How do I find out why my Amazon EC2 Windows instance shut down or rebooted unexpectedly?
I want to know why my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance shut down or rebooted unexpectedly.
Short description
Windows EC2 instances might shut down or restart because of these actions:
- A user shut down the instance locally or remotely.
- System events such as an application, driver, or Windows operating system crash.
- Windows update rebooted the instance to apply a cumulative update.
- Scheduled events initiated from a script or task scheduler.
- Application installations locally or remotely.
- Scheduled or manual backup operations.
Resolution
Use Windows PowerShell, the Windows command prompt, or the Event Viewer to see the date, time, and additional details of shutdown or reboot events.
Windows event IDs related to operating system shutdown or reboots
Event ID | Description |
41 | The system has rebooted without cleanly shutting down first. |
1074 | The system has been shut down by a user or process. |
6006 | The Event Log service was stopped. |
6008 | The previous system shutdown was unexpected. |
6005 | The Event Log service was started. |
Windows PowerShell
Open Windows PowerShell. Then, copy and paste this command:
Get-EventLog System -Newest 10000 | Where EventId -in 41, 1074, 6006, 6005, 6008 | Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -Wrap
Example output:
TimeGenerated        EventID UserName            Message
-------------        ------- --------            -------
9/15/2023 6:16:03 PM    6006                     The Event log service was stopped.
9/15/2023 6:14:10 PM    1074 NT AUTHORITY\SYSTEM The process C:\Windows\system32\shutdown.exe (EC2AMAZ-8D2NOGJ) has initiated the restart of computer EC2AMAZ-8D2NOGJ on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
                                                 Reason Code: 0x800000ff
                                                 Shutdown Type: restart
                                                 Comment:
8/24/2023 2:11:27 PM    1074 NT AUTHORITY\SYSTEM The process C:\Windows\system32\winlogon.exe (EC2AMAZ-8D2NOGJ) has initiated the power off of computer EC2AMAZ-8D2NOGJ on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
                                                 Reason Code: 0x500ff
                                                 Shutdown Type: power off
                                                 Comment:
8/24/2023 2:11:27 PM    6006                     The Event log service was stopped.
8/24/2023 2:07:44 PM    1074 NT AUTHORITY\SYSTEM The process C:\Windows\system32\winlogon.exe (EC2AMAZ-8D2NOGJ) has initiated the power off of computer EC2AMAZ-8D2NOGJ on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
                                                 Reason Code: 0x500ff
                                                 Shutdown Type: power off
                                                 Comment:
8/24/2023 2:07:45 PM    6006                     The Event log service was stopped.
8/24/2023 1:17:34 PM      41 NT AUTHORITY\SYSTEM The description for Event ID '41' in Source 'Microsoft-Windows-Kernel-Power' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'0', '0x0', '0x0', '0x0', '0x0', '0', '0', '0', '0', 'false', '0', '0', 'false', '0', '0', 'false'
8/24/2023 1:17:36 PM    6008                     The previous system shutdown at 1:16:09 PM on 8/24/2023 was unexpected.
8/24/2023 1:16:07 PM      41 NT AUTHORITY\SYSTEM The description for Event ID '41' in Source 'Microsoft-Windows-Kernel-Power' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'0', '0x0', '0x0', '0x0', '0x0', '0', '0', '0', '0', 'false', '0', '0', 'false', '0', '0', 'false'
8/24/2023 1:16:09 PM    6008                     The previous system shutdown at 1:15:32 PM on 8/24/2023 was unexpected.
8/24/2023 1:14:17 PM      41 NT AUTHORITY\SYSTEM The description for Event ID '41' in Source 'Microsoft-Windows-Kernel-Power' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'0', '0x0', '0x0', '0x0', '0x0', '0', '0', '0', '0', 'false', '0', '0', 'false', '0', '0', 'false'
8/24/2023 1:14:21 PM    6008                     The previous system shutdown at 1:13:17 PM on 8/24/2023 was unexpected.
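The same query written with Get-WinEvent, extended to pull the initiating process, user, and shutdown type out of each event 1074 and to separate event 41 entries that recorded a stop-error code from those that did not. This is an added example, not part of the original AWS article; the 30-day window and the category labels are assumptions, and it uses event ID 6005 for the Event Log service start, as the wevtutil command does.

```powershell
# Added example: classify shutdown and reboot events in the System log.
$since  = (Get-Date).AddDays(-30)    # look-back window (assumed value)
$filter = @{ LogName = 'System'; Id = 41, 1074, 6005, 6006, 6008; StartTime = $since }

# Get-WinEvent reports a non-terminating error when nothing matches the filter.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    $row = [ordered]@{
        Time = $e.TimeCreated; EventId = $e.Id; Category = ''
        User = ''; Process = ''; ShutdownType = ''; Detail = ''
    }
    switch ($e.Id) {
        1074 {
            # Insertion strings of event 1074:
            # 0 = process, 3 = reason code, 4 = shutdown type, 6 = user.
            $row.Category     = 'Requested by user or process'
            $row.Process      = $e.Properties[0].Value
            $row.ShutdownType = $e.Properties[4].Value
            $row.User         = $e.Properties[6].Value
            $row.Detail       = "Reason code $($e.Properties[3].Value)"
        }
        41 {
            # The first data field of Kernel-Power event 41 is BugcheckCode.
            $code = [uint32]$e.Properties[0].Value
            $row.Category = 'Unclean reboot'
            $row.Detail = if ($code -ne 0) {
                'Stop error 0x{0:X}; look for a crash dump' -f $code
            } else {
                'No bugcheck recorded; system hang or power loss is likely'
            }
        }
        6008 { $row.Category = 'Previous shutdown was unexpected' }
        6006 { $row.Category = 'Event Log service stopped' }
        6005 { $row.Category = 'Event Log service started' }
    }
    [pscustomobject]$row
}

$report | Sort-Object Time | Format-Table -AutoSize -Wrap

# Unclean reboots need a closer look than requested ones.
$unclean = @($report | Where-Object { $_.EventId -in 41, 6008 })
"{0} unclean reboot event(s) since {1:d}" -f $unclean.Count, $since
```

A 1074 row whose Process or User is unfamiliar identifies what requested the shutdown, while a 41 row with a zero bugcheck code matches the all-zero event data shown in the example output above.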
Windows command prompt
Open a Windows command prompt as an administrator. Then, copy and paste this command:
wevtutil qe System /q:"*[System[(EventID=41) or (EventID=1074) or (EventID=6006) or (EventID=6005) or (EventID=6008)]]" /c:3 /f:text /rd:true
Note: To return more or fewer events, change the number in the "/c:3" option.
Example output:
C:\>wevtutil qe System /q:"*[System[(EventID=41) or (EventID=1074) or (EventID=6006) or (EventID=6005) or (EventID=6008)]]" /c:3 /f:text /rd:true
Event[0]
  Log Name: System
  Source: Microsoft-Windows-Kernel-Power
  Date: 2023-08-29T09:50:39.7130000Z
  Event ID: 41
  Task: N/A
  Level: Critical
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: CPT111800524726.ant.amazon.com
  Description:
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Event Viewer
Check the Event Viewer logs to determine why the server was shut down or rebooted.
- Choose Start on your Windows operating system.
- Choose Event Viewer.
- In the navigation pane, expand Windows Logs, and then choose System.
- In the Actions pane, choose Filter Current Log.
- In the Filter Current Log dialog box, in the All Event IDs field, enter 41, 1074, 6006, 6005, 6008, and then choose OK.
The event logs show the date, time, and possible reason for the shutdown or reboot, such as a blue screen, a crash, or Windows Update. You can also use the Windows tool WinDbg to analyze crash dump files. For instructions, see Analyze crash dump files by using WinDbg on the Microsoft website.
View AWS CloudTrail events history
If the instance event happened in the last 90 days, then use AWS CloudTrail Event history to get more information about the event. To see your instance event in CloudTrail, follow these steps:
- Open the CloudTrail console.
- In the navigation pane, choose Event history.
- In the Lookup attributes dropdown list, choose Event name.
- For the Event name text box, enter RebootInstances.
You can also create an Amazon CloudWatch alarm that automatically recovers Windows EC2 instances that experience issues after a reboot. For more information, see Recover your instance.
Related information
How can I find the user who stopped, rebooted, or terminated my EC2 Windows instance?
How can I use EC2Rescue to troubleshoot issues with my Amazon EC2 Windows instance?