6

We have a fleet of AWS EC2 instances running Windows Server. Since moving from Windows Server 2012r2 to 2016, we've encountered an issue where a server is shut down for unknown reasons. After an exhaustive inspection of event logs, the only consistency appears to be the following:

The process C:\Windows\system32\winlogon.exe ([computername]) has initiated the power off of computer [computername] on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: power off

We've considered and theoretically ruled out the following:

  1. Windows Updates issue

    • No updates were running according to event logs or Get-WindowsUpdateLog. Sconfig > "Windows Update Settings" is set to DownloadOnly
  2. Power button toggle, or hardware/battery issue

    • This is an AWS EC2 instance and we've never experienced this with any 2012r2 or 2012 servers. If it was hardware related surely it would affect all server versions.
  3. Windows Server license expiration

    • These servers are licensed correctly according to "slmgr.vbs /dlv", and the shutdowns have happened at 39, 62, and 188 days after their initial turn-on.
  4. With old versions of mstsc there is a power button displayed on the logon screen, which can be used to turn off the system in this manner

    • This theory is largely based on this post but to be clear that is for a 2012 server, and we're on 2016. I have also not been able to repro this at all.

Does anyone have any idea what could be causing this shutdown? Or, any idea how we could go about finding more information? I've looked through every log file and event log I can find. There is also no dmp file corresponding to the time of shutdown.

Nathan
  • 141

3 Answers

3

The Reason Code says that it's a BlueScreen (SHTDN_REASON_MAJOR_SYSTEM | SHTDN_REASON_MINOR_BLUESCREEN)

Reference: https://docs.microsoft.com/fr-fr/windows/desktop/Shutdown/system-shutdown-reason-codes

You should check that your drivers/software are up to date. Don't forget to check your antivirus too, because it's possible that an outdated third-party antivirus can lead to bluescreens.

You can use BlueScreenView to help you analyze BSOD memory dumps (if any).

Swisstone
  • 7,063
1

We followed advice from the comment of @HarryJohnston and created a GPO to disable the option to shut down a server from the lock screen. The specific policy is:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options > Shutdown: Allow system to be shut down without having to log on > Disabled

Since doing this a month ago we have seen no unexpected shutdowns (and were seeing about one per week previously). It is still strange to me that AWS's default Windows Server 2016 AMI would have this option enabled, and that it would actually be accessible from somewhere, but that seems to have been the case.

Nathan
  • 141
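
To confirm that the policy above has actually reached a given server and to list past shutdowns matching the event quoted in the question, a check along these lines can be run on each instance. This is an added example, not code from the answer; the registry value name `ShutdownWithoutLogon`, event ID 1074 and the event property order are not stated on the page and are assumptions to verify on your build.

```powershell
# Added example: audit the logon-screen shutdown policy and list matching shutdowns.
# Run locally in an elevated PowerShell session on the Windows Server instance.

# Registry value assumed to back the security option "Shutdown: Allow system to
# be shut down without having to log on" (0 = Disabled, 1 = Enabled).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'ShutdownWithoutLogon'
$item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

if ($null -eq $item)       { $policy = 'not set in registry' }
elseif ($item.$name -eq 0) { $policy = 'Disabled' }
else                       { $policy = 'Enabled' }
"Shutdown without logon: $policy"

# Event ID 1074 in the System log is the "has initiated the power off" record.
# Assumed property order: 0 = process, 3 = reason code, 4 = shutdown type, 6 = user.
$filter = @{ LogName = 'System'; Id = 1074 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Keep only shutdowns initiated by winlogon.exe on behalf of SYSTEM, which is
# the pattern in the question (no interactive user named in the event).
$events |
    Where-Object {
        $_.Properties[0].Value -like '*winlogon.exe*' -and
        $_.Properties[6].Value -eq 'NT AUTHORITY\SYSTEM'
    } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated,
        @{ n = 'Process';    e = { $_.Properties[0].Value } },
        @{ n = 'ReasonCode'; e = { $_.Properties[3].Value } },
        @{ n = 'Type';       e = { $_.Properties[4].Value } },
        @{ n = 'User';       e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

A server that reports `Enabled` or `not set in registry` and also shows rows in the table is a candidate for the GPO; rows dated after the policy was applied mean the shutdown has another cause.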
0

Just wondering if this issue ever happened after you put this group policy in place?

I have the exact same issue. We have EC2 instances, and two of them were shut down. We spoke with AWS, and they said no API calls were made to shut down. We have ConnectWise Control, but it doesn't show anyone logging in.

I was able to get the exact same event ID when I shut down the server without authentication via ConnectWise Control; however, there was no one logged in at that time.

We also have Royal TS from where we access the servers. Not sure if you had any of these products.

I opened a case with Microsoft and they are not able to find it either.

I would really appreciate it if you can please let me know if the issue went away after you put the group policy in place.

Thanks