Server issue

Peter_1985 2,486 Reputation points
2021-01-19T02:12:32.337+00:00

Hi,
The Win 2016 server has been going down by itself recently. Where can I check the root cause of this? I can see Audit failure below
57850-1l.png
How can I check for any hack (or improper action) that could lead to the server shutting down unexpectedly?


4 answers

  1. SUNOJ KUMAR YELURU 13,926 Reputation points MVP
    2021-01-19T03:23:12.197+00:00

    Hi @Peter_1985

    Description of the Shutdown Event Tracker

    which lists these event ids to monitor (quoted but edited and reformatted from article):

    Event ID 6005 (alternate): “The event log service was started.” This is synonymous to system startup.
    Event ID 6006 (alternate): “The event log service was stopped.” This is synonymous to system shutdown.
    Event ID 6008 (alternate): "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.
    Event ID 6009 (alternate): Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.

    hacking activity against windows server


  2. Peter_1985 2,486 Reputation points
    2021-01-19T04:02:52.063+00:00

    Hi,
    What is the same option on Win 2016 server? I do not see Display Shutdown Event Tracker below.
    57958-1m.png


  3. Gloria Gu 3,891 Reputation points
    2021-01-19T08:44:50.363+00:00

    Hi,

    Thank you for posting in Q&A!

    According to the official Microsoft document, event 4625 might occur in these situations:
    58057-11.png

    This same issue has been discussed before; you can refer to this thread for more suggestions:
    https://serverfault.com/questions/690770/how-to-find-source-of-4625-event-id-in-windows-server-2012

    Hope you have a nice day : )
    Gloria


  4. Peter_1985 2,486 Reputation points
    2021-01-19T15:25:41.487+00:00

    Sorry about that, I've searched Event Viewer and cannot find items related to "4625".

    How can I further identify what is causing the server to go down? It has gone down 2 times since yesterday night.
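
The event IDs named in the answers above (6005, 6006, 6008, 6009 in the System log and 4625 in the Security log) can be pulled and lined up with `Get-WinEvent`. This is an added example, not part of any post in the thread; the 7-day lookback and 60-minute window are assumed values, and reading the Security log requires an elevated session.

```powershell
# Added example: list startup/shutdown markers and check for failed logons
# (4625) shortly before each unexpected-shutdown record (6008).
$Days          = 7    # assumed lookback period
$WindowMinutes = 60   # assumed correlation window
$since = (Get-Date).AddDays(-$Days)

# Startup/shutdown markers from the System log.
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$boot = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 6005, 6006, 6008, 6009; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$boot | Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# Failed logons from the Security log, with the named EventData fields extracted.
$failed = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        SourceIp  = $data['IpAddress']
    }
}

# Event 6008 is written at the NEXT startup, so the window must be long enough
# to cover the downtime as well as the period before the shutdown itself.
foreach ($e in ($boot | Where-Object Id -eq 6008)) {
    $from = $e.TimeCreated.AddMinutes(-$WindowMinutes)
    $near = @($failed | Where-Object { $_.Time -ge $from -and $_.Time -le $e.TimeCreated })
    "{0:u}  unexpected shutdown recorded; {1} failed logon(s) in the preceding {2} min" -f `
        $e.TimeCreated, $near.Count, $WindowMinutes
    # Summarise by source address, account and logon type to spot repeated attempts.
    $near | Group-Object SourceIp, User, LogonType |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}
```

If the Security query returns nothing, as in the last post, the summary shows zero failed logons for each 6008 record, which indicates the shutdowns are not preceded by logged logon failures in that window.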