Auto system reboot of Windows Server 2008

youyiyang

Registered User.
Local time
Today, 16:07
Joined
Apr 7, 2009
Messages
49
Hi, everyone,

I am a Chinese user of Windows Server 2008 R2, and recently I noticed that this server automatically reboots at around 8:45 am every day. This server is used for file serving for my company and for a financial database too.
The event log of this auto-reboot is as follows:

Log Name: System
From: EventLog
Date: 2016-07-20 08:45:44
Event ID: 6008
Task Category: none
Class: Error
Key Word: Classic
User: none
Computer: HFGKserver.hfgk.com.cn
Description:
上一次系统的 8:43:38 在 ‎2016/‎7/‎20 上的关闭是意外的。
(It is exceptional for last system shutdown on 8:43:38 2016/7/20)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="EventLog" />
<EventID Qualifiers="32768">6008</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-07-20T00:45:44.000000000Z" />
<EventRecordID>96218</EventRecordID>
<Channel>System</Channel>
<Computer>HFGKserver.hfgk.com.cn</Computer>
<Security />
</System>
<EventData>
<Data>8:43:38</Data>
<Data>‎2016/‎7/‎20</Data>
<Data>
</Data>
<Data>
</Data>
<Data>385</Data>
<Data>
</Data>
<Data>
</Data>
<Binary>E00707000300140008002B0026008003E00707000300140000002B00260080033C0000003C000000000000000000000000000000000000000100000000000000</Binary>
</EventData>
</Event>

日志名称: System
来源: Microsoft-Windows-Kernel-Power
日期: 2016-07-19 08:47:53
事件 ID: 41
任务类别: (63)
级别: 关键
关键字: (2)
用户: SYSTEM
计算机: HFGKserver.hfgk.com.cn
描述:
系统在未首先正常关机的情况下重新启动。当系统停止响应、出现故障或意外断电时,会发生此错误。
事件 Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-Power" Guid="{331C3B3A-2005-44C2-AC5E-77220C37D6B4}" />
<EventID>41</EventID>
<Version>2</Version>
<Level>1</Level>
<Task>63</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000002</Keywords>
<TimeCreated SystemTime="2016-07-19T00:47:53.406250000Z" />
<EventRecordID>95657</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="8" />
<Channel>System</Channel>
<Computer>HFGKserver.hfgk.com.cn</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="BugcheckCode">0</Data>
<Data Name="BugcheckParameter1">0x0</Data>
<Data Name="BugcheckParameter2">0x0</Data>
<Data Name="BugcheckParameter3">0x0</Data>
<Data Name="BugcheckParameter4">0x0</Data>
<Data Name="SleepInProgress">false</Data>
<Data Name="PowerButtonTimestamp">0</Data>
</EventData>
</Event>


日志名称: System
来源: Microsoft-Windows-Kernel-Power
日期: 2016-07-18 08:44:15
事件 ID: 41
任务类别: (63)
级别: 关键
关键字: (2)
用户: SYSTEM
计算机: HFGKserver.hfgk.com.cn
描述:
系统在未首先正常关机的情况下重新启动。当系统停止响应、出现故障或意外断电时,会发生此错误。
事件 Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-Power" Guid="{331C3B3A-2005-44C2-AC5E-77220C37D6B4}" />
<EventID>41</EventID>
<Version>2</Version>
<Level>1</Level>
<Task>63</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000002</Keywords>
<TimeCreated SystemTime="2016-07-18T00:44:15.625000000Z" />
<EventRecordID>95401</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="8" />
<Channel>System</Channel>
<Computer>HFGKserver.hfgk.com.cn</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="BugcheckCode">0</Data>
<Data Name="BugcheckParameter1">0x0</Data>
<Data Name="BugcheckParameter2">0x0</Data>
<Data Name="BugcheckParameter3">0x0</Data>
<Data Name="BugcheckParameter4">0x0</Data>
<Data Name="SleepInProgress">false</Data>
<Data Name="PowerButtonTimestamp">0</Data>
</EventData>
</Event>

日志名称: System
来源: EventLog
日期: 2016-07-18 08:44:56
事件 ID: 6008
任务类别: 无
级别: 错误
关键字: 经典
用户: 暂缺
计算机: HFGKserver.hfgk.com.cn
描述:
上一次系统的 8:43:04 在 ‎2016/‎7/‎18 上的关闭是意外的。
事件 Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="EventLog" />
<EventID Qualifiers="32768">6008</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-07-18T00:44:56.000000000Z" />
<EventRecordID>95394</EventRecordID>
<Channel>System</Channel>
<Computer>HFGKserver.hfgk.com.cn</Computer>
<Security />
</System>
<EventData>
<Data>8:43:04</Data>
<Data>‎2016/‎7/‎18</Data>
<Data>
</Data>
<Data>
</Data>
<Data>1526</Data>
<Data>
</Data>
<Data>
</Data>
<Binary>E00707000100120008002B0004008502E00707000100120000002B00040085023C0000003C000000000000000000000000000000000000000100000000000000</Binary>
</EventData>
</Event>

日志名称: System
来源: EventLog
日期: 2016-07-15 08:43:54
事件 ID: 6008
任务类别: 无
级别: 错误
关键字: 经典
用户: 暂缺
计算机: HFGKserver.hfgk.com.cn
描述:
上一次系统的 8:41:15 在 ‎2016/‎7/‎15 上的关闭是意外的。
事件 Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="EventLog" />
<EventID Qualifiers="32768">6008</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-07-15T00:43:54.000000000Z" />
<EventRecordID>95062</EventRecordID>
<Channel>System</Channel>
<Computer>HFGKserver.hfgk.com.cn</Computer>
<Security />
</System>
<EventData>
<Data>8:41:15</Data>
<Data>‎2016/‎7/‎15</Data>
<Data>
</Data>
<Data>
</Data>
<Data>81227</Data>
<Data>
</Data>
<Data>
</Data>
<Binary>E007070005000F00080029000F002401E007070005000F00000029000F0024013C0000003C000000000000000000000000000000000000000100000000000000</Binary>
</EventData>
</Event>

I tried to translate the first log from English to Chinese, and I hope you can understand it.
So, how can I solve this problem?
Any suggestions would be very appreciated!
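
Added example, not part of the original post: a Python triage of Kernel-Power 41 events like the ones above. It separates a stop error from a reset with no stop code and checks whether the reboots cluster at one time of day. The function names, the UTC+8 offset (inferred from the post's timestamps) and the 30-minute window are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_TZ = timezone(timedelta(hours=8))  # assumption: server clock is UTC+8

# Trimmed copies of the two Kernel-Power 41 events in the post (only the fields used here).
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Kernel-Power" /><EventID>41</EventID>
<TimeCreated SystemTime="{ts}" /></System>
<EventData><Data Name="BugcheckCode">0</Data><Data Name="SleepInProgress">false</Data>
<Data Name="PowerButtonTimestamp">0</Data></EventData></Event>"""
SAMPLES = [TEMPLATE.format(ts=t) for t in
           ("2016-07-19T00:47:53.406250000Z", "2016-07-18T00:44:15.625000000Z")]

def parse_event(xml_text):
    """Return event id, local boot time and named EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # SystemTime carries 9 fractional digits; keep whole seconds only.
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")[:19]
    boot = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": int(system.find("e:EventID", NS).text),
            "boot_local": boot.astimezone(LOCAL_TZ), "data": data}

def classify_kernel_power_41(ev):
    """Rough cause bucket for an Event 41, based on its EventData."""
    d = ev["data"]
    if int(d.get("BugcheckCode", "0")) != 0:
        return "stop error (bugcheck): analyse the memory dump"
    if d.get("PowerButtonTimestamp", "0") != "0":
        return "power button held down"
    return "no stop code, no button press: power loss or hard hang"

def same_daily_window(events, minutes=30):
    """True when all boots fall within one short time-of-day window (no midnight wrap)."""
    mins = [e["boot_local"].hour * 60 + e["boot_local"].minute for e in events]
    return len(mins) >= 2 and max(mins) - min(mins) <= minutes

if __name__ == "__main__":
    events = [parse_event(x) for x in SAMPLES]
    for ev in events:
        print(ev["boot_local"].strftime("%Y-%m-%d %H:%M"), classify_kernel_power_41(ev))
    print("clustered at one time of day:", same_daily_window(events))
```

A zero BugcheckCode together with a tight daily cluster points away from a crash in software and towards something external that happens on a schedule, such as power or a physical event near the machine.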
 

youyiyang

Thank you @sneuberg!
You gave me abundant information with these 2 links. At first I felt there might be hackers outside causing the problem, because the Event Log showed a TermDD error message with an IPv6 address.

We also use the Remote Desktop utility to log on to the server from other computers while leaving the Guest account open. Also, in the first days when this auto reboot occurred, the server rebooted frequently. So I guessed there could be hacker attacks.
Then I disabled all the incoming TCP and UDP ports to the server at the router. Before doing that, I used anti-virus software to scan for and delete viruses completely. I am ashamed to say that our server had no anti-virus software installed before. It scanned and deleted 51 viruses, which were mainly Office worm viruses.
After that, the server reboots once in the morning at around 8:45. Now it is at about 9:00 am. So strange! I will sit in the server room at 8:30 am and see what happens when the server reboots. I will also install Process Explorer or Procmon on it to see the statistics when it reboots.
 

youyiyang

At 8:30 am yesterday morning, before I went to the server room, I used Remote Desktop to connect to the server to see whether it was running properly, but I couldn't connect to it. So I went to the room and was told by my colleague that the server was down. I asked her when it went down. She said it was just when I came to the room. Then I checked the server and tried to start it, but I failed. So I had to take it to the PC mall to have it repaired. It was a CPU failure that caused it to go down. After replacing the CPU, I will wait to see if it is OK next week.
I think the time, around 8:45 am or 9:00 am, at which the server restarts or goes down may be caused by the printing directives or something else like a Remote Desktop connection. Before that time the server is "dying" and cannot do anything.
 

sneuberg

AWF VIP
Local time
Today, 01:07
Joined
Oct 17, 2014
Messages
3,506
Thanks for keeping us in the loop on your progress.
 

youyiyang

Today is Friday. I do not feel good, because the server was OK only on Tuesday. On Monday, Wednesday and Thursday, the server rebooted at around 8:35 am.
So I entered the server room at around 8:25 am and waited to see what would happen.
The server is just a PC with no UPS connected. I had installed Process Monitor on it, but I could not find any clues about the reboot.
At about 8:31 am, I stretched my body and my feet touched the power socket on the floor that connects to the server, and the server shut down. At first, I thought there could be a remote desktop connection by other people, but after I firmly re-plugged the socket, I could start the server again.
Just then my company's cleaner came into the room to mop the floor. Then I suddenly understood why this server rebooted or shut down at around 8:30 - 9:00 am this month. The room opens at around 8:30 am, and it is the cleaner's mop touching the loose socket that makes the server reboot or shut down!
So funny that I always check the software and system first and do not even bend my head to check the hardware or the socket on the floor!
 

sneuberg

That's funny. Thanks for sharing that. You should consider submitting this story to Reader's Digest.
 

youyiyang

This week is normal. So the problem was just that loose socket. @sneuberg: The link you provided mentioned this kind of problem: "Make sure you don't have young children with itchy hands around your pc :D"
And maybe I will submit this story to my country's Reader's Digest. It is sad that my country's magazine had to be renamed to "Readers" after losing trademark litigation with its US counterpart.
 
