Working with shutdown reason code

I’m probably not the only one who ever wondered how to translate the error code in event ID 1074 to something meaningful.

The following blog post sheds some lights on this topic: https://blogs.msdn.microsoft.com/oldnewthing/20100831-00/?p=12993

Far from being the brightest code I’ve ever produced, here’s a function that tries to convert the shutdown reason code to something meaningful 😀

Function Convert-ShutdownReason {
[CmdletBinding()]
Param(
    [Parameter(Mandatory,ValueFromPipeLine)]
    $InputObject
)
Begin {}
Process {
    $InputObject | ForEach-Object {
        $test = $_
        
        $Planned = $major = $reasonMajor = $minor = $reasonMinor = $null
        switch ($_) {
            { ($_ -band 0x80000000) -eq 0x80000000 } {
                $Planned = $true # system defined
                $major = $_ -bxor 0x80000000
                break
            }
            { ($_ -band 0x40000000) -eq 0x40000000 } {
                $Planned = $true # custom user defined
                $major = $_ -bxor 0x40000000
                break
            }
            default {
                $Planned = $false # flag not set
                $major = $_
            }
        }
        switch ($major) {
            { ($_ -band 0x70000) -eq 0x70000 } {
                $reasonMajor = 'LEGACY_API'
                $minor = $_ -bxor 0x70000
                break
            }
            { ($_ -band 0x60000) -eq 0x60000 } {
                $reasonMajor ='POWER'
                $minor = $_ -bxor 0x60000
                break
            }
            { ($_ -band 0x50000) -eq 0x50000 } {
                $reasonMajor ='SYSTEM'
                $minor = $_ -bxor 0x50000
                break
            }
            { ($_ -band 0x40000) -eq 0x40000 } {
                $reasonMajor ='APPLICATION'
                $minor = $_ -bxor 0x40000
                break
            }
            { ($_ -band 0x30000) -eq 0x30000 } {
                $minor = $_ -bxor 0x30000
                $reasonMajor ='SOFTWARE'
                break
            }
            { ($_ -band 0x20000) -eq 0x20000 } {
                $reasonMajor ='OPERATINGSYSTEM'
                $minor = $_ -bxor 0x20000
                break
            }
            { ($_ -band 0x10000) -eq 0x10000 } {
                $reasonMajor ='HARDWARE'
                $minor = $_ -bxor 0x10000
                break
            }
            default {
                $reasonMajor ='OTHER'
                $minor = $_ -bxor 0x0
            }
        }

        switch ($minor) {
            { ($_ -band 0xff) -eq 0xff } {
                $reasonMinor = 'NONE'
                break    
            }
            { ($_ -band 0x22) -eq 0x22 } {
                $reasonMinor = 'DC_DEMOTION'
                break    
            }
            { ($_ -band 0x21) -eq 0x21 } {
                $reasonMinor = 'DC_PROMOTION'
                break    
            }
            { ($_ -band 0x20) -eq 0x20 } {
                $reasonMinor = 'TERMSRV'
                break    
            }
            { ($_ -band 0x19) -eq 0x19} {
                $reasonMinor ='MMC'
                break
            }
            { ($_ -band 0x18) -eq 0x18 } {
                $reasonMinor ='SECURITYFIX_UNINSTALL'
                break
            }
            { ($_ -band 0x17) -eq 0x17 } {
                $reasonMinor ='HOTFIX_UNINSTALL'
                break
            }
            { ($_ -band 0x16) -eq 0x16 } {
                $reasonMinor ='SERVICEPACK_UNINSTALL'
                break
            }
            { ($_ -band 0x15) -eq 0x15 } {
                $reasonMinor ='WMI'
                break
            }
            { ($_ -band 0x14) -eq 0x14 } {
                $reasonMinor ='NETWORK_CONNECTIVITY'
                break
            }
            { ($_ -band 0x13) -eq 0x13 } {
                $reasonMinor ='SECURITY'
                break
            }
            { ($_ -band 0x12) -eq 0x12 } {
                $reasonMinor ='SECURITYFIX'
                break
            }
            { ($_ -band 0x11) -eq 0x11} {
                $reasonMinor ='HOTFIX'
                break
            }
            { ($_ -band 0x10) -eq 0x10 } {
                $reasonMinor ='SERVICEPACK'
                break
            }
            { ($_ -band 0xf) -eq 0xf } {
                $reasonMinor ='BLUESCREEN'
                break
            }
            { ($_ -band 0xe) -eq 0xe } {
                $reasonMinor ='OTHERDRIVER'
                break
            }
            { ($_ -band 0xd) -eq 0xd } {
                $reasonMinor ='HARDWARE_DRIVER'
                break
            }
            { ($_ -band 0xc) -eq 0xc } {
                $reasonMinor ='ENVIRONMENT'
                break
            }
            { ($_ -band 0xb) -eq 0xb } {
                $reasonMinor ='CORDUNPLUGGED'
                break
            }
            { ($_ -band 0xa) -eq 0xa } {
                $reasonMinor ='POWER_SUPPLY'
                break
            }
            { ($_ -band 0x9) -eq 0x9 } {
                $reasonMinor ='NETWORKCARD'
                break
            }
            { ($_ -band 0x8) -eq 0x8 } {
                $reasonMinor ='PROCESSOR'
                break
            }
            { ($_ -band 0x7) -eq 0x7 } {
                $reasonMinor ='DISK'
                break
            }
            { ($_ -band 0x6) -eq 0x6 } {
                $reasonMinor ='UNSTABLE'
                break
            }
            { ($_ -band 0x5) -eq 0x5 } {
                $reasonMinor ='HUNG'
                break
            }
            { ($_ -band 0x4) -eq 0x4 } {
                $reasonMinor ='RECONFIG'
                break
            }
            { ($_ -band 0x3) -eq 0x3 } {
                $reasonMinor ='UPGRADE'
                break
            }
            { ($_ -band 0x2) -eq 0x2 } {
                $reasonMinor ='INSTALLATION'
                break
            }
            { ($_ -band 0x1) -eq 0x1 } {
                $reasonMinor ='MAINTENANCE'
                break
            }
            { ($_ -band 0x0) -eq 0x0 } {
                $reasonMinor ='OTHER'
                break
            }
            default {
            }
        }

        [PSCustomObject]@{
            Reason = '0x{0:X}' -f $test
            Text = '{0}: {1}' -f $reasonMajor,$reasonMinor
            Planned = $Planned
        }
    }
}
End {}
}

Here a a the most frequent shutdown reason codes I’ve encountered:

0x80020010,0x80070015,0x500ff,0x0,0x80030002,0x80030003 | 
Convert-ShutdownReason

convert-shutdown-reason-01

The shutdown reason code can be extracted from the event logs and directly piped into the function like this:

(Get-WinEvent -FilterHashtable @{ LogName = 'system';ProviderName='User32' ; Id = 1074} -MaxEvents 100) | 
Select -First 2 | Foreach-Object {
 ($_.Properties[3].Value) -as [int32]
}| 
Convert-ShutdownReason

convert-shutdown-reason-02

Advertisements

2 thoughts on “Working with shutdown reason code

  1. Hello Emin,

    Hope you are doing well.

    I am a newbie to powershell and a serial Copy/paster. I tried to run the command Convert-ShutdownReason

    And got the following:

    Convert-ShutdownReason : The term ‘Convert-ShutdownReason’ is not recognized as the name of a cmdlet, function, script
    file, or operable program.

    Can you please explain, what i am doing wrong.

    Thank you

    Kevin

    • Hello,

      Yes, the function I proposed on my blog post isn’t built-in PowerShell.
      The error message says it doesn’t recognize it because it actually wasn’t loaded into memory by any means.
      There are many ways to actually load ‘external’ code (vs. built-in/native cmdlets/functions/modules…).
      Before loading code, you should understand what it does. If you’re confident and trust the code, you can copy the code of the function (what’s between the ‘function’ keyword and the last ‘}’, including these) and paste it into your shell.
      You’ll load it as if you’ve typed it.

      To review the code, I usually first paste it into the Windows PowerShell ISE to see if there’s a copy/paste problem thanks to the syntax colors.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s