How can I find who stopped, rebooted, or terminated my EC2 Windows instance?

3 minute read

My Amazon Elastic Compute Cloud (Amazon EC2) Windows instance was unexpectedly stopped, rebooted, or terminated. How can I identify who stopped, restarted, or terminated the instance?

Resolution

An EC2 Windows instance can be stopped or rebooted either through AWS or through the Windows operating system. An EC2 Windows instance can be terminated only through AWS.

If the instance was stopped, rebooted, or terminated through AWS

You can stop, reboot, or terminate your instance through AWS from:

The AWS Management Console
The AWS Command Line Interface (AWS CLI)
AWS Tools for PowerShell
AWS APIs
AWS SDK

If the event occurred in the last 90 days, then you can get more information about the event using AWS CloudTrail logs. To view the event on CloudTrail, follow these steps:

Open the CloudTrail console.
In the navigation pane, choose Event history.
In the Lookup attributes dropdown menu, select Event name.
For Enter an event name, enter StopInstances if your instance was stopped. Enter RebootInstances if your instance was rebooted. Enter TerminateInstances if your instance was terminated.
To see more information about an event, choose the event name. On the StopInstances, RebootInstances, or TerminateInstances details page, you can see the user of the AWS Identity and Access Management (IAM) that initiated the event.

If the instance was stopped or rebooted within the Windows OS

If the instance wasn't stopped or rebooted through AWS, then the event was likely initiated within the Windows OS. To find more information about this event within the Windows OS, follow these steps while logged in to the instance:

Open Event Viewer.
On the navigation pane, expand Windows Logs and then choose System.
On the Actions pane, choose Filter Current Log.
In the All Event IDs field, enter 1074 or 1076.
The event log indicates which user initiated the event in the Source field.

Note: An EC2 Windows stop or reboot can occur at the Windows OS level when:

A user is logged into the instance and a Windows update reboots the OS.
An unexpected hardware failure occurs.
An AWS planned maintenance event stops or restarts the instance.
A third-party tool issued the command.

AWS sends notifications about planned instance retirements and unexpected hardware failure over email or on your Personal Health Dashboard.

Topics

Compute

Relevant content

EC2 instance rebooted unexpectedly
rePost-User-8825234
asked 3 months ago
EC2 Windows Server 2016 Rebooted in Safe Mode with Networking
MaximoMiller
asked 2 years ago
EC2 Windows instance stops automatically
subhasish
asked 2 months ago
How does AWS know whether an EC2 instance rebooted "cleanly"?
MK
asked 6 months ago
My Website stopped working after I rebooted the EC 2 instance
rePost-User-tax14
asked a month ago
How are Amazon EC2 instance-hours billed?
AWS OFFICIALUpdated 2 years ago
How do I resize my EC2 Windows instance or change the EC2 Windows instance type?
AWS OFFICIALUpdated 2 years ago
How can I find out if the CPU on my T2 or T3 EC2 Windows instance is being throttled?
AWS OFFICIALUpdated 2 months ago
How do I run a command on an existing EC2 Windows instance when I reboot or start the instance?
AWS OFFICIALUpdated 2 years ago
Enabling TLS 1.2 Client Side Support on EC2 Windows Server 2012 to 2022
EXPERT
Jonathan_D
published 18 days ago