Unexpected Windows Server 2016 Shutdown: winlogon, NT AUTHORITY\SYSTEM, 0x500ff
We have a fleet of AWS EC2 instances running Windows Server. Since moving from Windows Server 2012r2 to 2016, we've encountered an issue where a server is shut down for unknown reasons. After an exhaustive inspection of event logs, the only consistency appears to be the following:
The process C:\Windows\system32\winlogon.exe ([computername]) has initiated the power off of computer [computername] on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: power off
We've considered and theoretically ruled out the following:
- Windows Updates issue
  - No updates were running according to event logs or Get-WindowsUpdateLog. Sconfig > "Windows Update Settings" is set to DownloadOnly.
- Power button toggle, or hardware/battery issue
  - This is an AWS EC2 instance and we've never experienced this with any 2012r2 or 2012 servers. If it was hardware-related, surely it would affect all server versions.
- Windows Server license expiration
  - These servers are licensed correctly according to "slmgr.vbs /dlv", and the shutdowns have happened at 39, 62, and 188 days after their initial turn-on.
- With old versions of mstsc there is a power button displayed on the logon screen, which can be used to turn off the system in this manner
  - This theory is largely based on this post, but to be clear, that is for a 2012 server, and we're on 2016. I have also not been able to repro this at all.
Does anyone have any idea what could be causing this shutdown? Or, any idea how we could go about finding more information? I've looked through every log file and event log I can find. There is also no dmp file corresponding to the time of shutdown.
Solution 1:
The Reason Code says that it's a BlueScreen (SHTDN_REASON_MAJOR_SYSTEM | SHTDN_REASON_MINOR_BLUESCREEN)
Reference: https://docs.microsoft.com/fr-fr/windows/desktop/Shutdown/system-shutdown-reason-codes
You should check that your drivers/software are up to date. Don't forget to check your antivirus too, because it's possible that an outdated third-party antivirus can lead to bluescreens.
You can use BlueScreenView to help you analyze BSOD memory dumps (if any).
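An added example, not part of the question or the answer above: this Python code parses the shutdown event message quoted in the question and splits its reason code into the planned and user-defined flags and the major and minor reason fields, using the constant values from the Windows SDK header reason.h that the referenced Microsoft page documents. The function names and the embedded sample constant are assumptions made for illustration.

```python
import re

# Reason-code layout (Windows SDK reason.h): bit 31 = planned,
# bit 30 = user-defined, bits 16-23 = major reason, bits 0-15 = minor reason.
MAJOR = {0x00: "OTHER", 0x01: "HARDWARE", 0x02: "OPERATINGSYSTEM",
         0x03: "SOFTWARE", 0x04: "APPLICATION", 0x05: "SYSTEM",
         0x06: "POWER", 0x07: "LEGACY_API"}
MINOR = {0x00: "OTHER", 0x01: "MAINTENANCE", 0x02: "INSTALLATION",
         0x03: "UPGRADE", 0x04: "RECONFIG", 0x05: "HUNG", 0x06: "UNSTABLE",
         0x07: "DISK", 0x08: "PROCESSOR", 0x09: "NETWORKCARD",
         0x0A: "POWER_SUPPLY", 0x0B: "CORDUNPLUGGED", 0x0C: "ENVIRONMENT",
         0x0D: "HARDWARE_DRIVER", 0x0E: "OTHERDRIVER", 0x0F: "BLUESCREEN",
         0x10: "SERVICEPACK", 0x11: "HOTFIX", 0x12: "SECURITYFIX",
         0x13: "SECURITY", 0x14: "NETWORK_CONNECTIVITY", 0x15: "WMI",
         0x20: "TERMSRV", 0xFF: "NONE"}

def decode_reason(code):
    """Split a shutdown reason code into its flags and major/minor names."""
    major, minor = (code >> 16) & 0xFF, code & 0xFFFF
    return {"planned": bool(code & 0x80000000),
            "user_defined": bool(code & 0x40000000),
            "major": MAJOR.get(major, hex(major)),
            "minor": MINOR.get(minor, hex(minor))}

EVENT_RE = re.compile(
    r"The process (?P<process>.+?) \((?P<host>[^)]*)\) has initiated the "
    r"(?P<action>.+?) of computer (?P<computer>\S+) on behalf of user "
    r"(?P<user>.+?) for the following reason:.*?"
    r"Reason Code:\s*(?P<code>0x[0-9a-fA-F]+).*?"
    r"Shutdown Type:\s*(?P<shutdown_type>[^\r\n]+)", re.DOTALL)

def parse_shutdown_event(message):
    """Return the initiator fields and decoded reason, or None if no match."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    event = m.groupdict()
    event["reason"] = decode_reason(int(event.pop("code"), 16))
    return event

# Sample: the event text quoted in the question, placeholders left as posted.
SAMPLE = r"""The process C:\Windows\system32\winlogon.exe ([computername]) has initiated the power off of computer [computername] on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: power off"""

if __name__ == "__main__":
    print(parse_shutdown_event(SAMPLE))
```

Run over shutdown event messages exported from several instances, the output lets the initiating process, user and decoded reason be compared side by side.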