How do I find out why my Amazon EC2 Windows instance shut down or rebooted unexpectedly?

6 minutos de lectura
1

I want to know why my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance shut down or rebooted unexpectedly.

Short description

Windows EC2 instances might shut down or restart because of these actions:

  • A user shut down the instance locally or remotely,
  • System events such as application, drivers, or Windows operating system crash.
  • Windows update rebooted the instance to apply a cumulative update.
  • Scheduled events initiated from a script or task scheduler.
  • Application installations locally or remotely.
  • Scheduled or manual backup operations.

Resolution

Use Windows PowerShell, Windows command prompt, or the Event Viewer to see details on the date, time, and additional information for shutdown or reboot events.

Windows event IDs related to operating system shutdown or reboots

Event IDDescription
41The system has rebooted without cleanly shutting down first.
1074The system has been shut down by a user or process.
6006The Event Log service was stopped.
6008The previous system shutdown was unexpected.
6605The Event Log service was started.

Windows PowerShell

Open Windows PowerShell. Then, copy and paste this command:

Get-EventLog System -Newest 10000 | 
 Where EventId -in 41, 1074, 6006, 6605, 6008 | 
Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -wrap

Example output:

TimeGenerated        EventID UserName            Message                                                                             
-------------        ------- --------            -------                                                                             
9/15/2023 6:16:03 PM    6006                     The Event log service was stopped.                                                  
9/15/2023 6:14:10 PM    1074 NT AUTHORITY\SYSTEM The process C:\Windows\system32\shutdown.exe (EC2AMAZ-8D2NOGJ) has initiated the    
                                                 restart of computer EC2AMAZ-8D2NOGJ on behalf of user NT AUTHORITY\SYSTEM for the   
                                                 following reason: No title for this reason could be found                           
                                                  Reason Code: 0x800000ff                                                            
                                                  Shutdown Type: restart                                                             
                                                  Comment:                                                                           
8/24/2023 2:11:27 PM    1074 NT AUTHORITY\SYSTEM The process C:\Windows\system32\winlogon.exe (EC2AMAZ-8D2NOGJ) has initiated the    
                                                 power off of computer EC2AMAZ-8D2NOGJ on behalf of user NT AUTHORITY\SYSTEM for the 
                                                 following reason: No title for this reason could be found                           
                                                  Reason Code: 0x500ff                                                               
                                                  Shutdown Type: power off                                                           
                                                  Comment:                                                                           
8/24/2023 2:11:27 PM    6006                     The Event log service was stopped.                                                  
8/24/2023 2:07:44 PM    1074 NT AUTHORITY\SYSTEM The process C:\Windows\system32\winlogon.exe (EC2AMAZ-8D2NOGJ) has initiated the    
                                                 power off of computer EC2AMAZ-8D2NOGJ on behalf of user NT AUTHORITY\SYSTEM for the 
                                                 following reason: No title for this reason could be found                           
                                                  Reason Code: 0x500ff                                                               
                                                  Shutdown Type: power off                                                           
                                                  Comment:                                                                           
8/24/2023 2:07:45 PM    6006                     The Event log service was stopped.                                                  
8/24/2023 1:17:34 PM      41 NT AUTHORITY\SYSTEM The description for Event ID '41' in Source 'Microsoft-Windows-Kernel-Power' cannot 
                                                 be found.  The local computer may not have the necessary registry information or    
                                                 message DLL files to display the message, or you may not have permission to access  
                                                 them.  The following information is part of the event:'0', '0x0', '0x0', '0x0',     
                                                 '0x0', '0', '0', '0', '0', 'false', '0', '0', 'false', '0', '0', 'false'            
8/24/2023 1:17:36 PM    6008                     The previous system shutdown at 1:16:09 PM on ‎8/‎24/‎2023 was unexpected.          
8/24/2023 1:16:07 PM      41 NT AUTHORITY\SYSTEM The description for Event ID '41' in Source 'Microsoft-Windows-Kernel-Power' cannot 
                                                 be found.  The local computer may not have the necessary registry information or    
                                                 message DLL files to display the message, or you may not have permission to access  
                                                 them.  The following information is part of the event:'0', '0x0', '0x0', '0x0',     
                                                 '0x0', '0', '0', '0', '0', 'false', '0', '0', 'false', '0', '0', 'false'            
8/24/2023 1:16:09 PM    6008                     The previous system shutdown at 1:15:32 PM on ‎8/‎24/‎2023 was unexpected.          
8/24/2023 1:14:17 PM      41 NT AUTHORITY\SYSTEM The description for Event ID '41' in Source 'Microsoft-Windows-Kernel-Power' cannot 
                                                 be found.  The local computer may not have the necessary registry information or    
                                                 message DLL files to display the message, or you may not have permission to access  
                                                 them.  The following information is part of the event:'0', '0x0', '0x0', '0x0',     
                                                 '0x0', '0', '0', '0', '0', 'false', '0', '0', 'false', '0', '0', 'false'            
8/24/2023 1:14:21 PM    6008                     The previous system shutdown at 1:13:17 PM on ‎8/‎24/‎2023 was unexpected.          


Windows command prompt

Open a Windows command prompt as an administrator. Then, copy and paste this command:

wevtutil qe System /q:"*[System[(EventID=41) or (EventID=1074) or (EventID=6006) or (EventID=6005) or (EventID=6008)]]" /c:3 /f:text /rd:true

Note: You can modify the "/c:3" option with a different number to get more or fewer events.

Example output:

C:\>wevtutil qe System /q:"*[System[(EventID=41) or (EventID=1074) or (EventID=6006) or (EventID=6005) or (EventID=6008)]]" /c:3 /f:text /rd:true
Event[0]
  Log Name: System
  Source: Microsoft-Windows-Kernel-Power
  Date: 2023-08-29T09:50:39.7130000Z
  Event ID: 41
  Task: N/A
  Level: Critical
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: CPT111800524726.ant.amazon.com
  Description:
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Event Viewer

Check the Event Viewer logs to determine why the server was shut down or rebooted.

  1. Choose Start on your Windows operating system.
  2. Choose Event Viewer.
  3. In the navigation pane, expand Windows Logs, and then choose System.
  4. In the Actions pane, choose Filter Current Log.
  5. In the Filter Current Log dialog box, in the All Event IDs field, enter 41, 1074, 6006, 6605, 6008, and then choose OK.

The event logs show the date, time, and possible reason for the shutdown or reboot. For example, blue screen, crash, Windows Update, and so on. You can also use the Windows tool WinDbg to analyze crash dump files. For instructions, see Analyze crash dump files by using WinDbg on the Microsoft website.

View AWS CloudTrail events history

If the instance event happened in the last 90 days, then use AWS CloudTrail Event history to get more information about the event. To see your instance event in CloudTrail, follow these steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. In the Lookup attributes dropdown list, choose Event name.
  4. For the Event name text box, enter RebootInstances.

You can also create an Amazon CloudWatch alarm that automatically recovers Windows EC2 instances that experience issues after a reboot. For more information, see Recover your instance.

Related information

How can I find the user who stopped, rebooted, or terminated my EC2 Windows instance?

How can I use EC2Rescue to troubleshoot issues with my Amazon EC2 Windows instance?

OFICIAL DE AWS
OFICIAL DE AWSActualizada hace un año