Windows Server 2016 shuts down randomly

Question

Hello,

we have a problem with two of our many Windows Server 2016 virtual servers, which at what seems random intervals go off.

In the event log there is an Information event at the time servers go off:

"

User32, eventid 1074

The process C:\WIndows\system32\winlogon.exe (RDS-PLANT1) has initiated the power off of computer RDS-PLANT1 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found

Reason Code: 0x500ff

Shutdown Type: power off

Comment:

"

this happened at following times: 25th of June 17:01:17h, 14th of June 21:34:09h, 12th of June at 20:36:05h and 16:08:57h, on 11th of June 21:40:39h, and so on (in May it occurred 10 times, in April 6 times).

We have looked for any correlating events but did not find any clue as to why these power offs occur.

Other virtual servers running on the same physical hardware don't have this problem.

Any help/hint how to find the root cause would be very much appreciated.

Thanks,

Mladen

Answer 1

Hello,

According to the information queried, Event ID 1074 indicates that the system is powered off by the winlogon.exe process representing the system. The cause code 0x500ff usually indicates that the shutdown is due to a software or driver problem.

You can take the following steps to troubleshoot this problem:

1. Check whether the power Settings of the affected server are correct. Ensure that the server is not set to shut down or hibernate after a period of inactivity.
2. Make sure your Windows Server 2016 virtual machine is fully updated with the latest patches and updates from Microsoft.
3. Ensure that the firmware and drivers associated with the virtual environment (e.g., network drivers, storage drivers) are up to date, whether on the host or guest virtual machine.
4. Run a disk check on the affected server to ensure that the hard drive is healthy and error-free.

If the problem persists, take a closer look at the event logs, especially the application logs and system logs, for error messages related to the shutdown. Please enable the option before viewing.

I hope this helps.

Best regards

Answer 2

Hello Jacen,

Thank you for your reply and suggestions.

1. Power setting are set correctly i.e. all settings related to powering off display, putting computer to sleep, etc. are set to never. Power button is set to "do nothing" and we use the High Performance power plan.
2. We regularly install windows update and we already have the CU update for June installed.
3. We use supported drivers and firmware in the complete environment. Maybe we are not at the latest possible version, but they are not old either (last update was few months ago and we are planning to install newest very soon). In the virtual OS, everything is up-to-date.
4. We have performed chkdsk on the drive and it is healthy.

I will once again checked Event log with the option "Show analytic and debug logs" turned on.

The last shutdown happened yesterday at 21:26:35h and as you can see there is no error/warning before that event.

In the Application log there is also nothing suspicious:

Is there a way to turn on some debugging so that winlogon.exe writes some more information in the log about the reason why it requested power off?

BR,

Mladen

Answer 3

Hello,

I have updated everything on the RDS session host servers, but the problem remains and the servers still power off.

Is there a way to configure debugging or more detailed logging to see what exactly triggers the power off?

I have a suspicion on one custom built application since it is the only difference to other RDS session host servers and those other servers in the same RDS deployment don't have the problem of sudden and random power offs.

This application is started with user logon (using environment parameter) and when the user closes the app, they automatically get logged out.

If there is anyone with some idea how to further troubleshoot this I would be very gratefull.

Thanks,

Mladen

Answer 4

Hello,

I have updated everything on the RDS session host servers, but the problem remains and the servers still power off.

Is there a way to configure debugging or more detailed logging to see what exactly triggers the power off?

I have a suspicion on one custom built application since it is the only difference to other RDS session host servers and those other servers in the same RDS deployment don't have the problem of sudden and random power offs.

This application is started with user logon (using environment parameter) and when the user closes the app, they automatically get logged out.

If there is anyone with some idea how to further troubleshoot this I would be very gratefull.

Thanks,

Mladen

Answer 5

After a long time I came across an article where someone was suggesting to enable advanced auditing (process creation/termination), so I gave it a try.

I did not need to wait long time and my RDS server was powered off abruptly again.

Now I traced the security log around the time when the server was powered off and found one process calling "SlideToShutDown.exe" (found on the MS Windows Server 2016 in C:\windows\system32).

It turns out that an RDP client using a touch screen (there are many in our environment), probably trying to shutdown its own device, by a fault in the way this feature works, instead of just shutting down the local device shuts down the whole server. Even though none of the users have administrative rights on the server.

I have renamed this .exe file and expect that this won't happen again. However, I really don't understand what is the purpose of this file on a Windows Server machine? And that normal shutdown is prohibited for non-admin users, but slide to shutdown works.

Hopefully this can be helpful to someone that will have a similar or same problem.

BR