Problem
Windows 2012 R2 server shut down. You need to find who shut it down immediately
Cause
User with elevated privileges shut down by “accident“.
Solution
Log into the server, open event manager (go to run command and type eventvwr and click ok)
Click on the system logs, right click and choose filter current log.
Type 1074 in the event id section and click ok
From the log determine which user performed the shutdown e.g.:
The process C:\Windows\system32\winlogon.exe (ServerName) has initiated the restart of computer ServerName on behalf of user YourDomain\thatcrazyuser for the following reason: No title for this reason could be found
Shutdown Type: power off
You may also note that the shutdown type could be “restarted”
Tested Platform
Windows 2012 Server R2
Hits: 130