A colleague of mine received a request to check why an SCCM client (server OS) rebooted during office hours, and for more details about the reboot (who initiated it, etc.). I started looking at this request to find out whether the client was rebooted due to Windows patching or any applications pushed by SCCM.
During my troubleshooting, I went through several client logs, the event viewer, a SQL query, a PowerShell script, etc.
In this blog post, I will list the steps I went through to identify who rebooted the SCCM client (server OS).
1. The first thing anyone would look at is the event viewer, to find out who rebooted the server (whether it was the SCCM client or a user).
Go to Event Viewer –> Windows Logs –> System, right-click and select Filter Current Log, then enter 1074 (Event ID 1074 for reboot) as shown below.
Event ID 1074: This event is written when an application causes the system to restart, or when the user initiates a restart or shutdown by clicking Start or pressing CTRL+ALT+DELETE and then clicking Shut Down. This event is written to the System log only when the Shutdown Event Tracker group policy setting is enabled or not configured.
You will see a lot of entries with event ID 1074, of which we only look at the most recent one.
From the above screen, the most recent restart was initiated by SMS Agent Host (CcmExec) on 10/31/2016 05:45:10 PM due to application or software update installation. This doesn't tell you the username, as the restart was initiated by the system account (NT AUTHORITY\SYSTEM):
The process C:\Windows\CCM\CcmExec.exe (ComputerName) has initiated the restart of computer ComputerName on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x80020001
Shutdown Type: restart
Comment: Your computer will restart at 10/31/2016 05:45:10 PM to complete the installation of applications and software updates.
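As an added example (not part of the original post), the same filter done in PowerShell, which reads the 1074 event's properties (process, user, reason, comment) directly instead of clicking through the viewer. The log name and event ID come from the post above; the property order is assumed from the event's message template, so verify it on your OS version.

```powershell
# Added example, not from the original post: list the most recent Event ID 1074 entries
# from the System log with the fields the post reads off the dialog.
# Event 1074 message template: "The process %1 has initiated the %5 of computer %2 on
# behalf of user %7 for the following reason: %3 Reason Code: %4 ... Comment: %6"
# so Properties[0..6] = process, computer, reason, code, type, comment, user (assumed order).

function Get-RebootEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local server by default
        [int]$Last = 5                               # how many recent reboots to show
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'System'
        Id      = 1074
    } -MaxEvents $Last -ErrorAction Stop

    foreach ($e in $events) {
        $p = $e.Properties | ForEach-Object { $_.Value }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Process = $p[0]   # e.g. C:\Windows\CCM\CcmExec.exe when the SCCM client asked for it
            User    = $p[6]   # NT AUTHORITY\SYSTEM for client-initiated restarts, so not the real person
            Type    = $p[4]   # restart / shutdown
            Reason  = $p[2]
            Code    = $p[3]
            Comment = $p[5]   # the "Your computer will restart at ..." text from the post
        }
    }
}

# Newest first; a CcmExec.exe entry on behalf of SYSTEM means you still have to
# go to the client logs (steps 3 and 4) to find out who was actually logged on.
Get-RebootEvent | Format-Table -AutoSize -Wrap
```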
Now we need to find out what was installed on the server at or before the reboot time, and whether the client had a maintenance window long enough to allow the reboot.
2. Let's check the available maintenance windows for the server; that helps to analyze whether an installation with a pending reboot had a maintenance window that allowed the reboot or not.
I use the following SQL query to check the available maintenance windows for a specific client.
DECLARE @file varchar(5000);
SET @file = 'Server Name';
-- Outer select formats the maintenance windows found by the inner query
SELECT MW.[Collection Name], MW.[MW Name], MW.Description,
       CONVERT(nvarchar(26), MW.StartTime, 100) AS [StartTime], MW.Duration
FROM (
    -- Inner query: every collection the listed client(s) belong to, joined to that collection's service windows
    SELECT fcm.CollectionID, coll.Name AS [Collection Name], s.Name AS [MW Name],
           s.Description, s.StartTime, s.Duration
    FROM dbo.v_R_System sys
    RIGHT JOIN dbo.fn_SplitString(@file, ',') AS fss ON sys.Name0 = fss.substring
    JOIN dbo.v_FullCollectionMembership fcm ON sys.ResourceID = fcm.ResourceID
    JOIN dbo.v_Collection coll ON coll.CollectionID = fcm.CollectionID
    LEFT JOIN dbo.v_ServiceWindow s ON s.CollectionID = fcm.CollectionID
) AS MW
-- Drop collections that have no maintenance window at all
WHERE MW.[MW Name] NOT LIKE '';
The @file variable is there to pipe a large number of clients into the query. If you want to list the MWs for more than one client, set @file = 'server1,server2,server3,server4'.
With the above SQL query, I do not see any maintenance window available for the server at the time it rebooted.
3. Now we go back to the problem server and log in to see what was installed by SCCM at or before the reboot time.
We will look at AppEnforce.log (for applications), execmgr.log (for packages), the Windows update logs (WUAHandler.log, UpdatesHandler.log) and any other logs you suspect.
From AppEnforce.log, there was an application that installed silently without any reboot (Matched exit code 3010 to a PendingSoftReboot entry in exit codes table.)
So the application doesn't have any forced reboot option, and for sure something else caused the reboot.
4. Now take a look at RebootCoordinator.log and MaintenanceCoordinator.log to see whether they reveal some information about the reboot behavior.
From the above log, I see a couple of entries related to the server reboot which help to identify the root cause.
User S-1-5-21-1009845188-1641970364-1010270793-4361695 is getting pending reboot information
ServiceWindowsManager has not allowed us to Reboot
MTC allowed us to reboot
Notified UI grace period start with 900 grace seconds and 300 final seconds.
System reboot request succeeded.
As you see from the log, a user SID is getting pending reboot information, which means someone was logged into the server during the reboot.
How to find who that user is? Well, you can find it using the event viewer security logs or a PowerShell script that converts the SID to a user name.
I have used the PowerShell script below to convert the SID value to a user name:
# Build a SecurityIdentifier from the SID found in RebootCoordinator.log
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-1009845188-1641970364-1010270793-4361695")
# Translate it to a DOMAIN\username NTAccount and print the result
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value
Copy the script, change the SID value and run it on the problem server to find the user name.
Now I have the name of the user who was logged into the server during the reboot, but I cannot take this for granted and confirm that this user initiated the reboot.
Well, RebootCoordinator.log doesn't confirm whether the logged-in user restarted the server. So what next?
In SCCM ConfigMgr 2012 and above, there are logs for users as well. These logs record the activity for notifying the specified user about software.
These user notification logs are named SCNotify_<domain>@<username>_1.log.
Open the log for the user (SCNotify_<domain>@<username>_2.log) who was logged into the server during the reboot to see whether he/she initiated it.
From this log, I found a lot of useful information, including the entries below which confirm the user was allowed to restart the system.
RestartCountdownDialog: IsRestartSystemAllowed - user is allowed to restart system (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)
Notification is for a logoff/restart required or logoff/restart countdown. (Microsoft.SoftwareCenter.Client.Notification.NotifyObjectBase at ShowBalloonTip)
Number of total seconds in countdown is 900; starting value is 2; seconds til restart is 898, system will restart at 5:45:09 PM (utc end time = 9:45:10 AM) (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)
This confirms that the user who was logged into the server initiated the reboot, and not the SCCM client itself.
If you have any other possible methods to identify who initiated the reboot, post them in the comments section.
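Steps 3 to 5 above (RebootCoordinator.log entries, SID to user name, the user's SCNotify log) can be run as one script. This is an added example, not code from the original post: it assumes the default client log directory C:\Windows\CCM\Logs, the CMTrace line layout <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" ...>, and the SCNotify_<domain>@<username>_N.log naming the post describes.

```powershell
# Added example, not from the original post: trace a reboot through the client logs.
$logDir  = 'C:\Windows\CCM\Logs'   # assumption: default ConfigMgr client log directory
# CMTrace format: <![LOG[message]LOG]!><time="17:45:10.123+000" date="10-31-2016" ...>
$linePat = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"+-]+)[^"]*" date="(?<date>[^"]+)"'

function Get-CMLogEntry {
    # Return timestamped entries of one CMTrace log whose message matches $Filter
    param([string]$Path, [string]$Filter = '.')
    Get-Content -Path $Path | ForEach-Object {
        $m = [regex]::Match($_, $linePat)
        if ($m.Success -and $m.Groups['msg'].Value -match $Filter) {
            [pscustomobject]@{
                Time    = [datetime]::ParseExact("$($m.Groups['date'].Value) $($m.Groups['time'].Value)",
                              'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                Message = $m.Groups['msg'].Value
            }
        }
    }
}

# Step 4: the reboot decision trail (who asked, what blocked or allowed it, when it fired)
$reboot = Get-CMLogEntry -Path "$logDir\RebootCoordinator.log" `
    -Filter 'pending reboot information|ServiceWindowsManager|MTC allowed|grace period|reboot request'
$reboot | Format-Table Time, Message -AutoSize -Wrap

# Same SID-to-name translation as the post's snippet, for every SID seen in that log
$sids = $reboot.Message | Select-String -Pattern 'S-1-5-21-[\d-]+' -AllMatches |
    ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
foreach ($sid in $sids) {
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                       Translate([System.Security.Principal.NTAccount]).Value
    } catch { Write-Warning "Cannot translate $sid (deleted or foreign account)"; continue }
    Write-Host "$sid => $account"
    $domain, $user = $account.Split('\')

    # Step 5: that user's Software Center log shows whether they drove the restart countdown
    Get-ChildItem -Path $logDir -Filter "SCNotify_${domain}@${user}_*.log" | ForEach-Object {
        Get-CMLogEntry -Path $_.FullName -Filter 'IsRestartSystemAllowed|seconds til restart' |
            Format-Table Time, Message -AutoSize -Wrap
    }
}
```

Compare the "System reboot request succeeded" time from RebootCoordinator.log with the "system will restart at" time in the SCNotify entries; when they line up for a SID that was also "getting pending reboot information", the countdown was driven from that user's session.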