Sorry to that, I've searched out Event viewer and cannot find out items related to "4625".
How to further identify what reason is leading to server down? It has been down for 2 times since yesterday night.
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
Win 2016 server does get down by itself recently. Where to check the root reason of this? I can see Audit failure below
How to check any hack (or improper action) that could lead to server shutdown unexpectedly?
Sorry to that, I've searched out Event viewer and cannot find out items related to "4625".
How to further identify what reason is leading to server down? It has been down for 2 times since yesterday night.
Hi,
Thank you for posting in Q&A!
According to the microsoft official document, event 4625 might occurred under these situations
This same issue has been discussed before, you can refer to this thread for more suggestions:
https://serverfault.com/questions/690770/how-to-find-source-of-4625-event-id-in-windows-server-2012
Hope you have a nice day : )
Gloria
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
https://learn.microsoft.com/en-us/answers/articles/67444/email-notifications.html
Hi,
What is the same option on Win 2016 server? I do not see Display Shutdown Event Tracker below.
Hi @Peter_1985
Description of the Shutdown Event Tracker
which lists these event ids to monitor (quoted but edited and reformatted from article):
Event ID 6005 (alternate): “The event log service was started.” This is synonymous to system startup.
Event ID 6006 (alternate): “The event log service was stopped.” This is synonymous to system shutdown.
Event ID 6008 (alternate): "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.
Event ID 6009 (alternate): Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
hacking activity against windows server
Please don’t forget to Accept the answer
and up-vote
wherever the information provided helps you, this can be beneficial to other community members.