How Shutdown Event Tracker Works

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • Terms and Definitions

  • Shutdown Event Tracker Architecture

  • Shutdown Event Tracker Protocols

  • Shutdown Event Tracker Interfaces

  • Shutdown Event Tracker Processes and Interactions

  • Network Ports Used by Shutdown Event Tracker

  • Related Information

Shutdown Event Tracker is a feature of the Microsoft Windows Server 2003 operating systems that provides a way for IT professionals to consistently track why users restart or shut down their computers. Shutdown Event Tracker captures the reasons users give for restarts and shutdowns to help create a comprehensive picture of an organization’s system environment. It does not document why users choose other options, such as Log off and Hibernate.

In a more active sense, Shutdown Event Tracker also provides IT professionals with a specific tool, Remote Shutdown (Shutdown.exe), for restarting or shutting down both local and remote computers, while at the same time supplying reasons for doing so. In addition, users can employ Remote Shutdown to hibernate a local computer and cancel delayed shutdowns.

Shutdown Event Tracker is enabled by default and is a routine part of the computer shutdown process.

The following sections provide an in-depth view of how Shutdown Event Tracker works in an optimal environment. An optimal environment for Shutdown Event Tracker is defined as follows:

  • Windows Server 2003 is correctly installed and Shutdown Event Tracker is enabled.

  • All other dependencies are in place, properly designed and deployed, and functioning normally.

  • Server hardware is sized appropriately and there are no disk, CPU, memory, or network bottlenecks that affect the performance of the technology.

Terms and Definitions

The following terms are associated with Shutdown Event Tracker.

Expected Restarts and Shutdowns

Expected restarts and shutdowns can be either planned or unplanned. These shutdown types are explained as follows:

A planned shutdown is one in which both the user and the computer fully anticipate the shutdown. For example, as a matter of either policy or habit, a user might shut down his or her computer at the end of each day. When a user has control over the timing of a restart or shutdown, the task is planned.

An unplanned shutdown is one in which the user does not anticipate the shutdown, but has time to perform the shutdown in a normal manner. For example, if an application becomes unresponsive, the user might be forced to restart or shut down the computer. When a user does not have control over the exact timing of a restart or shutdown, the task is unplanned.

Note

  • For the purpose of this topic, shutting down the system in a “normal manner” is defined as the user clicking Start and then Shutdown, or pressing CTRL+ALT+DELETE and then clicking Shutdown, or utilizing Remote Shutdown (Shutdown.exe), a tool specific to Shutdown Event Tracker. These methods call the InitiateSystemShutdownEx application programming interface (API), which in turn spawns a number of related events. To find more information about these events, see “Shutdown Event Tracker Architecture.”

Unexpected Restarts and Shutdowns

Unexpected shutdowns are shutdowns that the computer does not anticipate, and that the user may or may not anticipate. For example, the computer abruptly loses power and immediately shuts down. In this instance, neither the computer nor the user could have anticipated the shutdown. However, in another example, the user shuts down the computer by holding down the power button. In this instance, the user did, in fact, anticipate the shutdown but the computer, as in the first example, did not. It is important to understand that in both instances shutdown did not occur in a normal manner and that therefore the two shutdowns must be classified as “unexpected.”

Shut Down Windows (Expected Shutdown) Dialog Box

The Shut Down Windows (expected shutdown) dialog box appears when users restart or shut down the operating system in a normal manner. This dialog box differs from other Windows shutdown dialog boxes (for example, in earlier versions of Windows, or when Shutdown Event Tracker has been disabled) in that it prompts users to supply a reason and a comment to explain the action. In addition, since both planned and unplanned shutdowns are performed in a normal manner, the Shut Down Windows (expected shutdown) dialog box appears in either instance.

Note

  • Though titled as Shut Down Windows, this dialog box functions, in essence, as the expected shutdown dialog box.

Shutdown Event Tracker (Unexpected Shutdown) Dialog Box

When an unexpected shutdown occurs the user is not given the opportunity to perform the shutdown in a normal manner, and the Shut Down Windows (expected shutdown) dialog box does not appear at the time of shutdown. Instead, the Shutdown Event Tracker (unexpected shutdown) dialog box appears to the first person with the Shutdown the system user right or with administrative credentials who logs on to the computer after the restart or shutdown. Like the Shut Down Windows (expected shutdown) dialog box, it prompts this user to supply a reason and a comment for the shutdown.

Notes

  • Though titled as Shutdown Event Tracker, this dialog box functions, in essence, as the unexpected shutdown dialog box.

  • It is important to realize that a person with administrative credentials automatically has the Shutdown the system user right, but that it is possible for another person to have only this one right and not have administrative credentials.

Shutdown Event Tracker Architecture

From an architectural standpoint, Shutdown Event Tracker is divided into three areas:

  • The Shutdown Event Tracker interface (the expected shutdown dialog and the unexpected shutdown dialog)

  • Other Windows technologies with which Shutdown Event Tracker interacts (Windows Base Services; Event Log; Registry; Group Policy; System State Data feature; Windows Error Reporting [WER]; Poolmon.exe or Memory Pool Monitor)

  • Tools specific to Shutdown Event Tracker (Remote Shutdown [Shutdown.exe]; SSDFormat or System State Data Formatter; Custom Reason Editor)

The following figure shows the components within these three areas and how the areas and components interact.

Shutdown Event Tracker Architectural Diagram

The following table lists the components in the first of the three areas described previously.

Shutdown Event Tracker Components: Interface

Component Description

Shut Down Windows (expected shutdown) dialog box

Appears at shutdown if shutdown occurs in a normal manner.

To find more information about the Shut Down Windows (expected shutdown) dialog box, see “Terms and Definitions” earlier in this section.

Shutdown Event Tracker (unexpected shutdown) dialog box

Appears at logon if DirtyShutdown key is present in the registry.

To find more information about the Shutdown Event Tracker (unexpected shutdown) dialog box, see “Terms and Definitions” earlier in this section.

The following table lists the components in the second of the three areas described previously.

Shutdown Event Tracker Components: Associated Windows Technologies

Technology Description

Windows Base Services

The base services functions give applications access to the resources of the computer and the features of the underlying operating system, such as memory, file systems, devices, processes, and threads. An application uses these functions to manage and monitor the resources it needs to complete its work.

For Shutdown Event Tracker, Windows Base Services hosts components that log events to the event log; reads and interprets configuration information; and provides the public interface for initiating shutdowns.

Event log

The repository to which shutdown events are written by the expected shutdown dialog, the unexpected shutdown dialog, and Shutdown.exe.

Registry

Stores configuration data associated with Shutdown Event Tracker. Interacts with Custom Reason Editor, expected shutdown dialog (in providing custom reasons), unexpected shutdown dialog (in determining if a previous shutdown was unexpected), Shutdown.exe, and the System State Data feature.

Group Policy

Specifies configurations for groups of users and computers. These groups include software policies, scripts, user documents and configurations, application deployment, and security configurations.

To find more information about how Shutdown Event Tracker uses Group Policy, see “Shutdown Event Tracker Tools and Settings” in “Shutdown Event Tracker Tools and Settings.”

System State Data feature

Gathers information for root-cause analysis of unplanned shutdowns. System state data is recorded in a log file when a user who has the Shutdown the system user right or administrative credentials specifies an unplanned reason for shutting down a computer.

Windows Error Reporting (WER)

WER is a set of technologies that captures product failure (also known as crash) data, enables end users to report failure information, and enables software and hardware vendors to analyze and respond to these problems.

WER is used by the System State Data feature to transmit shutdown data to Microsoft or other designated recipient.

To find more information about Windows Error Reporting, click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection.

Memory Pool Monitor (Poolmon.exe)

Displays data that the operating system collects about memory allocations from the system paged and nonpaged kernel pools. This information can be used to find kernel mode memory leaks.

Poolmon can also be used to confirm findings made by the System State Data feature that are suggestive of memory leaks.

To find more information about Poolmon.exe, see the Microsoft Knowledge Base.

The following table lists the components in the third of the three areas described previously.

Shutdown Event Tracker Components: Tools Specific to the Feature

Tool Description

Remote Shutdown (Shutdown.exe)

Enables users to restart or shut down a local computer or one or more remote computers by either of two means: 1) the graphical user interface (GUI), invoked by typing Shutdown /i at the command prompt, or 2) the same Shutdown command used in combination with various other command-line parameters (for example, Shutdown /s, which causes the computer to shut down after a short interval).

Users can also employ Remote Shutdown to hibernate local computers and to cancel delayed shutdowns from the command prompt.

In addition, IT professionals can perform remote bulk annotations of unexpected shutdowns.

To find more information about Shutdown Event Tracker command-line parameters, see “Command Line References” in Tools and Settings Collection.

To find more information about bulk annotations, see “Shutdown Event Tracker Processes and Interactions” later in this section.

System State Data Formatter (SSDFormat.exe)

A command-line tool that creates a formatted copy of a system state data log file. SSDFormat.exe opens a system state data log file, adds an XSL file header to format the data, fixes any characters from the original file that are not legitimate XML characters, and saves the changes to a new XML file. When the user opens the XML file created by SSDFormat in any XML-capable viewer, such as Microsoft Internet Explorer, the XSL style sheet formats the data into tabular form.

To find more information about SSDFormat, click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection.

Custom Reason Editor (CustReasonEdit.exe)

A command-line and graphical user interface (GUI) tool that allows users to add, modify, and delete custom shutdown reasons for Shutdown Event Tracker.

To find more information about Custom Reason Editor, click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection. After downloading Windows Resource Kit Tools, click Start, All Programs, Windows Resource Kit Tools, and then Windows Resource Kit Tools Read Me.

Shutdown Event Tracker Protocols

Shutdown Event Tracker uses the following protocols:

  • RPC (remote procedure call), when communicating with a remote server

  • HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer), which is used by Windows Error Reporting (WER)

Both RPC and HTTPS reside at the application layer of the OSI (Open Systems Interconnection) model.

Shutdown Event Tracker Interfaces

The following APIs are associated with Shutdown Event Tracker.

Shutdown Event Tracker APIs

API Name Description

InitiateSystemShutdown

Initiates a shutdown and optional restart of the specified computer. Does not support Shutdown Event Tracker and the use of shutdown reason options. Should not be used by a developer who wishes to utilize Shutdown Event Tracker functionality.

InitiateSystemShutdownEx

Initiates a shutdown and optional restart of the specified computer.

Supports Shutdown Event Tracker and the use of shutdown reason options. Should be used by a developer who wishes to utilize Shutdown Event Tracker functionality.

ExitWindowsEx

Either logs off the current user and shuts down the system, or shuts down and restarts the system. It sends the WM_QUERYENDSESSION message to all applications to determine if they can be terminated.

In the unlikely event that ExitWindowsEx fails to shut down the system, or the shutdown is cancelled by the user, it writes an event to the event log.

To find more information about Shutdown Event Tracker interfaces, see MSDN and type the appropriate key words in the “Search for” text box.
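
The shutdown reason options that InitiateSystemShutdownEx accepts travel as a single DWORD, and Shutdown.exe takes the same information on the command line as /d [p:]xx:yy. The following C program is an added example, not code from this page or from Microsoft: it parses a /d argument into that DWORD and decodes it again, rejecting malformed input. The EX_ and ex_ names are hypothetical; the bit values mirror the Windows SDK header reason.h, and the /d syntax and its ranges are taken from the Shutdown.exe help text rather than from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bit values mirror SHTDN_REASON_* in the Windows SDK header reason.h.
   The EX_/ex_ names are hypothetical so the file builds without the SDK. */
#define EX_FLAG_PLANNED      0x80000000u /* SHTDN_REASON_FLAG_PLANNED */
#define EX_FLAG_USER_DEFINED 0x40000000u /* SHTDN_REASON_FLAG_USER_DEFINED */
#define EX_MAJOR_MASK        0x00FF0000u
#define EX_MINOR_MASK        0x0000FFFFu

typedef struct {
    int planned;        /* 1 = planned, 0 = unplanned */
    int user_defined;   /* 1 = custom reason */
    unsigned major, minor;
} ex_reason;

/* Read one unsigned decimal field that must end at end_ch and be <= max. */
static int parse_field(const char **p, char end_ch, unsigned long max,
                       unsigned *out)
{
    char *end;
    unsigned long v;
    if (**p < '0' || **p > '9') return -1;    /* empty, sign, whitespace */
    v = strtoul(*p, &end, 10);
    if (*end != end_ch || v > max) return -1; /* junk or out of range */
    *out = (unsigned)v;
    *p = (end_ch == '\0') ? end : end + 1;
    return 0;
}

/* Convert a Shutdown.exe /d argument, "[p:]xx:yy", into a reason DWORD.
   Returns 0 on success and -1 on malformed input. */
int ex_parse_d_arg(const char *arg, uint32_t *reason)
{
    unsigned major, minor;
    uint32_t flags = 0;
    if (arg == NULL || reason == NULL) return -1;
    if ((arg[0] == 'p' || arg[0] == 'P') && arg[1] == ':') {
        flags = EX_FLAG_PLANNED;              /* no "p:" means unplanned */
        arg += 2;
    }
    if (parse_field(&arg, ':', 255, &major) != 0 ||
        parse_field(&arg, '\0', 65535, &minor) != 0)
        return -1;
    *reason = flags | ((uint32_t)major << 16) | minor;
    return 0;
}

/* Split a reason DWORD back into its fields. */
ex_reason ex_decode(uint32_t reason)
{
    ex_reason r;
    r.planned = (reason & EX_FLAG_PLANNED) != 0;
    r.user_defined = (reason & EX_FLAG_USER_DEFINED) != 0;
    r.major = (reason & EX_MAJOR_MASK) >> 16;
    r.minor = reason & EX_MINOR_MASK;
    return r;
}

int main(void)
{
    /* Constructed sample arguments; the last three are malformed. */
    const char *samples[] = { "p:2:4", "6:11", "p:256:0", "4:", "2:-1" };
    uint32_t reason;
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (ex_parse_d_arg(samples[i], &reason) != 0)
            printf("%-8s rejected\n", samples[i]);
        else
            printf("%-8s 0x%08lX %s\n", samples[i], (unsigned long)reason,
                   ex_decode(reason).planned ? "planned" : "unplanned");
    }
    return 0;
}
```

The same decoding applies to a reason code read back from a recorded shutdown event, which makes it possible to separate planned from unplanned shutdowns when reviewing the system log.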

Shutdown Event Tracker Processes and Interactions

The following is a general description of how Shutdown Event Tracker functions at a basic level.

As stated earlier, Shutdown Event Tracker provides a simple and standard mechanism for IT professionals to consistently document the reasons for shutting down or restarting computers. The information captured can then be used to analyze the root causes of shutdowns and to develop a more complete understanding of the system environment.

To record a restart or shutdown reason, users enter the reason into either the Shut Down Windows (expected shutdown) dialog box or the Shutdown Event Tracker (unexpected shutdown) dialog box. The Shut Down Windows dialog box is displayed when shutdown occurs in a normal manner (an expected shutdown); the Shutdown Event Tracker dialog box appears when shutdown does not occur in a normal manner (an unexpected shutdown). In each instance, Windows provides users with a list of predefined shutdown reasons from which to choose. Users can also employ reason options that they have created using the Custom Reason Editor. The information that users provide is recorded in the system log in Event Viewer.

For these processes and interactions to work as described, Shutdown Event Tracker should reside in an optimal environment. An optimal environment for Shutdown Event Tracker is defined as follows:

  • Windows Server 2003 is correctly installed and Shutdown Event Tracker is enabled.

  • All other dependencies are in place, properly designed and deployed, and functioning normally.

  • Server hardware is sized appropriately and there are no disk, CPU, memory, or network bottlenecks that affect the performance of the technology.

Shutdown Event Tracker Technologies

The following is a more detailed description of specific technologies that either form a part of, or are closely identified with, Shutdown Event Tracker.

Remote Shutdown

Remote Shutdown (Shutdown.exe) enables users to restart or shut down a local computer or one or more remote computers by either of two means: 1) the graphical user interface (GUI), invoked by typing Shutdown /i at the command prompt, or 2) the same Shutdown command used in combination with various other command-line parameters (for example, Shutdown -m [\\ComputerName], which specifies the computer that the user wants to shut down).

Note

  • Although Remote Shutdown can be used to restart or shut down both local and remote computers, its primary purpose is to control the shutdown behavior of remote computers.

IT professionals can also use this tool to perform remote bulk annotations of unexpected shutdowns, an alternative to the time-consuming task of logging on to each computer to record a reason for an unexpected shutdown. For example, a thousand computers in a datacenter all shut down at the same time because there is a catastrophic loss of power to the entire facility. In this circumstance, a user with administrative credentials can later record the same shutdown reason (power loss) in a single place (Remote Shutdown) for all one thousand computers, and is not required to log on to each computer to perform the same function over and over again.

In addition, users can employ Remote Shutdown to hibernate local computers and to cancel delayed shutdowns from the command prompt.

To find more information about Shutdown Event Tracker command-line parameters, see “Command Line References” in Tools and Settings Collection.

System State Data feature

The System State Data feature gathers information for root-cause analysis of expected but unplanned shutdowns, and of unexpected shutdowns.

System state data is written to a log file when a user who has the Shutdown the system user right or administrative credentials specifies an “unplanned” reason for shutting down the computer in the case of an expected, but unplanned, shutdown. This file is stored in the %windir%\system32\LogFiles\Shutdown\ directory. The first user with administrative credentials who logs on to the computer after the shutdown will see a dialog box notification that reads, “The system has restarted after an unplanned shutdown. A log of this event has been created.” From this dialog box, the administrator can navigate to a more detailed description of the system state data file, its contents, and the Microsoft privacy policy for data collection on the Web. The administrator can choose whether to send the system state data file to Microsoft by clicking either the Send Error Report or Don’t Send button.

System State Data Formatter

System State Data Formatter (SSDFormat.exe) is a command-line tool that creates a formatted copy of a system state data log file. SSDFormat.exe opens a system state data log file, adds an XSL file header to format the data, fixes any characters from the original file that are not legitimate XML characters, and saves the changes to a new XML file. When the user opens the XML file created by System State Data Formatter in any XML-capable viewer, such as Internet Explorer, the XSL style sheet formats the data into tabular form.

To find more information about System State Data Formatter, click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection.

Custom Reason Editor

Custom Reason Editor (CustReasonEdit.exe) is a command-line and GUI tool that enables users to add, modify, and delete custom shutdown reasons. Users can employ command-line functionality to perform basic importing and exporting of custom reasons to a registry file, or they can use the GUI to perform all other types of custom reason editing. CustReasonEdit includes a set of sample reasons as a guide to new users.

To find more information about Custom Reason Editor, click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection. After downloading Windows Resource Kit Tools, click Start, All Programs, Windows Resource Kit Tools, and then Windows Resource Kit Tools Read Me.

Other Processes and Interactions

The following is a brief description of other processes and interactions associated with Shutdown Event Tracker.

Enabling or Disabling Shutdown Event Tracker

The user can employ either Group Policy or the registry to enable or disable Shutdown Event Tracker on the user’s system.

When Shutdown Event Tracker is enabled, the Shut Down Windows (expected shutdown) dialog box appears when the user clicks Start and then clicks Shutdown, or when the user presses CTRL+ALT+DELETE and then clicks Shutdown. If an unexpected restart or shutdown occurs, the Shutdown Event Tracker (unexpected shutdown) dialog box will appear to the first person with the Shutdown the system user right or with administrative credentials who logs on to the computer.

When Shutdown Event Tracker is disabled, the standard Windows shutdown dialog box appears. It provides a way to restart or shut down the user’s computer, although it does not provide a way to record whether or not the event is planned or unplanned, or a way to record a reason for it. If an unexpected restart or shutdown occurs under these circumstances, the Shutdown Event Tracker (unexpected shutdown) dialog box will not appear to the first person with the Shutdown the system user right who logs on to the computer.

To find more information about enabling or disabling Shutdown Event Tracker, see “Shutdown Event Tracker Tools and Settings” in “Shutdown Event Tracker Tools and Settings.”

Using Shutdown Event Tracker with Non-English Versions of Windows Server 2003

Users can configure Shutdown Event Tracker to display standard and custom shutdown reasons in languages other than English by modifying the registry.

For example, to display the standard shutdown reasons in Romanian, the system version must be Romanian, and the user locale must be set to Romanian as well.

To display custom shutdown reasons in Romanian (or another language), users must employ the Custom Reason Editor, which writes custom shutdown reasons to the registry.

To find more information about Custom Reason Editor, click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection. After downloading Windows Resource Kit Tools, click Start, All Programs, Windows Resource Kit Tools, and then Windows Resource Kit Tools Read Me.

Network Ports Used by Shutdown Event Tracker

The following table lists the port assignments for transmitting data collected by Shutdown Event Tracker.

Port Assignments for Shutdown Event Tracker

Service Name | User Datagram Protocol (UDP) | Transmission Control Protocol (TCP)
--- | --- | ---
Windows Error Reporting (WER) | Not applicable | 443
Remote Procedure Call (RPC) | Not applicable | 445 and 139

Windows Error Reporting (WER) is a set of technologies built into Windows Server 2003 that captures product failure (also known as crash) data, enables end users to report failure information, and enables software and hardware vendors to analyze and respond to these problems.

When the Report unplanned shutdown events policy setting is enabled, error reporting will include unplanned shutdown events. When this policy setting is disabled, unplanned shutdown events will not be included in error reporting.

If this policy setting is not configured, the user is able to control unplanned shutdown reporting using Control Panel, which is set to upload unplanned shutdown events by default.

The System State Data feature uses Windows Error Reporting to transmit shutdown data to Microsoft or other designated recipient.

Note

  • Data will not be submitted to the designated recipient unless users click Send Report when presented with the Windows Error Reporting dialog box.

Related Information

The following resources contain additional information that is relevant to this section.

  • To find more information about Custom Reason Editor, click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection. After downloading Windows Resource Kit Tools, click Start, All Programs, Windows Resource Kit Tools, and then Windows Resource Kit Tools Read Me.

  • To find more information about System State Data Formatter (SSDFormat), click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection.

  • To find more information about Windows Error Reporting (WER), click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection.

  • To find more information about Poolmon.exe, click “Windows Server 2003 Resource Kit Tools Help” in Tools and Settings Collection.

  • To find more information about InitiateSystemShutdown, InitiateSystemShutdownEx, and ExitWindowsEx (the shutdown APIs), see MSDN and type the appropriate key words in the “Search for” text box.

  • To find more information about Shutdown Event Tracker command-line parameters, see “Command Line References” in Tools and Settings Collection.

  • To find more information about Shutdown Event Tracker Group Policy settings, click “Group Policy Settings Reference for Windows Server 2003” in Tools and Settings Collection.