Investigate when a Windows Server Lost Power

CodeUnit, 09 JAN 2010

Our server room went down the other day and I was called upon to investigate at roughly what time the room actually lost power.

The easiest way to figure this out is to look on the Windows 2003 Server machine itself, using the built-in Windows Event Viewer tool.

Windows uses a number of unique event codes to identify system shutdown and startup events, the most useful of these being:

  • 6006 – this code indicates a “graceful” shutdown, in other words a shutdown initiated by an authorized user of the system.
  • 6008 – this code indicates a system failure of some kind.
  • 6005 – this code indicates the resumption of event logging, meaning that the system has probably been rebooted and has now returned to operational state.

To get the latest time of failure, right-click on the System item in the left-hand pane of the Event Viewer and go to the View context menu option. From here click on the Filter… submenu option. In the resulting dialog window, enter 6008 in the Event ID input box, then hit Apply and then OK to close the modal dialog. The Event Viewer should now refresh and display only 6008 events in its listing.

From here it’s a matter of sorting the events by date (click on the date column header for a quick sort) and clicking on the latest 6008 entry. Opening it up, you should have a description that reads something like this:

“The previous system shutdown at x:xx:xx AM on x/x/xxx was unexpected”.

Obviously this then tells you exactly when the machine happened to fall over.

If you want to know how long the machine was down, simply compare the timestamp of the shutdown to the latest 6005 code timestamp – the difference being the amount of time the machine was offline.
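The same comparison can be scripted. The PowerShell below is an added example, not code from the original post: it goes one step further than the manual check by pairing every 6008 event in the log with the first 6005 logged after the failure time quoted in its description. The function name `Get-UnexpectedOutage`, the sample events and the assumption of English message text with US date formatting are all constructed for illustration.

```powershell
# Added example (not from the original post). Function name is hypothetical.
function Get-UnexpectedOutage {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        # Assumption: the 6008 description uses US date/time formatting
        [System.Globalization.CultureInfo] $Culture = 'en-US'
    )
    # 6005 = event logging resumed, i.e. the machine is back up
    $boots = @($Events | Where-Object { $_.EventID -eq 6005 } | Sort-Object TimeGenerated)

    foreach ($crash in @($Events | Where-Object { $_.EventID -eq 6008 })) {
        # Assumption: English text, "The previous system shutdown at <time> on <date> was unexpected"
        if ($crash.Message -notmatch 'shutdown at (.+?) on (.+) was unexpected') {
            Write-Warning "Unrecognised 6008 description: $($crash.Message)"
            continue
        }
        # Newer Windows versions can embed U+200E/U+200F marks in the date; strip them before parsing
        $stamp = ('{0} {1}' -f $Matches[2], $Matches[1]) -replace '[\u200E\u200F]', ''
        $down  = [datetime]::Parse($stamp, $Culture)

        # First 6005 after the failure time marks the return to service
        $up      = $boots | Where-Object { $_.TimeGenerated -gt $down } | Select-Object -First 1
        $resumed = $null
        $offline = $null
        if ($up) {
            $resumed = $up.TimeGenerated
            $offline = $resumed - $down
        }
        New-Object PSObject -Property @{
            PowerLost = $down; LoggingResumed = $resumed; Offline = $offline
        } | Select-Object PowerLost, LoggingResumed, Offline
    }
}

# Constructed sample events standing in for System log entries
$sample = @(
    New-Object PSObject -Property @{ EventID = 6005; TimeGenerated = [datetime]'2010-01-02 09:00:41'
        Message = 'The Event log service was started.' }
    New-Object PSObject -Property @{ EventID = 6008; TimeGenerated = [datetime]'2010-01-08 06:42:10'
        Message = 'The previous system shutdown at 3:15:02 AM on 1/8/2010 was unexpected.' }
    New-Object PSObject -Property @{ EventID = 6005; TimeGenerated = [datetime]'2010-01-08 06:42:08'
        Message = 'The Event log service was started.' }
)
Get-UnexpectedOutage -Events $sample

# On a live server, feed it the real System log instead:
# Get-UnexpectedOutage -Events (Get-EventLog -LogName System |
#     Where-Object { 6005, 6008 -contains $_.EventID })
```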

So now you know.

About Craig Lotter

Software developer, husband and dad to two little girls. Writer behind An Exploring South African. I don't have time for myself any more.