4

A computer in domain is randomly shut down by someone (he was caught once)!

He uses shutdown /s /f /t 0 /m \\computername in windows command line to accomplish this.

After the incident some computers randomly shut down several times a week, but maybe not by the same person.

Now the question is: Is it possible to detect / monitor if a computer was shut down remotely, and by who? (eg in Event Viewer)

Improve this question
2
  • 1
    Maybe you can take a look in System Event log? I think it should contain some details about which process initiated the shutdown.
    – Eugene S
    Commented Mar 19, 2013 at 8:56
  • @EugeneS - the system log does not contain any info related to shutdowns.
    – armen
    Commented Mar 27, 2013 at 14:47

1 Answer 1

Reset to default
2

Try filtering the System log with the User32 event source, and 1074 Event ID (see more).

Unless you have enabled the Shutdown Event Tracker the "Other (Unplanned)" reason, is normal.

Improve this answer
1
  • we are running Windows XP Pro on all machines, and the article says "This feature is not included in Windows XP Professional."
    – armen
    Commented Apr 1, 2013 at 6:30

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .