From 29da149af497bad2915f28d4055df30b5dfab4d3 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 26 Dec 2019 16:31:11 -0800 Subject: [PATCH 01/16] Create troubleshoot-event-id-41-restart.md --- .../troubleshoot-event-id-41-restart.md | 116 ++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 windows/client-management/troubleshoot-event-id-41-restart.md diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md new file mode 100644 index 0000000000..36f16e5e74 --- /dev/null +++ b/windows/client-management/troubleshoot-event-id-41-restart.md 
@@ -0,0 +1,116 @@ +--- +title: Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" +description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue +author: Teresa-Motiv +ms.author: v-tea +ms.date: 12/26/2019 +ms.prod: W10 +ms.topic: article +ms.custom: +- CI 111437 +- CSSTroubleshooting +audience: ITPro +ms.localizationpriority: medium +keywords: +manager: kaushika + +--- + +# Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" + +> **Home users** +> This article is intended for use by support agents and IT professionals. If you're looking for more information about blue screen error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). + +The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. Then the operating system closes all files and notifies the running services and applications so that they can write any data to disk and flush any caches. + +If your computer shuts down unexpectedly, Windows logs an event that resembles the following the next time the computer starts: + +> Event ID: 41 +> Description: The system has rebooted without cleanly shutting down first. + +This event indicates that something unexpected happened that prevented Windows from shutting down correctly. Causes for such a shutdown include an interruption in the power supply or a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and, if they are present, includes them in the event data of Event ID 41. 
+ +## How to use Event ID 41 when troubleshooting an unexpected shutdown or restart + +By itself, Event ID 41 might not contain sufficient information to explicitly define what happened. Typically, you have to also consider what was happening at the time of the unexpected shutdown (for example, whether the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: + +- [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code +- [Scenario 2](#scen2): The computer restarts because you pressed and held the power button +- Scenario 3: The computer restarts randomly or becomes completely unresponsive, and Event ID 41 is missing or does not include error code information + +### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code + +When a computer shuts down or restarts because of a Stop error, Windows includes the Stop error data in Event ID 41 as part of the additional event data. This information includes the Stop error code (also called a bug check code), as shown in the following example: + +> EventData +> BugcheckCode 159 +> BugcheckParameter1 0x3 +> BugcheckParameter2 0xfffffa80029c5060 +> BugcheckParameter3 0xfffff8000403d518 +> BugcheckParameter4 0xfffffa800208c010 +> SleepInProgress false +> PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010) + +> [!NOTE] +> Event ID 41 includes the bug check code in decimal format. Most documentation on Stop error codes reference the code as a hexadecimal value instead of a decimal value. To convert decimal to hexadecimal, follow these steps: +> +> 1. Select **Start**, and then type **calc** in the **Search** box. +> 1. In the Calculator window, select **View** > **Programmer**. +> 1. On the left side of calculator, make sure that **Dec** is selected. +> 1. 
Use the keyboard to enter the decimal value of the **BugcheckCode** parameter. +> 1. On the left side of the calculator, select **Hex**. +> The value that the calculator displays is now the hexadecimal code. +> +> In the case of the example event data in this article, "159" converts to 0x0000009f. When a BugcheckCode entry is converted to a hexadecimal format, it should have eight digits. For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. + +After you identify the hexadecimal value, use the following references to continue troubleshooting: + +- [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md). +- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes. +- [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/). + +### Scenario 2: The computer restarts because you pressed and held the power button + +Because this method of restarting the computer interferes with Windows shutdown operations, we recommend only using this method if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the resulting Event ID 41 includes a non-zero value for the PowerButtonTimestamp entry. + +For help with troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." 
+ +For more information about a specific situation in which a computer may stop responding, see KB 974476, [The computer stops responding when an USB device resumes from the USB Selective Suspend state in Windows 7 or in Windows Server 2008 R2](https://support.microsoft.com/help/974476/the-computer-stops-responding-when-an-usb-device-resumes-from-the-usb). + +### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero + +This scenario includes the following circumstances: + +- You shut off power to an unresponsive computer, then start it again. + To verify that a computer is unresponsive, press the CAPS LOCK key on the keyboard. If the CAPS LOCK light on the keyboard does not change when you press the CAPS LOCK key, the computer might be completely unresponsive (also called a hard hang). +- The computer restarts, but does not generate Event ID 41. +- The computer restarts and generates Event ID 41, but the **BugcheckCode** and **PowerButtonTimestamp** values are zero. + +In such cases, something prevents Windows from generating error codes or from writing error codes to disk. Something might block write access to the disk (as in the case of an unresponsive computer) or the computer might shut down too quickly to write the error codes or even detect an error. + +The information in Event ID 41 provides some indication of where to start checking for problems: + +- **Event ID 41 is missing or the bug check code is zero**. This behavior might indicate a power supply problem. If the power supply to a computer is interrupted, the computer might shut down without generating a Stop error. If it does generate a Stop error, it might not finish writing the error codes to disk. The next time the computer starts, it might not log Event ID 41, or if it does, the bug check code is zero. 
Conditions such as the following might be the cause: + - In the case of a portable computer, the battery was removed or completely drained. + - In the case of a desktop computer, the computer was unplugged or was subject to a power outage. + - The power supply might be underpowered or faulty. + +- **The PowerButtonTimestamp value is zero**. This behavior might result if you disconnected power to a computer that was not responding to input. Conditions such as the following might be the cause: + - A Windows process blocked write access to the disk, and you shut down the computer by pressing and holding the power button for at least four seconds. + - You disconnected power to an unresponsive computer. + +Typically, the symptoms that this scenario describes indicate a hardware problem. To help isolate the problem, do the following: + +- **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify whether the issue occurs when the system runs at the correct speed. +- **Check the memory**. Use a memory checker to verify the memory health and configuration. Verify that each memory chip is the same speed and that it is configured correctly in the system. +- **Check the power supply**. Make sure that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply. +- **Overheating**. Examine the internal temperature of the hardware to verify that the system is not overheating. + +If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs. 
+ +> [!NOTE] +> If the computer reports a Stop error message that includes a bug check code, but Event ID 41 does not include that code, change the restart behavior for the computer. To do this, follow these steps: +> +> 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**. +> 1. In the **Startup and Recovery** section, select **Settings**. +> 1. Clear the **Automatically restart** checkbox. From 79e763b13bb1ae57ea051245d5e5ca936cbbc148 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 26 Dec 2019 17:47:24 -0800 Subject: [PATCH 02/16] Metadata update, TOC edit --- windows/client-management/TOC.md | 1 + windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 8da971ed53..cb93e0fb3b 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -31,5 +31,6 @@ #### [Advanced troubleshooting for Windows-based computer freeze](troubleshoot-windows-freeze.md) #### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md) #### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) +#### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) ## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 36f16e5e74..7d3b955dcb 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md 
@@ -4,7 +4,7 @@ description: Describes the circumstances that cause a computer to generate Event author: Teresa-Motiv ms.author: v-tea ms.date: 12/26/2019 -ms.prod: W10 +ms.prod: w10 ms.topic: article ms.custom: - CI 111437 From 863411f8113a28fa8de8d30f41faa501a61f5bc6 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 26 Dec 2019 17:50:26 -0800 Subject: [PATCH 03/16] Added listing --- .../client-management/change-history-for-client-management.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index 8eabad806b..adb273d21f 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -9,7 +9,7 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 12/13/2019 +ms.date: 12/27/2019 ms.reviewer: manager: dansimp ms.topic: article @@ -24,6 +24,7 @@ This topic lists new and updated topics in the [Client management](index.md) doc New or changed topic | Description --- | --- [Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New +[Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New ## December 2018 From cc278df88d8b8153ad1c768304933e2a8bbb73bf Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 26 Dec 2019 17:57:36 -0800 Subject: [PATCH 04/16] Added link to new topic --- .../advanced-troubleshooting-boot-problems.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index a9442e6fe9..5986263a1e 100644 
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -220,7 +220,6 @@ If Windows cannot load the system registry hive into memory, you must restore th If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. - ## Kernel Phase If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: @@ -228,8 +227,9 @@ If the system gets stuck during the kernel phase, you experience multiple sympto - A Stop error appears after the splash screen (Windows Logo screen). - Specific error code is displayed. - For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) + For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. + - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) + - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) - The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. From 1aaff3631f82901a02ac158556c05eea63ae2de4 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 08:45:55 -0800 Subject: [PATCH 05/16] Link fix --- windows/client-management/troubleshoot-event-id-41-restart.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 7d3b955dcb..e6cb1aa7c9 100644 
--- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -36,7 +36,7 @@ By itself, Event ID 41 might not contain sufficient information to explicitly de - [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- Scenario 3: The computer restarts randomly or becomes completely unresponsive, and Event ID 41 is missing or does not include error code information +- [Scenario 3](#scen2): The computer restarts randomly or becomes completely unresponsive, and Event ID 41 is missing or does not include error code information ### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code @@ -77,7 +77,7 @@ For help with troubleshooting an unresponsive computer, see [Windows Help](https For more information about a specific situation in which a computer may stop responding, see KB 974476, [The computer stops responding when an USB device resumes from the USB Selective Suspend state in Windows 7 or in Windows Server 2008 R2](https://support.microsoft.com/help/974476/the-computer-stops-responding-when-an-usb-device-resumes-from-the-usb). -### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero +### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero This scenario includes the following circumstances: From f6faca985df4a7deb2085af580a5ae53be2d5cdc Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 08:49:01 -0800 Subject: [PATCH 06/16] Link fix --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index e6cb1aa7c9..ce4051c23d 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -36,7 +36,7 @@ By itself, Event ID 41 might not contain sufficient information to explicitly de - [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- [Scenario 3](#scen2): The computer restarts randomly or becomes completely unresponsive, and Event ID 41 is missing or does not include error code information +- [Scenario 3](#scen2): The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero ### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code From 7feda4b2d37c9b48bba7c289b710ad8a9421cb32 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 09:13:57 -0800 Subject: [PATCH 07/16] Edits --- .../troubleshoot-event-id-41-restart.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index ce4051c23d..b3cae5846a 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md 
@@ -30,6 +30,15 @@ If your computer shuts down unexpectedly, Windows logs an event that resembles t This event indicates that something unexpected happened that prevented Windows from shutting down correctly. Causes for such a shutdown include an interruption in the power supply or a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and, if they are present, includes them in the event data of Event ID 41. +> EventData +> BugcheckCode 159 +> BugcheckParameter1 0x3 +> BugcheckParameter2 0xfffffa80029c5060 +> BugcheckParameter3 0xfffff8000403d518 +> BugcheckParameter4 0xfffffa800208c010 +> SleepInProgress false +> PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010) + ## How to use Event ID 41 when troubleshooting an unexpected shutdown or restart By itself, Event ID 41 might not contain sufficient information to explicitly define what happened. Typically, you have to also consider what was happening at the time of the unexpected shutdown (for example, whether the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: @@ -48,8 +57,6 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > BugcheckParameter2 0xfffffa80029c5060 > BugcheckParameter3 0xfffff8000403d518 > BugcheckParameter4 0xfffffa800208c010 -> SleepInProgress false -> PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010) > [!NOTE] > Event ID 41 includes the bug check code in decimal format. Most documentation on Stop error codes reference the code as a hexadecimal value instead of a decimal value. To convert decimal to hexadecimal, follow these steps: From d0c92ecbeaf4ee9345e4e901cc2b2eea2f501f40 Mon Sep 17 00:00:00 2001 
From: Teresa-Motiv Date: Fri, 27 Dec 2019 09:15:39 -0800 Subject: [PATCH 08/16] edits --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index b3cae5846a..01cf714e83 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -59,7 +59,7 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > BugcheckParameter4 0xfffffa800208c010 > [!NOTE] -> Event ID 41 includes the bug check code in decimal format. Most documentation on Stop error codes reference the code as a hexadecimal value instead of a decimal value. To convert decimal to hexadecimal, follow these steps: +> Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refers the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: > > 1. Select **Start**, and then type **calc** in the **Search** box. > 1. In the Calculator window, select **View** > **Programmer**. From 436e1e451e68f0860215891437bd21a0a208b1ae Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 09:39:35 -0800 Subject: [PATCH 09/16] edits --- .../troubleshoot-event-id-41-restart.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 01cf714e83..6ebfafc0fd 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md 
@@ -61,14 +61,14 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > [!NOTE] > Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refers the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: > -> 1. Select **Start**, and then type **calc** in the **Search** box. +> 1. Select **Start**, type **calc** in the **Search** box, and then select **Calculator**. > 1. In the Calculator window, select **View** > **Programmer**. -> 1. On the left side of calculator, make sure that **Dec** is selected. -> 1. Use the keyboard to enter the decimal value of the **BugcheckCode** parameter. +> 1. On the left side of calculator, make sure that **Dec** is highlighted. +> 1. Use the keyboard to enter the decimal value of the bug check code. > 1. On the left side of the calculator, select **Hex**. > The value that the calculator displays is now the hexadecimal code. > -> In the case of the example event data in this article, "159" converts to 0x0000009f. When a BugcheckCode entry is converted to a hexadecimal format, it should have eight digits. For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. +> When you convert a bug check code to hexadecimal format, make sure that it has eight digits (the value preceded by "0x" + enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. After you identify the hexadecimal value, use the following references to continue troubleshooting: 
@@ -78,7 +78,7 @@ After you identify the hexadecimal value, use the following references to contin ### Scenario 2: The computer restarts because you pressed and held the power button -Because this method of restarting the computer interferes with Windows shutdown operations, we recommend only using this method if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the resulting Event ID 41 includes a non-zero value for the PowerButtonTimestamp entry. +Because this method of restarting the computer interferes with Windows shutdown operations, we recommend only using this method if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the resulting Event ID 41 includes a non-zero value for the **PowerButtonTimestamp** entry. For help with troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." 
@@ -116,7 +116,7 @@ Typically, the symptoms that this scenario describes indicate a hardware problem If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs. > [!NOTE] -> If the computer reports a Stop error message that includes a bug check code, but Event ID 41 does not include that code, change the restart behavior for the computer. To do this, follow these steps: +> If you see a Stop error message that includes a bug check code, but Event ID 41 does not include that code, change the restart behavior for the computer. To do this, follow these steps: > > 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**. > 1. In the **Startup and Recovery** section, select **Settings**. From d9349086ba8b3d3ff3cdf29f3211c217a2d44d34 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 27 Dec 2019 10:31:45 -0800 Subject: [PATCH 10/16] Edits --- .../troubleshoot-event-id-41-restart.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 6ebfafc0fd..ac4cc1afbc 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -3,7 +3,7 @@ title: Advanced troubleshooting for Event ID 41 "The system has rebooted without description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue author: Teresa-Motiv ms.author: v-tea -ms.date: 12/26/2019 +ms.date: 12/27/2019 ms.prod: w10 ms.topic: article ms.custom: @@ -11,7 +11,7 @@ ms.custom: - CSSTroubleshooting audience: ITPro ms.localizationpriority: medium -keywords: +keywords: event id 41, reboot, restart, stop error, bug check code manager: kaushika --- 
@@ -45,7 +45,7 @@ By itself, Event ID 41 might not contain sufficient information to explicitly de - [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- [Scenario 3](#scen2): The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero +- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero ### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code 
@@ -111,7 +111,7 @@ Typically, the symptoms that this scenario describes indicate a hardware problem - **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify whether the issue occurs when the system runs at the correct speed. - **Check the memory**. Use a memory checker to verify the memory health and configuration. Verify that each memory chip is the same speed and that it is configured correctly in the system. - **Check the power supply**. Make sure that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply. -- **Overheating**. Examine the internal temperature of the hardware to verify that the system is not overheating. +- **Check for overheating**. Examine the internal temperature of the hardware to verify that the system is not overheating. If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs. @@ -120,4 +120,4 @@ If you perform these checks and still cannot isolate the problem, set the system > > 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**. > 1. In the **Startup and Recovery** section, select **Settings**. -> 1. Clear the **Automatically restart** checkbox. +> 1. Clear the **Automatically restart** check box. From 12a2f0c37afe1c7564772c7bacd69802e74ebf3b Mon Sep 17 00:00:00 2001 
From: Mike Eggers <49650192+v-miegge@users.noreply.github.com> Date: Mon, 30 Dec 2019 10:01:15 -0800 Subject: [PATCH 11/16] Editing changes added v-miegge added editing changes from v-jesits. --- .../troubleshoot-event-id-41-restart.md | 62 +++++++++---------- 1 file changed, 30 insertions(+), 32 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index ac4cc1afbc..00344d5d62 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md 
@@ -19,16 +19,16 @@ manager: kaushika # Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" > **Home users** -> This article is intended for use by support agents and IT professionals. If you're looking for more information about blue screen error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). +> This article is intended for use by support agents and IT professionals. If you're looking for more information about Stop code error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). -The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. Then the operating system closes all files and notifies the running services and applications so that they can write any data to disk and flush any caches. +The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. By using this standard method, the operating system closes all files and notifies the running services and applications so that they can write any unsaveddata to disk and flush any active caches. -If your computer shuts down unexpectedly, Windows logs an event that resembles the following the next time the computer starts: +If your computer shuts down unexpectedly, Windows logs Event ID 41 entry that resembles the following the next time that the computer starts: > Event ID: 41 > Description: The system has rebooted without cleanly shutting down first. -This event indicates that something unexpected happened that prevented Windows from shutting down correctly. Causes for such a shutdown include an interruption in the power supply or a Stop error. If feasible, Windows records any error codes as it shuts down. 
During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and, if they are present, includes them in the event data of Event ID 41. +This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown may be caused by an interruption in the power supply or by a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and includes any existing codes in the event data of Event ID 41. > EventData > BugcheckCode 159 
@@ -39,15 +39,15 @@ This event indicates that something unexpected happened that prevented Windows f > SleepInProgress false > PowerButtonTimestamp 0Converts to 0x9f (0x3, 0xfffffa80029c5060, 0xfffff8000403d518, 0xfffffa800208c010) -## How to use Event ID 41 when troubleshooting an unexpected shutdown or restart +## How to use Event ID 41 when you troubleshoot an unexpected shutdown or restart -By itself, Event ID 41 might not contain sufficient information to explicitly define what happened. Typically, you have to also consider what was happening at the time of the unexpected shutdown (for example, whether the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: +By itself, Event ID 41 might not contain sufficient information to explicitly define what occured. Typically, you have to also consider what was occuring at the time of the unexpected shutdown (for example, the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: -- [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a bug check code +- [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero +- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry lists error code values of zero -### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a bug check code +### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a Stop error code When a computer shuts down or 
restarts because of a Stop error, Windows includes the Stop error data in Event ID 41 as part of the additional event data. This information includes the Stop error code (also called a bug check code), as shown in the following example: 
@@ -59,59 +59,57 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > BugcheckParameter4 0xfffffa800208c010 > [!NOTE] -> Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refers the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: +> Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refer to the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: > > 1. Select **Start**, type **calc** in the **Search** box, and then select **Calculator**. -> 1. In the Calculator window, select **View** > **Programmer**. -> 1. On the left side of calculator, make sure that **Dec** is highlighted. +> 1. In the **Calculator** window, select **View** > **Programmer**. +> 1. On the left side of calculator, verify that **Dec** is highlighted. > 1. Use the keyboard to enter the decimal value of the bug check code. > 1. On the left side of the calculator, select **Hex**. > The value that the calculator displays is now the hexadecimal code. > -> When you convert a bug check code to hexadecimal format, make sure that it has eight digits (the value preceded by "0x" + enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. +> When you convert a bug check code to hexadecimal format, verify that it has eight digits following the “0x” designation (that is, the part of the code after the “x” includes enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. 
After you identify the hexadecimal value, use the following references to continue troubleshooting: - [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md). -- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes. +- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). (This page lists links to documentation for different bug check codes.) - [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/). ### Scenario 2: The computer restarts because you pressed and held the power button -Because this method of restarting the computer interferes with Windows shutdown operations, we recommend only using this method if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the resulting Event ID 41 includes a non-zero value for the **PowerButtonTimestamp** entry. +Because this method of restarting the computer interferes with the Windows shutdown operation, we recommend that you use this method only if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, Event ID 41 occurs and includes a non-zero value for the **PowerButtonTimestamp** entry. -For help with troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." 
+For help to troubleshoot an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." -For more information about a specific situation in which a computer may stop responding, see KB 974476, [The computer stops responding when an USB device resumes from the USB Selective Suspend state in Windows 7 or in Windows Server 2008 R2](https://support.microsoft.com/help/974476/the-computer-stops-responding-when-an-usb-device-resumes-from-the-usb). - -### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is missing or lists error code values of zero +### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry or lists error code values of zero This scenario includes the following circumstances: -- You shut off power to an unresponsive computer, then start it again. - To verify that a computer is unresponsive, press the CAPS LOCK key on the keyboard. If the CAPS LOCK light on the keyboard does not change when you press the CAPS LOCK key, the computer might be completely unresponsive (also called a hard hang). -- The computer restarts, but does not generate Event ID 41. +- You shut off power to an unresponsive computer, and then you restart the computer. + To verify that a computer is unresponsive, press the CAPS LOCK key on the keyboard. If the CAPS LOCK light on the keyboard does not change when you press the CAPS LOCK key, the computer might be completely unresponsive (also known as a *hard hang*). +- The computer restarts, but it does not generate Event ID 41. - The computer restarts and generates Event ID 41, but the **BugcheckCode** and **PowerButtonTimestamp** values are zero. In such cases, something prevents Windows from generating error codes or from writing error codes to disk. 
Something might block write access to the disk (as in the case of an unresponsive computer) or the computer might shut down too quickly to write the error codes or even detect an error. The information in Event ID 41 provides some indication of where to start checking for problems: -- **Event ID 41 is missing or the bug check code is zero**. This behavior might indicate a power supply problem. If the power supply to a computer is interrupted, the computer might shut down without generating a Stop error. If it does generate a Stop error, it might not finish writing the error codes to disk. The next time the computer starts, it might not log Event ID 41, or if it does, the bug check code is zero. Conditions such as the following might be the cause: +- **Event ID 41 is not recorded or the bug check code is zero**. This behavior might indicate a power supply problem. If the power to a computer is interrupted, the computer might shut down without generating a Stop error. If it does generate a Stop error, it might not finish writing the error codes to disk. The next time the computer starts, it might not log Event ID 41. Or, if it does, the bug check code is zero. Conditions such as the following might be the cause: - In the case of a portable computer, the battery was removed or completely drained. - - In the case of a desktop computer, the computer was unplugged or was subject to a power outage. - - The power supply might be underpowered or faulty. + - In the case of a desktop computer, the computer was unplugged or experienced a power outage. + - The power supply is underpowered or faulty. -- **The PowerButtonTimestamp value is zero**. This behavior might result if you disconnected power to a computer that was not responding to input. Conditions such as the following might be the cause: +- **The PowerButtonTimestamp value is zero**. This behavior might occur if you disconnected the power to a computer that was not responding to input. 
Conditions such as the following might be the cause: - A Windows process blocked write access to the disk, and you shut down the computer by pressing and holding the power button for at least four seconds. - - You disconnected power to an unresponsive computer. + - You disconnected the power to an unresponsive computer. -Typically, the symptoms that this scenario describes indicate a hardware problem. To help isolate the problem, do the following: +Typically, the symptoms described in this scenario indicate a hardware problem. To help isolate the problem, do the following: -- **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify whether the issue occurs when the system runs at the correct speed. -- **Check the memory**. Use a memory checker to verify the memory health and configuration. Verify that each memory chip is the same speed and that it is configured correctly in the system. -- **Check the power supply**. Make sure that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply. -- **Check for overheating**. Examine the internal temperature of the hardware to verify that the system is not overheating. +- **Disable overclocking**. If the computer has overclocking enabled, disable it. Verify that the issue occurs when the system runs at the correct speed. +- **Check the memory**. Use a memory checker to determine the memory health and configuration. Verify that all memory chips run at the same speed and that every chip is configured correctly in the system. +- **Check the power supply**. 
Verify that the power supply has enough wattage to appropriately handle the installed devices. If you added memory, installed a newer processor, installed additional drives, or added external devices, such devices can require more energy than the current power supply can provide consistently. If the computer logged Event ID 41 because the power to the computer was interrupted, consider obtaining an uninterruptible power supply (UPS) such as a battery backup power supply. +- **Check for overheating**. Examine the internal temperature of the hardware and check for any overheating components. If you perform these checks and still cannot isolate the problem, set the system to its default configuration and verify whether the issue still occurs. From 01becd9a16a75a2ab5da6208c265392c1db2629c Mon Sep 17 00:00:00 2001 From: Mike Eggers <49650192+v-miegge@users.noreply.github.com> Date: Mon, 30 Dec 2019 11:10:19 -0800 Subject: [PATCH 12/16] Edit to title --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 00344d5d62..c982cc7835 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -1,5 +1,5 @@ --- -title: Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" +title: Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first" description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue author: Teresa-Motiv ms.author: v-tea From 0a7c062cad44e932bcb549054790751c48b01e4f Mon Sep 17 00:00:00 2001 
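Review bot: In PATCH 11/16, hunk @@ -19,16, the rewritten shutdown paragraph introduces the run-together word "unsaveddata", and the next added sentence, "Windows logs Event ID 41 entry that resembles the following", is missing an article (for example "logs an Event ID 41 entry"). The same hunk changes the Home users note to "Stop code error messages" while the link text it points to still reads "Troubleshoot blue screen errors"; keep the two terms aligned.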
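Review bot: In PATCH 11/16, hunk @@ -39,15, the added introductory sentence misspells "occurred" and "occurring" as "occured" and "occuring". The hunk also rewords the Scenario 3 list entry to "is not recorded or the Event ID 41 entry lists error code values of zero", so the Scenario 3 heading changed in hunk @@ -59,59 should be checked against it word for word, since the anchor list and the headings are meant to match.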
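Review bot: In PATCH 11/16, hunk @@ -59,59, the "Disable overclocking" step changes "Verify whether the issue occurs" to "Verify that the issue occurs when the system runs at the correct speed", which turns an open diagnostic check into an expectation that the fault will reproduce; keep "whether". In the same hunk the new Scenario 3 heading contains a stray "or" ("the Event ID 41 entry or lists error code values of zero"), "Most documentation ... refer to" should be "refers to", the NOTE now mixes curly quotation marks around 0x with straight ones around "159", and the KB 974476 paragraph is deleted without any mention in the commit message.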
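Review bot: In PATCH 12/16, hunk @@ -1,5, the new front-matter title is an unquoted YAML value that now contains a colon followed by a space (Event ID 41: "The system has rebooted ..."), which a YAML parser treats as a mapping indicator rather than as part of the string, so the metadata block can fail to parse. Either quote the whole title value and escape the inner quotation marks, or use a separator that does not contain a colon.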
From: Mike Eggers <49650192+v-miegge@users.noreply.github.com> Date: Mon, 30 Dec 2019 11:11:33 -0800 Subject: [PATCH 13/16] Update troubleshoot-event-id-41-restart.md --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index c982cc7835..3fbd3307c6 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md @@ -16,7 +16,7 @@ manager: kaushika --- -# Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first" +# Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first" > **Home users** > This article is intended for use by support agents and IT professionals. If you're looking for more information about Stop code error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). From 5c41d50767ba6f0d5a995ae653f1c3628de8db44 Mon Sep 17 00:00:00 2001 From: "v-tea@microsoft.com" <46357187+Teresa-Motiv@users.noreply.github.com> Date: Mon, 6 Jan 2020 10:31:00 -0800 Subject: [PATCH 14/16] Fixed metadata --- windows/client-management/troubleshoot-event-id-41-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 3fbd3307c6..68298f3175 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md 
@@ -1,5 +1,5 @@ --- -title: Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first" +title: Advanced troubleshooting for Event ID 41 - "The system has rebooted without cleanly shutting down first" description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue author: Teresa-Motiv ms.author: v-tea From ce38383d58d126d423b4ff67624ae82e848fdce0 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Tue, 7 Jan 2020 09:47:43 -0800 Subject: [PATCH 15/16] Review of edits --- .../troubleshoot-event-id-41-restart.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md index 68298f3175..b774919abf 100644 --- a/windows/client-management/troubleshoot-event-id-41-restart.md +++ b/windows/client-management/troubleshoot-event-id-41-restart.md 
@@ -19,16 +19,16 @@ manager: kaushika # Advanced troubleshooting for Event ID 41: "The system has rebooted without cleanly shutting down first" > **Home users** -> This article is intended for use by support agents and IT professionals. If you're looking for more information about Stop code error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). +> This article is intended for use by support agents and IT professionals. If you're looking for more information about blue screen error messages, please visit [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238/windows-10-troubleshoot-blue-screen-errors). -The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. By using this standard method, the operating system closes all files and notifies the running services and applications so that they can write any unsaveddata to disk and flush any active caches. +The preferred way to shut down Windows is to select **Start**, and then select an option to turn off or shut down the computer. When you use this standard method, the operating system closes all files and notifies the running services and applications so that they can write any unsaved data to disk and flush any active caches. -If your computer shuts down unexpectedly, Windows logs Event ID 41 entry that resembles the following the next time that the computer starts: +If your computer shuts down unexpectedly, Windows logs Event ID 41 the next time that the computer starts. The event text resembles the following: > Event ID: 41 > Description: The system has rebooted without cleanly shutting down first. -This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown may be caused by an interruption in the power supply or by a Stop error. 
If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and includes any existing codes in the event data of Event ID 41. +This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown might be caused by an interruption in the power supply or by a Stop error. If feasible, Windows records any error codes as it shuts down. During the [kernel phase](advanced-troubleshooting-boot-problems.md#kernel-phase) of the next Windows startup, Windows checks for these codes and includes any existing codes in the event data of Event ID 41. > EventData > BugcheckCode 159 
@@ -41,13 +41,13 @@ This event indicates that some unexpected activity prevented Windows from shutti ## How to use Event ID 41 when you troubleshoot an unexpected shutdown or restart -By itself, Event ID 41 might not contain sufficient information to explicitly define what occured. Typically, you have to also consider what was occuring at the time of the unexpected shutdown (for example, the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: +By itself, Event ID 41 might not contain sufficient information to explicitly define what occurred. Typically, you have to also consider what was occurring at the time of the unexpected shutdown (for example, the power supply failed). Use the information in this article to identify a troubleshooting approach that is appropriate for your circumstances: - [Scenario 1](#scen1): The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code - [Scenario 2](#scen2): The computer restarts because you pressed and held the power button -- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry lists error code values of zero +- [Scenario 3](#scen3): The computer is unresponsive or randomly restarts, and Event ID 41 is not logged or the Event ID 41 entry lists error code values of zero -### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a Stop error code +### Scenario 1: The computer restarts because of a Stop error, and Event ID 41 contains a Stop error (bug check) code When a computer shuts down or restarts because of a Stop error, Windows includes the Stop error data in Event ID 41 as part of the additional event data. This information includes the Stop error code (also called a bug check code), as shown in the following example: 
@@ -59,7 +59,7 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > BugcheckParameter4 0xfffffa800208c010 > [!NOTE] -> Event ID 41 includes the bug check code in decimal format. Most documentation that describes Stop error codes refer to the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: +> Event ID 41 includes the bug check code in decimal format. Most documentation that describes bug check codes refers to the codes as hexadecimal values instead of decimal values. To convert decimal to hexadecimal, follow these steps: > > 1. Select **Start**, type **calc** in the **Search** box, and then select **Calculator**. > 1. In the **Calculator** window, select **View** > **Programmer**. 
@@ -68,19 +68,19 @@ When a computer shuts down or restarts because of a Stop error, Windows includes > 1. On the left side of the calculator, select **Hex**. > The value that the calculator displays is now the hexadecimal code. > -> When you convert a bug check code to hexadecimal format, verify that it has eight digits following the “0x” designation (that is, the part of the code after the “x” includes enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. +> When you convert a bug check code to hexadecimal format, verify that the “0x” designation is followed by eight digits (that is, the part of the code after the “x” includes enough zeros to fill out eight digits). For example, 0x9F is typically documented as 0x0000009f, and 0xA is documented as 0x0000000A. In the case of the example event data in this article, "159" converts to 0x0000009f. After you identify the hexadecimal value, use the following references to continue troubleshooting: - [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md). -- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). (This page lists links to documentation for different bug check codes.) +- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes. - [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/). 
### Scenario 2: The computer restarts because you pressed and held the power button -Because this method of restarting the computer interferes with the Windows shutdown operation, we recommend that you use this method only if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, Event ID 41 occurs and includes a non-zero value for the **PowerButtonTimestamp** entry. +Because this method of restarting the computer interferes with the Windows shutdown operation, we recommend that you use this method only if you have no alternative. For example, you might have to use this approach if your computer is not responding. When you restart the computer by pressing and holding the power button, the computer logs an Event ID 41 that includes a non-zero value for the **PowerButtonTimestamp** entry. -For help to troubleshoot an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." +For help when troubleshooting an unresponsive computer, see [Windows Help](https://support.microsoft.com/hub/4338813/windows-help?os=windows-10). Consider searching for assistance by using keywords such as "hang," "responding," or "blank screen." ### Scenario 3: The computer is unresponsive or randomly restarts, and Event ID 41 is not recorded or the Event ID 41 entry or lists error code values of zero From 4590a32343c95a798f5e95e18c99771060b6be5a Mon Sep 17 00:00:00 2001 
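Review bot: In PATCH 15/16, hunk @@ -41,13, the Scenario 3 list entry is changed to "is not logged", but the Scenario 3 heading, visible as unchanged context at the end of hunk @@ -68,19, still reads "is not recorded or the Event ID 41 entry or lists error code values of zero", including the stray "or" introduced in PATCH 11/16. This hunk re-synchronizes the Scenario 1 heading with its list entry; apply the same fix to the Scenario 3 heading so that the wording matches and the extra "or" is removed.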
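Review bot: In PATCH 15/16, hunk @@ -68,19, the reworded NOTE sentence keeps curly quotation marks around 0x and around x while the rest of the same paragraph uses straight quotation marks around "159"; use straight quotation marks throughout so the Markdown source is consistent. The same hunk leaves "0x0000009f" in lowercase next to "0x0000000A" in uppercase, so consider picking one casing for the padded examples while this paragraph is being edited.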
From: lomayor Date: Tue, 7 Jan 2020 14:27:05 -0800 Subject: [PATCH 16/16] Add kusto languange name to AH code --- .../microsoft-defender-atp/advanced-hunting-best-practices.md | 4 ++-- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- .../microsoft-defender-atp/exploit-protection.md | 2 +- .../microsoft-defender-atp/network-protection.md | 2 +- .../microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 58f09d7eb7..7ce887afa8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -45,7 +45,7 @@ Process IDs (PIDs) are recycled in Windows and reused for new processes. On thei The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. -``` +```kusto DeviceNetworkEvents | where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4) | summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName @@ -68,7 +68,7 @@ To create more durable queries using command lines, apply the following practice The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service: -``` +```kusto // Non-durable query - do not use DeviceProcessEvents | where ProcessCommandLine == "net stop MpsSvc" 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index e4e202f76f..363a0b815b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -50,7 +50,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-h Here is an example query: -```PowerShell +```kusto DeviceEvents | where ActionType startswith 'Asr' ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 90c461b3d6..c5a436c489 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -40,7 +40,7 @@ There are various ways to ensure more complex queries return these columns. For The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. -``` +```kusto DeviceEvents | where Timestamp > ago(7d) | where ActionType == "AntivirusDetection" diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index 30e3eff1f4..c0073ce75e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md 
@@ -53,7 +53,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do Here is an example query: -```PowerShell +```kusto DeviceEvents | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection' ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index cdcb26b8fd..3c6f9f6bc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -56,7 +56,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do Here is an example query -```PowerShell +```kusto DeviceEvents | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked') ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 2d623aad56..55ffb2b7ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -167,7 +167,7 @@ When an exception is created for a recommendation, the recommendation is no long 3. Enter the following queries: -``` +```kusto // Search for machines with High active alerts or Critical CVE public exploit DeviceTvmSoftwareInventoryVulnerabilities | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId