In this guide, you will learn how to determine the cause of a server restart—whether it was an unexpected crash or a planned update—by analyzing Windows logs in a controlled environment.
To understand what an unexpected restart looks like in the logs, we will first simulate a crash using a tool from the Sysinternals suite called NotMyFault.
Search for "NotMyFault" on the Sysinternals Microsoft Learn page. This tool is designed to crash, hang, or cause memory leaks on a Windows system for diagnostic purposes.
After downloading, extract the files and run the 64-bit version of the application.
The interface is simple. Select a crash type (or leave the default) and press the Crash button. This will immediately trigger a "Blue Screen of Death" and force the virtual machine to restart.
After the server reboots and you log back in, you may see a popup asking why the computer shut down unexpectedly. To find the real technical reason, we must look at the Event Viewer.
Right-click the Start menu and select Event Viewer. Expand Windows Logs and select the System log.
Click on Filter Current Log. In the field for "All Event IDs," paste the specific Event ID string that tracks restarts (e.g., 41, 1074, 6005, 6006, 6008).
Review the filtered events around the timestamp of the restart.
Next, we can compare the previous logs with those generated by a controlled, planned restart, such as one initiated by Windows Update.
Install pending Windows Updates and allow the server to restart normally. When you log back in, you will not see the "unexpected shutdown" popup.
Open Event Viewer and apply the same Event ID filter used previously.
This time, look for events indicating a "clean" restart. The event details will likely give the reason as an operating system service pack marked "planned", which confirms the restart was intentional and not the result of a system failure.
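The comparison above can also be scripted. The following PowerShell is an added example, not part of the original guide: it labels each boot as unexpected or planned from the same five Event IDs. The function name Get-RestartCause, the two-minute correlation window and the sample events are assumptions made for illustration.

```powershell
# IDs from the guide's filter: 41 = rebooted without a clean shutdown, 1074 = restart or
# shutdown requested, 6005/6006 = Event Log service started/stopped, 6008 = unexpected shutdown.
function Get-RestartCause {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with TimeCreated, Id, Message
        [int] $WindowMinutes = 2                    # assumption: crash markers are logged near the boot
    )
    $sorted   = @($Events | Sort-Object TimeCreated)
    $prevBoot = [datetime]::MinValue
    foreach ($boot in @($sorted | Where-Object Id -eq 6005)) {   # each 6005 marks one boot
        $t = $boot.TimeCreated
        # 41 and 6008 are written during the boot that follows a crash
        $crash = @($sorted | Where-Object {
            $_.Id -in (41, 6008) -and
            [math]::Abs(($_.TimeCreated - $t).TotalMinutes) -le $WindowMinutes })
        # 1074 and 6006 are written before a clean shutdown, so look back to the previous boot
        $clean = @($sorted | Where-Object {
            $_.Id -in (1074, 6006) -and $_.TimeCreated -gt $prevBoot -and $_.TimeCreated -lt $t })
        $cause = if ($crash.Count) { 'Unexpected' } elseif ($clean.Count) { 'Planned' } else { 'Unknown' }
        $request = $clean | Where-Object Id -eq 1074 | Select-Object -Last 1
        [pscustomobject]@{
            BootTime = $t
            Cause    = $cause
            Detail   = if ($cause -eq 'Planned') { $request.Message } else { $null }
        }
        $prevBoot = $t
    }
}

# Constructed sample events (not real log output): a crash, then a planned restart.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:00:05'; Id = 41;   Message = 'constructed: no clean shutdown' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:00:07'; Id = 6008; Message = 'constructed: previous shutdown was unexpected' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:00:08'; Id = 6005; Message = 'constructed: Event Log service started' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T14:30:00'; Id = 1074; Message = 'constructed: restart requested, reason planned' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T14:30:20'; Id = 6006; Message = 'constructed: Event Log service stopped' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T14:31:30'; Id = 6005; Message = 'constructed: Event Log service started' }
)
Get-RestartCause -Events $sample | Format-Table -AutoSize

# On a live server, feed it the same IDs the guide filters on:
# Get-RestartCause -Events (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41, 1074, 6005, 6006, 6008 })
```

A boot reported as Unknown means the log window contains no shutdown or crash marker for it, which usually indicates the System log has rolled over rather than a crash.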