Windows event logs - server crash

windows-server-2003

System Event Log, event ID 6008.

Sample event looks like:

Source: EventLog Event ID: 6008 Description: The previous system shutdown at H:MM:SS PM on DD/MM/YYYY was unexpected.


I usually look for the messages that show up when the system starts. Then simply backtrack a bit. Depending on how the system crashed

For example a good one to look for is from the source eventlog with an id of 6005 (The event log service was started). The eventlog service usually only starts/stops when the system starts.


Have a look in the System log for event ID 1000 with source "Save Dump".


The most reliable Event ID to look for is a 6005, which notifies when the Event Log started (after the restart). Then look back to the previous handful of events to determine the time the server stopped, and started. There will usually (in the case of physical boxes) be a gap in the time of events logged.

Although technically the 6008 event is a more accurate event for a genuine hard-reboot/crash, it isn't logged in the case that some software restarted the server (an admin logged in and clicked Yes when the software requested a reboot) or when an admin accidentally rebooted the machine. The latter happens here occasionally, and the rest of us are left thinking "oh, the server crashed..."

Related

Can I limit my SSH Tunneling Speed?
Hardened PHP deployment on Ubuntu
Migrating from Sql Server Express 2005 to express 2008
Finding out the Version of Lotus Domino Server from Lotus Notes Client
What server monitoring tools will scale to 10K-100K nodes? [closed]
Is it possible to access a vm from Hyper-V server locally?
debian python2.6 as default?
How to redirect https://domain.com to https://www.domain.com using IIS?
Replace SATA controller without re-installing Windows
PostgreSQL: Permission to execute function (that inserts into a table) but no permission to insert directly
How can I determine how much memory a process is using in AIX?
Daily Activity Report On Linux [closed]