Why did my box reboot? Getting Reboot information from the System and SCCM Reboot Coordinator logs
One of my customer's servers rebooted unexpectedly and they wanted to understand why. Here's a couple of leads on how to hunt that down.
Events in the System event log will tell us if there was a graceful reboot (through the UI or by an application) or a crash (e.g. Power Failure or BSOD) respectively.
To view these, open the Event Viewer (run Eventvwr.exe) >> Windows Logs >> System. Filter this log, and in the event IDs box enter 1074,6008. Here’s an example of what that looks like.
These events are extremely helpful in determining the cause of the reboot.
The 1074 events are graceful restarts. A user-initiated (Start > Power Button Icon > Restart) reboot through Windows (on my Windows 11 system) looks like this.
The 6008 events show ungraceful reboots, e.g. from a BSOD or power failure. They look like this:
A SCCM initiated reboot, on systems managed by SCCM, should be recorded in the SCCM Reboot Coordinator log. The default location for this is c:\windows\CCM\logs\RebootCoordinator.log
This log is in XML format and difficult to read. The built-in cmtrace tool makes this much
more legible. Run c:\windows\ccm\cmtrace.exe
c:\windows\CCM\logs\RebootCoordinator.log to view it.
I don’t have an example of a reboot I can screenshot from this log, but the
things I’d look for in this file are:
- “requested
from” – this will tell you what requested a reboot managed by the Reboot
coordinator.
- “Scheduled
reboot from”
- “allowed
us to reboot”
- “System
reboot request succeeded”
EG
Comments