Shutdown

From Piszczynski

Shutdown

Event Viewer event ID for a user-initiated shutdown: 1074


SHUTDOWN.exe

Shutdown the computer
Syntax
      SHUTDOWN [shutdown_options] [/m \\Computer] [other_options]

shutdown_options:
   /i         Display the GUI (must be the first option)

   /l         Log off. This cannot be used with /m or /d option.

   /s         Shutdown.
   /sg        Shutdown and on the next boot restart any registered applications.

   /r         Shutdown and Restart.
   /g         Shutdown and Restart, after restarting restart any registered applications.

   /a         Abort a system shutdown during the time-out period.

   /p         Turn off the local computer with no time-out or warning
              (only with /d)

   /h         Hibernate the local computer (can be used with /f )

   /e         Document the reason for an unexpected shutdown of a computer.

   /hybrid    Perform a shutdown of the computer and prepare it for fast startup. Windows 10
              Must be used with /s (shutdown) option.

   /f         Force running applications to close.
              This will not prompt for File-Save in any open applications,
              so it will result in the loss of any unsaved data.

   /soft      Perform a 'soft' shutdown/restart/logoff. Windows 10
              This will ask programs to close and wait for them to end.

   /fw        Combine with a shutdown option to cause the next boot to go to the
              firmware user interface. Windows 10

   /o         Go to the advanced boot options menu and restart the computer.
              Must be used with /r option. Windows 10

other_options:

   /m \\Computer  A remote computer to shutdown or restart.

   /t xxx      Time until system shutdown in seconds. 
               The valid range for xxx is 0-315360000 seconds (10 years) [default=30]
               The /f parameter is implied when a value greater than 0 is specified for /t

   /c "Hello"  An optional shutdown message [Max 127 chars]
               This will appear onscreen before the shutdown, and in the Windows event log comment.

   /d [u][p]:xx:yy
               List the reason code for the shutdown or restart. The following table lists the different values.
                 p will list a Planned reason code.
                 u will list a User Defined reason code.
               If neither p nor u is specified the restart or shutdown is unplannEd.
                  xx = The Major reason code (0-255) see below.
                  yy = The Minor reason code (0-65535)

               For a User defined Reason the Major reason code must be in the range 64-255,
                (If not it will be ignored and logged as unplannEd.)

Alert Messages to logged in users 


Shutdown will display one or two alert messages to the user depending on the delay (set with /t) as follows:

Delay
  < 3 minutes              - A custom popup alert appears immediately (default).
  >= 3 mins and <= 10 mins - A custom popup alert immediately and then a generic popup alert 2 mins before shutdown.
  > 10 mins and < 11 mins  - A system tray alert (with custom message) appears immediately, and then nothing else.
  >= 11 mins               - A system tray alert (with custom message) appears immediately, and then a generic popup alert 10 mins before shutdown.

System Tray alerts can be disabled/hidden by the user.
Also, if the computer goes to sleep (due to Power management) before the shutdown actually occurs, then the countdown will resume after the machine is re-awakened, so the delay is running time, not clock time.
For these reasons, setting a delay longer than 10 minutes (600 seconds) is not recommended.

If the computer is manually restarted before the schedule set with Shutdown.exe, the scheduled shutdown will be aborted.

If two shutdown commands are issued against the same computer, the first command will run and the second will fail with errorlevel 1190. If you need to make a change, abort the first command with shutdown /a

Restarting Registered Applications


The Windows Restart Manager, introduced in Windows Vista, supports restarting applications after a system shutdown if they have been registered for restart with the RegisterApplicationRestart API.
If the application is forcefully shut down (not a standard graceful termination), then the Restart Manager will not attempt to restart the application.

This functionality is used by Windows Update, Microsoft Office, IE/Edge, Visual Studio, and many other recent applications.

Event Log


Just before the computer is shut down, shutdown.exe will record the shutdown event in the Windows SYSTEM Event log with a Source=User32 and event ID 1074 along with any custom message & reason code.

The event log is the only way to tell that a reboot triggered from Shutdown.exe is pending. It also records the username and date/time when the shutdown command was issued.

When using Shutdown.exe to reboot a server, the shutdown process will normally allow 30 seconds to ensure each running service has time to stop. Services are shut down in alphabetical order. Halting the services manually in a specific order with NET STOP or SC can be slightly faster.

Reason codes

   E = unplannEd        0x10000000
   U = Unexpected       0x00000000
   P = Planned          0x80000000
   C = customer defined 0x40000000 (for these, specify your own Major reason # in the range 64-255)

Type    Major Minor Title
  U      0     0    Other (Unplanned)
 E       0     0    Other (Unplanned) 
 E P     0     0    Other (Planned)
  U      0     5    Other Failure: System Unresponsive
 E       1     1    Hardware: Maintenance (Unplanned)
 E P     1     1    Hardware: Maintenance (Planned)
 E       1     2    Hardware: Installation (Unplanned)
 E P     1     2    Hardware: Installation (Planned)
   P     2     3    Operating System: Upgrade (Planned)
 E       2     4    Operating System: Reconfiguration (Unplanned)
 E P     2     4    Operating System: Reconfiguration (Planned)
   P     2     16   Operating System: Service pack (Planned)
         2     17   Operating System: Hot fix (Unplanned)
   P     2     17   Operating System: Hot fix (Planned)
         2     18   Operating System: Security fix (Unplanned)
   P     2     18   Operating System: Security fix (Planned)
 E       4     1    Application: Maintenance (Unplanned)
 E P     4     1    Application: Maintenance (Planned)
 E P     4     2    Application: Installation (Planned)
 E       4     5    Application: Unresponsive
 E       4     6    Application: Unstable
  U      5     15   System Failure: Stop error
 E       5     19   Security issue
  U      5     19   Security issue
 E P     5     19   Security issue
 E       5     20   Loss of network connectivity (Unplanned)
  U      6     11   Power Failure: Cord Unplugged
  U      6     12   Power Failure: Environment
   P     7     0    Legacy API shutdown

The reason codes, specified with /d are logged in the Windows System Event Log as System Shutdown Reason Codes (in Hex).
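
An audit query for the event 1074 records and hex reason codes described above, as an added example that is not part of the original page. The function names are hypothetical, the insertion-string order of event 1074 is an assumption to verify on the target build, and only the P (0x80000000) and C (0x40000000) flags are decoded.

```powershell
# Added example (not from the original page): audit shutdown requests from event ID 1074.

function ConvertFrom-ShutdownReasonCode {
    param([Parameter(Mandatory)][string]$Hex)    # e.g. '0x80040002'
    # Keep the 32-bit value in an Int64 so the Planned bit is not treated as a sign bit.
    $code = [long][Convert]::ToUInt32($Hex, 16)
    [pscustomobject]@{
        ReasonCode  = '0x{0:X8}' -f $code
        Planned     = [bool](($code -shr 31) -band 1)    # P flag, 0x80000000
        UserDefined = [bool](($code -shr 30) -band 1)    # C flag, 0x40000000
        Major       = ($code -shr 16) -band 0xFF         # xx in /d xx:yy
        Minor       = $code -band 0xFFFF                 # yy in /d xx:yy
    }
}

function Get-ShutdownRequest {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    $filter = @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 }
    # SilentlyContinue: Get-WinEvent reports an error when no event matches the filter.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: insertion strings are ordered 0 process, 1 computer, 2 reason title,
            # 3 reason code, 4 shutdown type, 5 comment, 6 user. Verify on your build.
            $p   = $_.Properties
            $hex = [string]$p[3].Value
            # Decode only well-formed 32-bit hex values; otherwise leave the fields empty.
            $reason = if ($hex -match '^0x[0-9a-f]{1,8}$') { ConvertFrom-ShutdownReasonCode -Hex $hex }
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                User         = $p[6].Value
                Process      = $p[0].Value
                ShutdownType = $p[4].Value
                ReasonCode   = $hex
                Planned      = $reason.Planned
                Major        = $reason.Major
                Minor        = $reason.Minor
                Comment      = $p[5].Value
            }
        }
}

# Decode the P:4:2 example value quoted on this page, then list recent local requests.
ConvertFrom-ShutdownReasonCode -Hex '0x80040002'
Get-ShutdownRequest | Format-Table -AutoSize
```

Rows where Planned is false or the Comment is empty are the ones worth following up when reviewing who restarted a server and why.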


Shutdown.exe will also accept options prefixed with dashes instead of forward slashes: -s -f etc

Examples

Shutdown the local system in one second from now:

SHUTDOWN.exe /s /f /t 1

 Restart the remote system server64 in 60 seconds time and specify the reason "Application: Installation (Planned)" [0x80040002]: 

SHUTDOWN.exe /r /f /m \\Server64 /t 60 /d P:4:2

To shut down the local machine in 30 seconds time, force running applications to close, restart the computer after shutdown, indicate a user code, indicate that the shutdown is planned, log major/minor reason codes and a comment: 

shutdown /r /f /c "Demo of Shutdown" /d up:125:1

Restart the remote system server64 and specify the reason "Security Fix, Planned" 

shutdown /r /f /m \\server64 /d P:2:18

Using PowerShell, remotely restart a list of computers from a text file of computer names.
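$msg = "Due to network maintenance, this computer must be restarted. You have 5 minutes to save your work"
$delay = 300  # seconds
# The text file holds one computer name per line
$computers = Get-Content E:\work\MachineNames.txt
foreach ($computer in $computers)
{
   # Pass each option as its own argument; one quoted string would reach shutdown.exe as a single argument
   & 'C:\Windows\System32\SHUTDOWN.exe' -m "\\$computer" -r -c $msg -t $delay
}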

“I shall go the way of the open sea, To the lands I knew before you came,
 And the cool ocean breezes shall blow from me, The memory of your name” ~ Laurence Hope

Related:

LOGOFF - Log off a user.
PsShutdown - Shutdown/reboot/logoff one or multiple computers.
SCHTASKS - Schedule a command to run at a specific time.
EVENTCREATE - Add a message to the Windows event log.
PowerShell: Stop-Computer / Restart-Computer