ItemType Directory -Path "C:\Monitoring" -Force | Out-Null
$Report | Export-Csv -Path "C:\Monitoring\RebootReport.csv" -NoTypeInformation
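The two CSV scripts on this page list the raw events; the added example below (not from the original article) goes one step further and turns the event IDs described above into a verdict per boot, by correlating 6005 (a boot) with the 1074 that preceded it, the 41/6008 the next boot wrote, and any update installation (19) shortly before the restart request. It assumes an elevated PowerShell session on the server and English event message text (the 1074 regexes are locale-bound); the `Near`/`Before` helpers and the 10-minute, 1-hour and 4-hour windows are my own choices.

```powershell
# Added example: classify each boot in the last $Days days from System log events.
# Assumes an elevated session and English message templates (1074 regexes below).
function Get-RebootTimeline {
    param([int]$Days = 30, [int]$UpdateWindowHours = 4)

    # One query for every event we correlate, oldest first; absent IDs simply have no key.
    $all = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ID = 19, 41, 1074, 6005, 6008
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated
    $byId = @{}
    if ($all) { $all | Group-Object Id | ForEach-Object { $byId[[int]$_.Name] = $_.Group } }

    # foreach over a missing key runs zero times, so these helpers tolerate absent IDs.
    function Near([int]$id, [datetime]$t, [int]$minutes) {
        foreach ($e in $byId[$id]) { if ([math]::Abs(($e.TimeCreated - $t).TotalMinutes) -le $minutes) { $e } }
    }
    function Before([int]$id, [datetime]$t, [int]$hours) {
        foreach ($e in $byId[$id]) { if ($e.TimeCreated -le $t -and $e.TimeCreated -gt $t.AddHours(-$hours)) { $e } }
    }

    foreach ($boot in $byId[6005]) {      # 6005 = event log service started = one boot
        $b = $boot.TimeCreated
        $crash = @(Near 41 $b 10)         # 41 and 6008 are written by the NEXT boot,
        $dirty = @(Near 6008 $b 10)       # so look around the boot time, not before it
        $req   = @(Before 1074 $b 1)      # 1074 is written before the shutdown it announces
        $cause = 'Unknown'; $detail = ''
        if ($crash.Count) {
            $code = ([xml]$crash[0].ToXml()).Event.EventData.Data |
                    Where-Object Name -eq 'BugcheckCode' | Select-Object -ExpandProperty '#text'
            if ($code -and [int]$code -ne 0) { $cause = 'Bugcheck'; $detail = '0x{0:X}' -f [int]$code }
            else { $cause = 'Unexpected (power loss, reset or hang, no bugcheck)' }
        } elseif ($dirty.Count) {
            $cause = 'Unexpected (dirty shutdown)'
        } elseif ($req.Count) {
            $m = $req[-1].Message          # "The process X (HOST) has initiated the restart of computer
            $cause = 'Planned'             #  HOST on behalf of user DOMAIN\user for the following reason: ..."
            if ($m -match '^The process (?<proc>.+?) \(') { $detail = $Matches.proc }
            if ($m -match 'on behalf of user (?<user>\S+)') { $detail += " by $($Matches.user)" }
            $upd = @(Before 19 ($req[-1].TimeCreated) $UpdateWindowHours)
            if ($upd.Count) { $cause = 'Planned (after Windows Update)'; $detail += "; $($upd[-1].Message.Trim())" }
        }
        [PSCustomObject]@{ BootTime = $b; Cause = $cause; Detail = $detail }
    }
}

Get-RebootTimeline -Days 30 | Format-Table -AutoSize -Wrap
```

A boot classified as Unknown usually means its 1074 fell outside the one-hour window or the shutdown was triggered from a remote host, so widen the window or check Event ID 1074 on the initiating machine.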

For potential hardware-related reboots, examine:

  • IPMI logs (for physical servers)
  • Temperature monitoring tools
  • RAID controller logs

# Example for Dell servers running OpenManage Server Administrator, which writes to the
# System log under the source "Server Administrator" (there is no separate "Dell OpenManage" log)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Server Administrator' } -MaxEvents 20