Sometimes a system just goes offline or reboots and we cannot catch it in the debugger or it is not a stop error (bugcheck) so that machine just reboots from underneath you. One technique you can use is to set a breakpoint on nt!NtSetSystemPowerState. This function is the last thing called during ANY type of reboot. So you will see the calling function by using this.
Most of the time when I use this its a system that is stuck in a reboot loop on boot and it keeps loading the OS and then reboots again. I think the last time I hit this it was because someone copied over an x64 binary onto an x86 system for NTDSAI.dll so LSASS was tanking.
Here's an example:
kd> bp nt!NtSetSystemPowerState //Set the BP
kd> gBreakpoint 0 hitnt!NtSetSystemPowerState:809c7c84 68bc000000 push 0BChkd> kChildEBP RetAddrf6667d44 809b297d nt!NtSetSystemPowerStatef6667d58 808234cb nt!NtShutdownSystem+0x32f6667d58 7c8285ec nt!KiFastCallEntry+0xf80134ff74 7c827b9b ntdll!KiFastSystemCallRet0134ffb8 77e64829 ntdll!ZwShutdownSystem+0xc0134ffa0 0101f1ce kernel32!BaseThreadStart+0x34kd> .reloadConnected to Windows Server 2003 3790 x86 compatible target, ptr64 FALSELoading Kernel Symbols..........................................................................................Loading User Symbols..........................................................................Loading unloaded module list...................kd> kChildEBP RetAddrf6667d44 809b297d nt!NtSetSystemPowerStatef6667d58 808234cb nt!NtShutdownSystem+0x32f6667d58 7c8285ec nt!KiFastCallEntry+0xf80134ff74 7c827b9b ntdll!KiFastSystemCallRet0134ff78 0102ad63 ntdll!ZwShutdownSystem+0xc0134ffa0 0101f1ce winlogon!ShutdownThread+0x18c0134ffb8 77e64829 winlogon!LogoffThreadProc+0x360134ffec 00000000 kernel32!BaseThreadStart+0x34
kd> !pcrKPCR for Processor 0 at ffdff000: Major 1 Minor 1 NtTib.ExceptionList: f666764c NtTib.StackBase: 00000000 NtTib.StackLimit: 00000000 NtTib.SubSystemTib: 80042000 NtTib.Version: 0002492d NtTib.UserPointer: 00000001 NtTib.SelfTib: 7ffa5000
SelfPcr: ffdff000 Prcb: ffdff120 Irql: 00000000 IRR: 00000000 IDR: ffff24f0 InterruptMode: 00000000 IDT: 8003f400 GDT: 8003f000 TSS: 80042000
CurrentThread: 82aa03a8 NextThread: 00000000 IdleThread: 8089fd80
DpcQueue:kd> !thread 82aa03a8 //Looks like this instance it was Winlogon that was shutting the system down.THREAD 82aa03a8 Cid 0160.046c Teb: 7ffa5000 Win32Thread: e1032868 RUNNING on processor 0Not impersonatingDeviceMap e1001358Owning Process 82b36548 Image: winlogon.exeWait Start TickCount 176590 Ticks: 0Context Switch Count 175 LargeStackUserTime 00:00:00.000KernelTime 00:00:00.290Win32 Start Address winlogon!LogoffThreadProc (0x0101f198)Start Address kernel32!BaseThreadStartThunk (0x77e617ec)Stack Init f6668000 Current f6667a84 Base f6668000 Limit f6663000 Call 0Priority 15 BasePriority 13 PriorityDecrement 0ChildEBP RetAddr Args to Childf6667d44 809b297d 00000005 00000004 c0000004 nt!NtSetSystemPowerState (FPO: [Non-Fpo])f6667d58 808234cb 00000001 0134ffa0 7c8285ec nt!NtShutdownSystem+0x32 (FPO: [Non-Fpo])f6667d58 7c8285ec 00000001 0134ffa0 7c8285ec nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6667d64)0134ff74 7c827b9b 0102ad63 00000001 00002000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])0134ff78 0102ad63 00000001 00002000 0007ab38 ntdll!ZwShutdownSystem+0xc (FPO: [1,0,0])0134ffa0 0101f1ce 0134ffc0 00000000 00000000 winlogon!ShutdownThread+0x18c (FPO: [Non-Fpo])0134ffb8 77e64829 00003907 00000000 00000000 winlogon!LogoffThreadProc+0x36 (FPO: [Non-Fpo])0134ffec 00000000 0101f198 012ffa68 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])