On what basis a reboot initiated through InitiateSystemShutdownEx gets marked as Unexpected in a Windows server machine?

Question

On what basis a reboot initiated through InitiateSystemShutdownEx gets marked as Unexpected in a Windows server machine?

george st 5

A shutdown initiated through our internal tool was getting marked as "Unexpected Reboot" in the Windows Event Viewer.

We are using

InitiateSystemShutdownW from our tool to initiate Shutdown in the with the following arguments:

lpMachineName - NULL
lpMessage - Shutdown message for Event Viewer
dwTimeout - 0
bForceAppsClosed - true
bRebootAfterShutdown - Shutdown or Reboot based on the operation

We would like to know the behavior of the API used and also whether the Shutdowns initiated through it will be marked as "Unexpected" or not? If so, We need to know at what cases the shutdown will be marked as "Unexpected" with respect to the API used. From our research, we saw that the shutdown is usually graceful and if Windows did not respond within 30 seconds, it is converted to a force reboot. Is this applicable to the Shutdown initiated using the above API as well?
We are facing this issue intermittently in multiple versions of Windows servers.

Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-08-04T06:13:23.58+00:00

As InitiateSystemShutdownW said,

To record a reason for the shutdown in the event log, call the InitiateSystemShutdownEx function.

You can also define your own shutdown reasons and add them to the registry.
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-08-11T02:22:00.41+00:00

It could be caused by bForceAppsClosed.

If this parameter is TRUE, applications with unsaved changes are to be forcibly closed. Note that this can result in data loss.

But you can record a reason for the shutdown in the event log with calling the InitiateSystemShutdownEx function.

@george st, any update?
george st 5 Reputation points

2023-08-11T06:40:56.5333333+00:00

But you can record a reason for the shutdown in the event log with calling the InitiateSystemShutdownEx function.

You mean that if we record a reason for the shutdown, even if the shutdown was made forced, it would not be marked as "Unexpected" by Windows? In that case, let me make the change in our tool as such and check.
george st 5 Reputation points

2023-08-11T06:45:24.6066667+00:00

I'll get back after making the change and try reproducing the case. Thank you for the assistance.
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-08-11T06:48:26.5466667+00:00

NO and probably not. I mean you can record a reason for the Unexpected Reboot/Shutdown.
george st 5 Reputation points

2023-08-14T12:27:18.3566667+00:00

Okay. Can you please confirm if the "Unexpected Reboot" is because of the hardware or software state of the machine during the shutdown and has nothing to do with how we initiate it, right? I mean, the reboots are not getting marked as unexpected because of the Windows API but rather because of the state in which the machine was in when the shutdown was initiated? i.e, it has more to do with Windows than our internal tool?
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-08-15T08:07:02.29+00:00

Is it still marked as unexpected when bForceAppsClosed is false?
Anonymous

2023-08-22T02:50:28.1333333+00:00

Any updates about this issue?
george st 5 Reputation points

2023-08-22T10:03:24.7733333+00:00

We are about to deploy the changes tomorrow. Will update here after monitoring it for a week

1 answer

Your answer

Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-08-04T06:13:23.58+00:00

As InitiateSystemShutdownW said,

To record a reason for the shutdown in the event log, call the InitiateSystemShutdownEx function.

You can also define your own shutdown reasons and add them to the registry.
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-08-11T02:22:00.41+00:00

It could be caused by bForceAppsClosed.

If this parameter is TRUE, applications with unsaved changes are to be forcibly closed. Note that this can result in data loss.

But you can record a reason for the shutdown in the event log with calling the InitiateSystemShutdownEx function.

@george st, any update?
george st 5 Reputation points

2023-08-11T06:40:56.5333333+00:00

But you can record a reason for the shutdown in the event log with calling the InitiateSystemShutdownEx function.

You mean that if we record a reason for the shutdown, even if the shutdown was made forced, it would not be marked as "Unexpected" by Windows? In that case, let me make the change in our tool as such and check.
george st 5 Reputation points

2023-08-11T06:45:24.6066667+00:00

I'll get back after making the change and try reproducing the case. Thank you for the assistance.
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-08-11T06:48:26.5466667+00:00

NO and probably not. I mean you can record a reason for the Unexpected Reboot/Shutdown.
george st 5 Reputation points

2023-08-14T12:27:18.3566667+00:00

Okay. Can you please confirm if the "Unexpected Reboot" is because of the hardware or software state of the machine during the shutdown and has nothing to do with how we initiate it, right? I mean, the reboots are not getting marked as unexpected because of the Windows API but rather because of the state in which the machine was in when the shutdown was initiated? i.e, it has more to do with Windows than our internal tool?
Xiaopo Yang - MSFT 12,731 Reputation points Microsoft External Staff

2023-08-15T08:07:02.29+00:00

Is it still marked as unexpected when bForceAppsClosed is false?
Anonymous

2023-08-22T02:50:28.1333333+00:00

Any updates about this issue?
george st 5 Reputation points

2023-08-22T10:03:24.7733333+00:00

We are about to deploy the changes tomorrow. Will update here after monitoring it for a week

Answer 1

Hello there,

In Windows, when a system reboot is initiated through the InitiateSystemShutdownEx function or any other method, the system determines whether the reboot is "Expected" or "Unexpected" based on various factors. An "Expected" reboot is one that was planned and initiated intentionally, while an "Unexpected" reboot is one that occurred due to a crash or some other unforeseen event. The determination of whether a reboot is marked as "Unexpected" involves analyzing system state, logs, and various conditions. Here are some key factors that can influence this determination:

Clean Shutdown vs. Crash: If the system goes through a clean shutdown process, where running applications and services are properly terminated, it's more likely to be marked as an "Expected" shutdown. On the other hand, if the system crashes or experiences a sudden power loss, it's more likely to be considered an "Unexpected" reboot.

Event Logs: Windows maintains event logs that record various system events, including shutdowns and reboots. These logs are analyzed to determine the reason for the shutdown. If the event log indicates that the system shutdown was initiated by software (such as through the InitiateSystemShutdownEx function), it's more likely to be marked as "Expected."

Blue Screen of Death (BSOD): If the system encounters a critical error that leads to a BSOD, this is generally considered an "Unexpected" reboot. The presence of a BSOD memory dump or crash dump file can indicate that the system didn't shut down gracefully.

I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–

Share via

On what basis a reboot initiated through InitiateSystemShutdownEx gets marked as Unexpected in a Windows server machine?

1 answer

Your answer