Server 2012 shuts down or reboots for no reason

Posted on June 16, 2015

We have a hosted desktop platform which runs Server 2012. We started having very odd problems whereby the VM would simply stop. We’d have to manually start the server up again.

The odd part was that it was a clean shutdown every time. The event log showed no errors; each time there were simply the following entries in the system event log:

The process LogonUI.exe has initiated the restart of computer ---------- on behalf of user NT AUTHORITY\SYSTEM for the following reason: Other (Unplanned)
 Reason Code: 0x5000000
 Shutdown Type: restart
 Comment:

The process C:\WINDOWS\system32\winlogon.exe (---------- ) has initiated the restart of computer ---------- on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x500ff
 Shutdown Type: restart
 Comment:

The process C:\WINDOWS\system32\winlogon.exe (---------- ) has initiated the power off of computer ---------- on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
 Reason Code: 0x500ff
 Shutdown Type: power off
 Comment:

The process LogonUI.exe has initiated the shutdown of computer ---------- on behalf of user NT AUTHORITY\SYSTEM for the following reason: Other (Unplanned)
 Reason Code: 0x5000000
 Shutdown Type: shutdown
 Comment:

A bit of searching around reveals nothing much about these ‘errors’ as they are pretty much stock-standard power down logs. Usually they are triggered by the power button on a PC being pressed.

Eventually we found the problem:

  • In Server 2012, there is an option on the ‘lock’ screen to shut down / restart the server.
  • This is controlled by the security policy “Allow system to be shut down without having to log on”, which is located in “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options”.
  • By default, this policy is set to ‘Not configured’ which allows the user to shut down or reboot the server.
  • Setting the policy to ‘disabled’ removes the shut down option.
  • This ‘lock’ screen may also be accessed if the user is accessing the server from a very old version of remote desktop which doesn’t prompt for the password before connecting to the console.
  • The users were able to shut down or restart the server in this fashion, even if these permissions were not granted to them. We tested this by running shutdown /r as a user, and were denied.
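
One way to check a server for this condition, added here as an example and not part of the original post. It assumes the policy is backed by the registry value ShutdownWithoutLogon and that the shutdown records quoted above are event ID 1074 from the User32 provider (neither is named in the post); the 30-day window is an arbitrary choice.

```powershell
# Added example: audit a server for the lock-screen shutdown issue described above.
# Run in an elevated PowerShell session on the server being checked.

# Registry value that backs the security option
# "Allow system to be shut down without having to log on".
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyName = 'ShutdownWithoutLogon'

$current = (Get-ItemProperty -Path $policyKey -Name $policyName `
            -ErrorAction SilentlyContinue).$policyName

$state = if ($current -eq 0) {
    'Disabled: no shut down option on the logon/lock screen'
} elseif ($current -eq 1) {
    'Enabled: anyone who reaches the logon/lock screen can shut down or restart'
} else {
    'Missing or unexpected value: set the policy explicitly to Disabled'
}
'{0} = {1} -> {2}' -f $policyName, $current, $state

# Shutdown / restart / power-off records are written to the System log
# as event ID 1074 by the User32 provider.
$lookBack = (Get-Date).AddDays(-30)   # assumption: 30 days of history is enough
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $lookBack
} -ErrorAction SilentlyContinue

# Keep only the ones started from the logon UI on behalf of SYSTEM, i.e. the
# pattern in the log entries above. A shutdown requested by a logged-on
# administrator names that account instead of NT AUTHORITY\SYSTEM.
$events |
    Where-Object { $_.Message -match 'LogonUI\.exe|winlogon\.exe' -and
                   $_.Message -match 'NT AUTHORITY\\SYSTEM' } |
    Select-Object TimeCreated,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-List

# The fix is to set the policy to Disabled in Group Policy. For a local test
# only, the equivalent registry change would be:
# Set-ItemProperty -Path $policyKey -Name $policyName -Value 0 -Type DWord
```

Correlating the TimeCreated values with RDP session reconnect times for the affected users helps confirm that the shutdowns came from the lock screen rather than from a scheduled task or the hypervisor.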

In our case, a remote user would leave their PC for 30 minutes, and when they returned it had gone to ‘sleep’. They would wake the PC up and be presented with a “Locked” screen – the RDP session.

Not knowing what to do, they would simply click the familiar ‘power off’ button, which shut down the server!

Hope this helps some other sysadmins out there scratching their heads!

Comments

Came across this in my search, though if you look at the explanation of that policy item it says:

“Default on workstations: Enabled.
Default on servers: Disabled.”

So should be disabled by default already if you’re running a terminal server?

Hi Dan
I’m not sure – I haven’t looked into it any further, however the server in question was running some multi-tenant software (managed by our upstream) which allowed for shared resources while maintaining server separation, i.e. you can see that 15gb of memory is in use, but your users are only using 4gb. Perhaps this contributed to this odd behavior.
