How to troubleshoot event ID 41: A system reboot without a clean shutdown and kernel power error

This article explains how you can view and troubleshoot Windows event ID 41, which is associated with an unexpected restart of a system without a clean shutdown.

Effective troubleshooting of event ID 41, or Kernel Power Event ID 41, requires an understanding of how a shutdown happens and its different types.

How shutdown is initiated and its types

When you shut down a system, Windows sends the WM_QUERYENDSESSION message to all running applications that have a UI thread. This message asks each application to save any unsaved data and terminate itself. If an application doesn't respond to this message, Windows sends it the WM_ENDSESSION message to terminate the application immediately.

If all the running applications respond to the initial WM_QUERYENDSESSION message, Windows records a clean shutdown with event ID 6006 in the System event log. If any application doesn't respond to the message or terminates forcibly, Windows logs a dirty shutdown with event ID 6008 in the System event log. This can happen because of a sudden power failure or when the computer is shut down by holding down the power button, and it can cause data loss and boot-up problems. Unexpected shutdowns are the ones that are caused outside of the operating system's functionality.

Understanding the different Event IDs with shutdowns

  • Event ID 41 or Kernel Power Event ID 41: Indicates that Windows restarted without a complete shutdown.
  • Event ID 1074: Gets logged when an application is responsible for the system shutdown or restart. It also provides information on whether the Start menu or Ctrl+Alt+Del option is used by the user for system shutdown and restart.
  • Event ID 6006: Indicates a clean shutdown.
  • Event ID 6008: Indicates a dirty shutdown and gets logged when the most recent shutdown was unexpected.

How and when Windows event ID 41 occurs

Event ID 41 indicates that unexpected activity prevented Windows from shutting down properly, as described above. The major causes of such a shutdown are an interruption in the power supply or a Stop error. Whenever possible, Windows records any error codes as it shuts down. During the kernel phase of the next startup, Windows checks for these codes and includes any that exist in the event data of Event ID 41. Because this event originates from the operating system's power management system, Kernel Power, it is also referred to as Kernel Power Event ID 41.

Format of Event ID 41

Event ID 41 is represented below in Microsoft's Event Viewer, a native tool that displays important events that occurred in the Windows system.

Source: Event log
Event ID: 41
Level: Critical
Source: Kernel-Power
Description: The system has rebooted without cleanly shutting down first.
Date and Time: The date and time of the event's occurrence

Probable causes for Event ID 41

Power issues: A malfunctioning power supply unit, a sudden loss of power leading to an unexpected restart, or an unstable power supply with voltage fluctuations can lead to the generation of event ID 41.

Hardware issues: If your CPU, graphics card, or other critical components overheat, the system might shut down and restart automatically to prevent damage. At times, faulty or malfunctioning hardware, such as RAM module or storage driver failures, can lead to unexpected restarts.

Software issues: In rare cases, critical system program failures or driver crashes can lead to an unexpected restart. Damaged or corrupted file systems can also trigger this event.

Blue screens: Critical errors within the operating system kernel lead to blue screens and subsequently to an unexpected restart.

Investigating event ID 41 for troubleshooting

Investigation of event ID 41 tells you how the unexpected shutdown and restart occurred in the system. Here are the most common scenarios to troubleshoot for an unexpected shutdown or restart:

I. Event ID 41 with Stop error code

When a computer shuts down or restarts due to a Stop error, event ID 41 in the log contains supplementary data as part of its event data. This additional data often includes the specific Stop error code, also known as the bug check code, which provides valuable information for troubleshooting purposes.

An example of event ID 41 with a Stop error code:

EventData
BugcheckCode 0x116
BugcheckParameter1 0x0
BugcheckParameter2 0xfffffa8001e2f9f0
BugcheckParameter3 0xfffff80003f92e30
BugcheckParameter4 0xfffffa8001e2fa18

In the above Event Data, bug check code 0x116 indicates VIDEO_DXGKRNL_FATAL_ERROR. This points to a critical error with the video driver, specifically relating to the DirectX graphics kernel.

Parameter 1 indicates an unspecified issue with the video driver. Parameters 2 to 4 contain memory addresses that provide hints about the specific section of the video driver that encountered the error.

Note:

Event ID 41 includes the bug check code in decimal format. Convert it to hexadecimal, as most Microsoft documentation refers to bug check codes by their hexadecimal value.

Refer to Microsoft's Bug Check Code Reference documentation to troubleshoot this issue.

II. Event ID 41 with PowerButtonTimestamp entry

One of the reasons for an unexpected shutdown or restart is the user holding down the power button to shut down the computer. Often, this method is used when the system is unresponsive. In this case, event ID 41 returns a non-zero value for the PowerButtonTimestamp entry.

III. When Event ID 41 isn't recorded or it lists error code values of zero

This scenario covers the following circumstances:

  • Computer restarts but doesn't generate event ID 41, or its bug check code is zero: This might indicate a power supply problem. If the computer's power is interrupted, it might not generate the Stop error or might not finish writing the error codes to the disk. Therefore, when the computer starts the next time, it might not log event ID 41. On laptops, check for a drained or removed battery. On desktops, check whether the computer was unplugged or experienced a sudden power outage.
  • Computer restarts and generates event ID 41, but the PowerButtonTimestamp values are zero: This happens when something prevents Windows from generating the error codes or from writing them to the disk. The computer may also have shut down too quickly to detect or write the error codes. Alternatively, disconnecting the power from a computer that wasn't responding to input can also result in a PowerButtonTimestamp value of zero.

How to troubleshoot event ID 41 using Event Viewer for analysis

To figure out what exactly caused a dirty shutdown, you need to analyze event ID 41 for the scenarios above. To do this, you can use Windows Event Viewer for a detailed analysis of the error codes and other information.

  • Start Event Viewer.
  • Use the filters below to narrow down to critical events.
    a. Log: System, Levels: Critical, Error; Source: Kernel-Power
  • This lists only the events whose source is Kernel-Power and whose level is Critical or Error.
  • Click on event ID 41 to view the general details of the event.
  • Click on the Details tab to view the bug check codes.

Look for the scenarios described above to take appropriate measures.
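
The same triage can be scripted. The following PowerShell is an added example, not part of the original article or of any ManageEngine product: it reads the event data of an event ID 41 record, converts the decimal bug check code to hexadecimal, and sorts the event into scenario I, II, or III above. The function name and the sample event (host name, timestamp, values) are constructed for illustration.

```powershell
function Get-Event41Triage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        # Index the <Data Name="..."> children of EventData by their Name attribute.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Event 41 stores these values as decimal strings; a missing value casts to 0.
        $bugcheck = [uint32]$data['BugcheckCode']
        $button   = [uint64]$data['PowerButtonTimestamp']

        $scenario = if ($bugcheck -ne 0) {
            'I: Stop error, look up the bug check code'
        } elseif ($button -ne 0) {
            'II: power button held down'
        } else {
            'III: no codes recorded, check power supply and abrupt power loss'
        }

        [pscustomobject]@{
            TimeCreated = $evt.System.TimeCreated.SystemTime
            Computer    = $evt.System.Computer
            BugcheckHex = '0x{0:X}' -f $bugcheck   # decimal -> hex for the Microsoft reference
            Scenario    = $scenario
        }
    }
}

# Constructed sample record (decimal 278 is 0x116, the code used in the example above).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>41</EventID><TimeCreated SystemTime="2024-01-01T08:00:00Z"/><Computer>HOST-EXAMPLE</Computer></System>
  <EventData>
    <Data Name="BugcheckCode">278</Data>
    <Data Name="PowerButtonTimestamp">0</Data>
  </EventData>
</Event>
'@
$sample | Get-Event41Triage

# Live use on a Windows host:
# Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-Power'; Id=41} |
#     ForEach-Object { $_.ToXml() } | Get-Event41Triage
```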

How to troubleshoot event ID 41 using EventLog Analyzer

ManageEngine EventLog Analyzer is your one-stop shop to effectively analyze Windows event logs. The solution centrally collects, analyzes, correlates, and archives log data from sources across your network for troubleshooting, performance and health monitoring, security, and compliance needs.

While Event Viewer allows you to view and analyze event ID 41 for a single system, EventLog Analyzer is a centralized log management system that allows you to view all the dirty shutdowns and unexpected restarts happening in your Windows environment from a single console.

Out-of-the-box report that provides insights into all the unexpected restarts happening in your network

Easy visualization of the error codes and reason for event ID 41 using intuitive analytics

Efficiently drill down through your logs to extract relevant information about an incident

Intuitive reports to give you what exactly is needed

View and analyze occurrence of Event ID 41 over a specified time period.

Further investigations through Device Summary analytics

Apart from troubleshooting, analysis of event ID 41 is also important for security analysts. The early onset of a DoS attack that aims to overload a system can cause it to crash or become unresponsive, which might trigger event ID 41. An occurrence of event ID 41 followed by numerous failed login attempts might indicate an unauthorized access attempt. Further, some malicious programs or rootkits can cause system instability and unexpected restarts.

To ascertain the overall security posture, security analysts should investigate the events that occurred on a system that frequently experiences event ID 41 and correlate them with other critical security events.
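
As an added example (not from the original article and not EventLog Analyzer functionality), the PowerShell below sketches that correlation for one of the patterns named above: an event ID 41 followed by a burst of failed logons (Security event ID 4625). The function name, the 30-minute window, the threshold of five, and the sample events are assumptions chosen for illustration.

```powershell
function Find-RebootThenLogonFailures {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects exposing Id and TimeCreated
        [int]$WindowMinutes = 30,                  # assumed look-ahead window
        [int]$Threshold     = 5                    # assumed minimum number of failures
    )
    # 4625 = failed logon (Security log). Id 41 is assumed to be pre-filtered to Kernel-Power.
    $failures = @($Events | Where-Object Id -eq 4625)
    foreach ($reboot in ($Events | Where-Object Id -eq 41 | Sort-Object TimeCreated)) {
        $end  = $reboot.TimeCreated.AddMinutes($WindowMinutes)
        $hits = @($failures | Where-Object {
            $_.TimeCreated -gt $reboot.TimeCreated -and $_.TimeCreated -le $end
        })
        if ($hits.Count -ge $Threshold) {
            [pscustomobject]@{
                RebootLogged  = $reboot.TimeCreated
                FailedLogons  = $hits.Count
                WindowMinutes = $WindowMinutes
            }
        }
    }
}

# Constructed sample: one reboot followed by six failed logons, one isolated reboot.
$t0     = [datetime]'2024-01-01T08:00:00'
$sample = @([pscustomobject]@{ Id = 41; TimeCreated = $t0 })
$sample += 1..6 | ForEach-Object { [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddMinutes($_) } }
$sample += [pscustomobject]@{ Id = 41; TimeCreated = $t0.AddDays(1) }
Find-RebootThenLogonFailures -Events $sample   # reports only the first reboot

# Live use (elevated session, Security log readable):
# $events = @(Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-Power'; Id=41}) +
#           @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625})
# Find-RebootThenLogonFailures -Events $events
```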

ManageEngine EventLog Analyzer provides a Device Summary Dashboard that can be invoked from the reports to view:

  • Recent critical alerts triggered for that system.
  • Active users of that system.
  • Important events that occurred on the system, such as failed logons and account lockouts.
  • File modifications that happened on the system, and much more.

This will help you to effectively investigate the event by correlating it with other critical events that occurred.

Further, the solution's real-time correlation engine helps you build detection rules or establish incident timelines around the time of event ID 41's occurrence.
