Unexpected Shutdown tracking in Win 2008 R2
Hi,
Hopefully someone on this forum will be able to help me with this question.
I'm trying to work out how Windows 2008 R2 determines that an unexpected Shutdown has occurred.
The way I understood it working in Windows 2003 R2 was that a regkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\lastAliveStamp
was updated with a current timestamp periodically while the server was running. (By default every minute). During an expected shutdown that timestamp is cleared so if the server detects a value in that key during startup it assumes an unexpected shutdown occurred at the timestamp and logs a 6008 event in the system log.
If I run Process Monitor on a 2003 server I can see the timestamp being updated every minute.
This behaviour seems to have changed in 2008 R2. While the lastAliveStamp is still present, it is no longer updated and just has a static hex value. Running Process Monitor, I can't see any other regkeys being updated with timestamps every minute.
However, if I set Process Monitor for Boot Logging and reset the server I can see a key called DirtyShutdownTime being created in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\
and populated with what appears to be the correct timestamp for when the server was reset. This key is read later in the boot process and then deleted.
Since this key does not exist when the server is running I don't understand where the last alive timestamp is being stored.
I've consulted the Windows Internals book but it doesn't cover the unexpected shutdown process, and although TechNet has a pretty good flowchart of the process from 2003, it isn't specific to 2008 R2.
If anyone can give me a detailed description of how unexpected Shutdowns are tracked in 2008 R2, including what regkeys are used, it would be greatly appreciated.
Thanks in advance
Pillay
February 21st, 2011 4:12pm
Hi,
As far as I know, you may analyze the dump files to trace the unexpected shutdown.
You may also analyze them with Debugging Tools by yourself. You can install it and its Symbol Packages from the following link:
http://www.microsoft.com/whdc/Devtools/Debugging/default.mspx
WinDbg will tell you the possible cause. For more information, please read Microsoft KB article below:
How to read the small memory dump files that Windows creates for debugging
http://support.microsoft.com/kb/315263
If no clue can be found, you may contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. To troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump. Unfortunately, debugging is beyond what we can do in the forum. Please be advised that contacting phone support will be a charged call.
To obtain the phone numbers for specific technology request please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Regards,
February 22nd, 2011 12:42am
Hi Arthur,
Thanks for the response. There's not actually a dump file as this is not the result of a bluescreen. This is a situation where I don't believe an unexpected shutdown has occurred and at first glance the 6008 event seems to be logged during a normal shutdown.
Therefore I'm trying to understand what the underlying process is that's happening so I can troubleshoot. If this were a 2003 box I would think there might be a problem clearing the lastAliveStamp key and I'd investigate in that area but I don't understand how it works in 2008.
Thanks
Pillay
February 22nd, 2011 12:31pm
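One way to check the situation described in the post above (a 6008 that appears to follow a normal shutdown), as an added example that is not part of any post in this thread: for each 6008 in the System log, report whether the session before that boot also recorded a shutdown request and a clean Event Log service stop. The function name `Get-UnexpectedShutdownContext` is hypothetical, and event IDs 6005, 6006 and 1074 are assumptions that do not come from the thread.

```powershell
# Added example, not from the thread. System-log event IDs assumed here:
#   6005 Event Log service started (boot)   6006 Event Log service stopped (clean stop)
#   6008 previous shutdown was unexpected   1074 shutdown/restart requested
function Get-UnexpectedShutdownContext {
    param([Parameter(Mandatory = $true)][object[]]$Events)   # objects with Id, TimeCreated

    $sorted = @($Events | Sort-Object TimeCreated)
    $boots  = @($sorted | Where-Object { $_.Id -eq 6005 })

    foreach ($e in @($sorted | Where-Object { $_.Id -eq 6008 })) {
        # 6008 is written during startup, so pair it with the nearest 6005 in time.
        $boot = $boots |
            Sort-Object { [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) } |
            Select-Object -First 1
        $bootTime = if ($boot) { $boot.TimeCreated } else { $e.TimeCreated }

        # The previous session runs from the boot before that one up to this boot.
        $prev  = $boots | Where-Object { $_.TimeCreated -lt $bootTime } | Select-Object -Last 1
        $start = if ($prev) { $prev.TimeCreated } else { [datetime]::MinValue }
        $ids   = @($sorted |
            Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -lt $bootTime } |
            ForEach-Object { $_.Id })

        New-Object PSObject -Property @{
            Logged6008At = $e.TimeCreated
            Saw1074      = ($ids -contains 1074)   # a shutdown was requested
            Saw6006      = ($ids -contains 6006)   # Event Log service stopped cleanly
        }
    }
}

# Constructed sample: a requested shutdown that still yields 6008, then a real power loss.
$sample = @(
    @{ Id = 6005; TimeCreated = [datetime]'2011-02-20 08:00:00' },
    @{ Id = 1074; TimeCreated = [datetime]'2011-02-20 18:00:00' },
    @{ Id = 6006; TimeCreated = [datetime]'2011-02-20 18:00:30' },
    @{ Id = 6005; TimeCreated = [datetime]'2011-02-20 18:05:00' },
    @{ Id = 6008; TimeCreated = [datetime]'2011-02-20 18:05:01' },
    @{ Id = 6005; TimeCreated = [datetime]'2011-02-21 09:00:00' },
    @{ Id = 6008; TimeCreated = [datetime]'2011-02-21 09:00:01' }
) | ForEach-Object { New-Object PSObject -Property $_ }

Get-UnexpectedShutdownContext -Events $sample | Format-Table Logged6008At, Saw1074, Saw6006 -AutoSize
# On a live server, feed it real events instead:
#   Get-UnexpectedShutdownContext -Events (Get-WinEvent -FilterHashtable @{LogName='System'; Id=6005,6006,6008,1074})
```

A row where both flags are true is a 6008 logged after a shutdown that the log itself shows as requested and cleanly stopped; a row where both are false has no shutdown record before the boot.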
Hi,
Based on the current situation, would you please try to test the issue in Safe Mode and Clean Boot to determine if the possible cause is hardware or software conflicts. For the detailed steps of how to boot into Clean Boot, please refer to the following Microsoft KB article:
How to troubleshoot a problem by performing a clean boot in Windows Vista or in Windows 7
http://support.microsoft.com/kb/929135
Regards,
February 23rd, 2011 4:00am


