


 Resolution
-----------



An EC2 Windows instance can be stopped or rebooted either through AWS or through the Windows operating system. An EC2 Windows instance can be terminated only through AWS.



###  If the instance was stopped, rebooted, or terminated through AWS



You can stop, reboot, or terminate your instance through AWS from:


* The AWS Management Console
* The AWS Command Line Interface (AWS CLI)
* AWS Tools for PowerShell
* AWS APIs
* AWS SDK


If the event occurred in the last 90 days, then you can get more information about the event using [AWS CloudTrail logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). To view the event on CloudTrail, follow these steps:


1. Open the [CloudTrail console](https://console.aws.amazon.com/cloudtrail/home).
2. In the navigation pane, choose **Event history**.
3. In the Lookup attributes dropdown menu, select **Event name**.
4. For Enter an event name, enter **StopInstances** if your instance was stopped. Enter **RebootInstances** if your instance was rebooted. Enter **TerminateInstances** if your instance was terminated.
5. To see more information about an event, choose the event name. On the **StopInstances**, **RebootInstances**, or **TerminateInstances** details page, you can see the user of the AWS Identity and Access Management (IAM) that initiated the event.



###  If the instance was stopped or rebooted within the Windows OS



If the instance wasn't stopped or rebooted through AWS, then the event was likely initiated within the Windows OS. To find more information about this event within the Windows OS, follow these steps while logged in to the instance:


1. Open **Event Viewer**.
2. On the navigation pane, expand **Windows Logs** and then choose **System**.
3. On the **Actions** pane, choose **Filter Current Log**.
4. In the **All Event IDs** field, enter **1074** or **1076**.
5. The event log indicates which user initiated the event in the **Source** field.


**Note:** An EC2 Windows stop or reboot can occur at the Windows OS level when:


* A user is logged into the instance and a Windows update reboots the OS.
* An unexpected hardware failure occurs.
* An AWS planned maintenance event stops or restarts the instance.
* A third-party tool issued the command.


AWS sends notifications about [planned instance retirements](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/instance-retirement.html) and unexpected hardware failure over email or on your [Personal Health Dashboard](https://phd.aws.amazon.com/phd/home#/event-log).





---








My Amazon Elastic Compute Cloud (Amazon EC2) Windows instance was unexpectedly stopped, rebooted, or terminated. How can I identify who stopped, restarted, or terminated the instance?

Identify who stopped, rebooted, or terminated an EC2 Windows instance

How can I find who stopped, rebooted, or terminated my EC2 Windows instance?

How can I find who stopped, rebooted, or terminated my EC2 Windows instance?

Resolution

If the instance was stopped, rebooted, or terminated through AWS

If the instance was stopped or rebooted within the Windows OS

Contenido relevante