pauby

Windows Server 2003 R2 - Who has shut down this server?

I'm hoping somebody can help me out here. I have a server that has been shut down on 3 separate occasions but I cannot definitively determine who. I'm hoping somebody can help me figure out the mysteries of the Windows Event Logs.

This is a Windows Server 2003 64-bit server without Shutdown Tracker turned on.

I have the following events:

Day 1.

17:34:23 - ID 523, 576, 538 - User1 unlocks workstation (logon type 7 - they are on via RDP session)

17:34:44 - ID 26 - Application popup - Other people are logged onto this system. Shutting down this computer .....

17:34:46 - ID 551 - User1 initiates logoff

17:34:49 - ID 551 - User2 initiates logoff

17:34:53 - ID 538 - User1 logged off

17:34:53 - ID 1517 - Cannot unload User2 profile

17:34:53 - ID 1516 - Profile for User2 unloaded

17:35:10 - ID 513 - Shutting Down

Day 2.

16:25:32 - ID 523, 576, 538 - User1 unlocks workstation (logon type 7 - they are on via RDP session)

16:25:54 - ID 26 - Application popup - Other people are logged onto this system. Shutting down this computer .....

16:25:56 - ID 551 - User1 initiates logoff

16:25:58 - ID 551 - User2 initiates logoff

Day 3.

10:45:29 - ID - User1 logon via RDP (logon type 10)

11:09:47 - ID 523, 576, 538 - User1 unlocks workstation (logon type 7)

11:38:11 - ID 26 - Application popup - Other people are logged onto this system. Shutting down this computer .....

11:38:17 - ID 551 - User1 initiates logoff

11:38:17 - ID 538 - User1 logoff

11:38:32 - ID 513 - Shutting down

To me this looks like generally the user unlocking their workstation, shutting down, saying yes to the popup and then it logging him off and shutting the server down.

I know this isn't a lot to go on, but it's all I've got.

So what I'm asking is: is this looking like what I think it is, and do I need more information, or could this be anything and I definitely need more information?
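
The correlation the question reasons through (an unlock, then the ID 26 popup, then the ID 551 logoffs and the ID 513 shutdown) can be run as a check over the timeline. This is an added example, not part of the original post: it parses the Day 1 lines in the format used above, and the 60-second window and the `UserN` account pattern are assumptions.

```python
import re
from datetime import datetime, timedelta

# Day 1 timeline copied from the post (format: HH:MM:SS - ID n[, n] - text).
TIMELINE = """\
17:34:23 - ID 523, 576, 538 - User1 unlocks workstation (logon type 7 - they are on via RDP session)
17:34:44 - ID 26 - Application popup - Other people are logged onto this system. Shutting down this computer .....
17:34:46 - ID 551 - User1 initiates logoff
17:34:49 - ID 551 - User2 initiates logoff
17:34:53 - ID 538 - User1 logged off
17:35:10 - ID 513 - Shutting Down
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) - ID ([\d, ]*)- (.*)$")
USER = re.compile(r"\bUser\d+\b")  # assumption: accounts are written as UserN

def parse(text):
    """Return a list of (time, set_of_ids, user_or_None, message) tuples."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headings and blank lines
        ids = {int(x) for x in re.findall(r"\d+", m.group(2))}
        user = USER.search(m.group(3))
        events.append((datetime.strptime(m.group(1), "%H:%M:%S"), ids,
                       user.group(0) if user else None, m.group(3)))
    return events

def shutdown_candidates(events, window=timedelta(seconds=60)):
    """For each ID 26 popup: last unlock/logon before it, first ID 551 after it."""
    results = []
    for i, (t, ids, _, _) in enumerate(events):
        if 26 not in ids:
            continue
        before = [e for e in events[:i]
                  if e[2] and "logon type" in e[3] and t - e[0] <= window]
        after = [e for e in events[i + 1:] if 551 in e[1] and e[0] - t <= window]
        results.append({
            "popup": t.strftime("%H:%M:%S"),
            "last_interactive": before[-1][2] if before else None,
            "first_logoff": after[0][2] if after else None,
            "shutdown_logged": any(513 in e[1] for e in events[i + 1:]),
        })
    return results

if __name__ == "__main__":
    print(shutdown_candidates(parse(TIMELINE)))
```

A match shows temporal proximity only, not proof of who confirmed the popup; on the Day 3 timeline the unlock is more than 28 minutes before the popup, so the 60-second window reports no interactive candidate there.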