if (ms) blog++;

Random bits of (hopefully) useful technical information on Windows, with a focus on understanding and troubleshooting.

"The previous shutdown was unexpected"

"The previous shutdown was unexpected"

  • Comments 8
  • Likes

In the event where Windows encounters a problem in the kernel (memory corruption, null pointer reference, explicit call to KeBugCheckEx, etc.), the "Blue Screen of Death" (BSoD) is observed.

This, we all know.

The BSoD is actually your friend - it's there to halt the system as soon as a problem is detected so that further damage is avoided, and in an ideal world Windows is also set up to produce a memory dump which can be run through a debugger to try to figure out what happened.

But even if the memory dump option is not set, information is recorded in the page file to allow Windows during restart to put an entry in the event log to indicate (roughly) what the problem was.

 

The STOP (or "bugcheck") code along with its parameters is logged with the event so we know why the server restarted.

But sometimes we get only a 6008 event: "the previous shutdown was unexpected" and no further information to indicate what happened... why would this be?

 

4 main causes spring to mind:

A) The power button was pressed (and possibly had to be held in for 4 seconds)

B) The power supply was interrupted (brownout, UPS failure, power cable yanked, etc.)

C) The physical disk holding the boot volume vanished

D) An ASR occurred

 

Hopefully the first scenario one would be aware of, and the second would either affect multiple machines or be detected by some other health-monitoring system.

 

The disk "vanishing" at the hardware level would make Windows unable to satisfy hard fault requests - this probably ends up being a STOP 0x77 (KERNEL_STACK_INPAGE_ERROR) or similar - if this was purely a software (driver) issue then we should still get a memory dump or access to the disk as we access the device without drivers when a bugcheck occurs.

Where a bugcheck is occurring but we are not getting a memory dump (and the settings indicate we ought to), then you should clear the “Automatically restart” option in the “Startup and Recovery” settings from the Advanced tab of System Properties:

 automatically-restart

Now if a bugcheck occurs, regardless of whether or not we wrote a dump file, the blue screen will remain displayed until the server is reset manually.

 

This brings me to the topic I wanted to discuss...

ASR stands for either "Automatic Server Restart" (IBM) or "Automatic Server Recovery" (HP) and is basically a ticking bomb configured in the hardware and controlled by agents running in the OS.

The countdown ticks away constantly and so long as the agent is getting CPU cycles it is able to reset the countdown, but if the OS hangs, the CPU load is at 100% for a period of time or the agent has a fault then the countdown can hit zero.

The ASR feature then effectively emulates a press of the reset button, assuming the server to be in a hung state and is an attempt to recover from the situation.

 

As the ASR relies on the agent running in the OS, when a bugcheck occurs and we effectively freeze everything else and do a dump of physical memory to the swap file, we can end up with a reboot in the middle of this process and end up with a corrupt (and useless) dump file.

ASR events are often logged in the OS by the agent and/or recorded in the BIOS/EFI - management tools such as the IBM Director or HP Insight Manager can query the agents remotely to display these events.

 

So if you have a server which is getting "unexpected shutdowns" with no record of a bugcheck occurring, it is definitely worth considering disabling any ASR feature (consult your server documentation) so that the "real" problem is uncovered.

If the server really is hanging then we want to know about it, not sweep the symptom under the carpet - and if it's only a massive CPU load for a period of time (e.g. a backup or large batch job) then interrupting this with a warm reset could be potentially devastating.

Comments
  • I am not sure what the above commentary has to do with my search for a solution to the brand new problem.  Running Windows Vista Home Premium, installed by HP on my M8330F computer, I rebooted.  When the reboot was complete, I got two messages.

    1) Windows - No Disk.  Exception Processing Message 0xc0000013 Parameters 0x76292A0 0x00000004 0x761292A0.  No matter how many times I punch the 'cancel' or 'x' buttons, this window will not close.  All software seems to work.

    2) 'Definition Update for Windows Defender - KB915597 (Definition 1.49.1123.0) Successfully installed 12/31/2008.

    So I ask, what is Windows Defender?  How can I remove this virus?  It is killing my computer!!!!  Otherwise, what other operating systems can I use & how do I install them without losing my current data & applications?  

    I just checked on the BLOG and nothing from M/S addresses corrective actions.  The M/S help services says to pay $59/hr to sit on the hold line, or to call HP about something that they did not install.

    This is FRUSTRATING on a high powered computer!!!  Please help me.

  • Hi, the symptoms you describe above are not related to the content of my blog post at all - you have 1 problematic symptom which is a pop-up message referring to some process wanting to access a drive which has no disk in it (floppy, CD, USB) and "will not take no for an answer".

    The other message you saw once is just an informational popup that Windows Defender has updated its definitions - it is a free security product from Microsoft (but is not anti-virus):

    http://www.microsoft.com/windows/products/winfamily/defender/default.mspx

    If your machine was prebuilt by HP and Vista came preinstalled then they are your OEM and your first port of call for support for Windows issues.

    The error code 0xc0000013 means STATUS_NO_MEDIA_IN_DEVICE (hence the "No disk" message that won't go away).

    I would hazard a guess that you have something in the Startup folder or in the registry that is launching a process which is trying to access one of the removable storage drives - Autoruns is a great tool for seeing what processes are running automatically on startup/logon to help diagnose these kinds of issues:

    http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    I would personally go down the route of checking:

    1. Does it occur if you start in Safe Mode?

    2. Does it occur if you create a new user account and log on as that user?

    3. Are there devices in Device Manager which have warning symbols on them?

    4. Is there any device (i.e. DVD drive) emulation software installed?

    Hope that helps!

  • Awesome article Paul, this was the best answer for this event i got in years !!!!!

  • Hey my computer keeps shutting off randomly when it tries to load games in high graphics and stuff. I.E When i try to run Fallout: New Vegas on High Graphics it shuts off right as the game is about to load, like, it'll sit at the loading screen, then after a few seconds, BAM! It shuts off. I literally have NO clue how this is happening but i looked at the event log and saw the 6008 event and googled it and it led me here, so Paul Adams i would GREATLY appreciate if you could contact me in any way. I'll check back here for replies.

  • Hi Neil,

    Reproducible issues like that where the machine shuts off completely triggered by a specific (type of) action would indicate to me one of two possibilites:

    1. The system is overheating (CPU or GPU)

    2. The sudden power demand by the (graphics) device is greater than the PSU can provide

    I would rule out (1) as the problem occurs on launch, and overheating tends to build up over time.

    Also, systems shutting down due to heat often refuse to power back on for a period of time, or until the temperature has dropped back to a safe level (I had this recently when the power cable for my 2 case fans failed, so after playing Crysis 2 for a while the whole PC just turned off and would not respond to the power button for a few minutes).

    (2) sounds much more likely as modern graphics cards have biiiig power demands - so I would focus on verifying either the card itself being faulty (pulling too much power) or the PSU not being up to scratch (the rating is the _peak_ wattage, so don't just assume that "it should handle it, the number on the side says X").

    The easiest method for troubleshooting this is to test swapping out one of the items and see if the problem goes away (or test the graphics card in another system and put it under load).

    Cheers,

    Paul

  • Paul, outstanding article. Any indication as to whether or not Dell participates in ASR, or ASR like features?  I would like to disable and am having difficulties locating the agent.

  • Not that I have heard of - HP/Compaq servers have had it for sure and I have needed to turn it off  several times to avoid problems, but I've not much experience with Dell (or other physical) servers I'm afraid.

    Cheers, Paul

  • Being a Microsoft rep; the blog that you have posted helped me a lot to convince customers what does unexpected shutdown means. So while I am pointing to another customer now; just thought of dropping you a thanks.. :)

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment