If you're seeing the Shutdown Event Tracker dialog pop up after every RDP login to your Windows Server 2019 machine - even when no actual shutdown occurred - you're not alone. This behavior typically indicates a stuck shutdown flag in the system registry.
Before making changes, verify this isn't a legitimate shutdown event:
# Check system events for unexpected shutdowns
Get-EventLog -LogName System -EntryType Error,Warning -After (Get-Date).AddDays(-1) |
Where-Object {$_.EventID -eq 6008 -or $_.Message -like "*unexpected shutdown*"}The most reliable fix involves modifying the registry to clear the shutdown flag:
# PowerShell script to disable the persistent shutdown tracker
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability"
$name = "ShutdownFlag"
$value = 0
# Check if the key exists first
if (Test-Path $registryPath) {
Set-ItemProperty -Path $registryPath -Name $name -Value $value -Type DWord
Write-Host "Shutdown flag has been reset successfully."
} else {
Write-Host "Registry path not found - may need to create it."
}For domain-joined servers, you might prefer using Group Policy:
# GPO path to modify:
# Computer Configuration -> Administrative Templates -> System -> Display Shutdown Event TrackerAfter making changes, test by logging out and back in via RDP. The dialog should only appear after actual shutdown events.
- Always back up the registry before making changes
- Consider creating a system restore point
- Document the change in your server maintenance logs
Many Windows Server 2019 administrators report seeing the Shutdown Event Tracker dialog appear after every RDP session login, despite no actual server restarts occurring. The system seems to maintain a false positive shutdown flag in its internal state tracking.
Before implementing any solutions, verify these key points through PowerShell:
# Check last shutdown events (should return empty if no actual restarts)
Get-WinEvent -FilterHashtable @{LogName='System'; ID=1074,6008} -MaxEvents 5 | Format-Table -AutoSize
# Verify current tracker settings
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" -Name "ShutdownReasonOn"
The most effective permanent fix involves modifying the Windows Registry:
# Disable shutdown tracker completely (not recommended for production)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" -Name "ShutdownReasonOn" -Value 0
# Alternative: Reset the tracker cache
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" -Name "LastAliveStamp" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" -Name "TimeStampInterval" -ErrorAction SilentlyContinue
For domain-joined servers, implement through GPO:
- Open
gpedit.msc - Navigate to: Computer Configuration → Administrative Templates → System
- Enable "Display Shutdown Event Tracker" and set to "Disabled"
After applying changes:
# Force policy update
gpupdate /force
# Create monitoring scheduled task
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "Get-EventLog -LogName System -After (Get-Date).AddHours(-1) | Where-Object {$_.EventID -eq 1074 -or $_.EventID -eq 6008}"
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName "ShutdownMonitor" -Action $action -Trigger $trigger -User "SYSTEM"
When Splunk Universal Forwarder is installed, check its inputs.conf:
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist = 1074,6008
Consider adjusting the polling interval if it coincides with RDP session initiations.
Create a logon script to reset tracker flags:
# Save as ResetTracker.ps1
$key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability"
if (Test-Path $key) {
Remove-ItemProperty -Path $key -Name "LastAliveStamp" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $key -Name "DirtyShutdown" -ErrorAction SilentlyContinue
}