Microsoft Windows Registry Guide, Second Edition

Shutdown Event Tracker

Shutdown Event Tracker is a feature of Windows Server 2003 that provides a way for IT professionals to track why users restart or shut down their computers. The feature captures the reasons users give for restarts and shutdowns to help create a comprehensive picture of an organization's system environment. It does not document why users choose other options, such as Log off or Hibernate. In Windows Server 2003, Shutdown Event Tracker is enabled by default, and its tracking is a routine part of the computer shutdown process. This section describes the registry settings that you can use to configure the feature.

More Info

For more information about the tools you can use with Shutdown Event Tracker, see http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_set_tools.asp.

Shutdown Event Tracker interacts with the registry in the following ways:

• The expected shutdown dialog box reads custom shutdown reasons from the registry.

• Remote Shutdown (Shutdown.exe) reads custom shutdown reasons from the registry. It also writes bulk annotations to the registry and deletes keys from the registry.

• Custom Reason Editor (CustReasonEdit.exe) writes custom shutdown reasons to the registry.

• The unexpected shutdown dialog box reads from the registry to determine if the previous shutdown was unexpected.

• The Event Log service writes the Shutdown Event Tracker heartbeat to the registry and then deletes it just before a normal shutdown occurs. Upon restarting, it verifies whether the heartbeat is present and, if so, writes the DirtyShutdown key to the registry. Heartbeat is a time stamp interval, written once a minute, that indicates that Shutdown Event Tracker is still enabled.

The following list describes the values that Shutdown Event Tracker uses. (Unless otherwise noted, these values are in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability.)

• BugcheckString

  This value contains the bug check string information that is used to fill in the unexpected shutdown dialog box comment field (which appears at logon after an unexpected shutdown) if the previous shutdown was caused by a system failure (also know as a system crash).

• DirtyShutdown

  This value is set during event log startup. It indicates whether a previous shutdown was expected.

• LastAliveStamp

  This value is cleared during shutdown. It indicates the date and time of the previous unexpected shutdown if it is present during startup.

• ReliabilityGUID

  This value enables a GUID to be written to the system state data file in order to uniquely identify the computer this file came from. It is not possible to physically identify the computer using this GUID, but it is possible to see how many different computers sent files and how many distinct reports were submitted by each computer. If the GUID is deleted from the registry, a new GUID is generated when a new system state data (.xml) file is created in the %SystemRoot%\System32\LogFiles\Shutdown\ directory at the time of an unplanned shutdown.

• ShutdownIgnorePredefinedReasons

  This value prevents the predefined or built-in shutdown reasons from being displayed. If at least one custom reason is defined in the registry and this key is set to 0x01, the built-in reasons are not displayed.

• TimeStampInterval

  This value defines how often LastAliveStamp (or heartbeat) is written to the registry. By default, it is written every minute in Windows Server 2003.

• UserDefined

  This subkey contains custom reasons stored as values. To add custom reasons, the user must define one value for each reason. Each reason has a major and minor code that uniquely identifies the reason.

  More Info

  For more information about Custom Reason Editor, see the Microsoft Windows Resource Kit Tools Read Me.

• ShutdownReasonUI

  Shutdown Event Tracker references the Group Policy key for this value first. If the Group Policy key is not present, then this key can be configured as 0x00 (off) or 0x01 (on). If the Group Policy key is not present and this key is invalid or missing, then Shutdown Event Tracker is off.

  NOTE

  You can use Group Policy to manage Shutdown Event Tracker. Its Group Policy settings are in Computer Configuration\Administrative Templates\System.