In a virtualized environment, it can be difficult to differentiate between an error with the virtual machine or the VMkernel of the ESX. It is important to determine whether a halted or unresponsive virtual machine is a symptom of an error with Windows (or the applications running on the virtual machine) or the ESX host on which it resides. The following is intended as a set of general guidelines for diagnosing and identifying typical errors associated with a Windows failure.

Windows uses event codes that identify the issue encountered within the guest guest operating system. These codes are standardized and are useful in identifying the cause of issues on the guest. The Resolution section outlines a few common event codes, and provides information about each code. These codes are useful for determining the way in which the guest was made to go offline.

1. Click Start > Run.
2. In the field provided type eventvwr and press Enter.

First, identify the approximate time the error occurred. Check the Application, Security and System logs for any items logged in this time period. If the guest has experienced a failure or unscheduled shutdown, this information is listed in the System log. Identify the error code in the System log to determine the type of shutdown encountered.

The following list identifies the event codes that pertain to a shutdown, failure, and restart of a Windows host:

• 6006: This event code identifies a “graceful” shutdown. This is a shutdown initiated by an authorized user of the system.
• 6008: This event code identifies a system failure of some kind.
• 6005: This event code is a resumption of event log services. This indicates that the system has been rebooted, and is now returned to an operational state in which the Event Log service has successfully restarted and resumed normal operation.

To identify the duration of a downtime, compare the time at which the 6006 or 6008 event occurred to the time when the 6005 event occurred. This amount of time is the duration of the downtime on this Windows guest machine.

When the type and time of interruption are identified, you can review the Application and Security logs to determine additional information about the cause can be identified. For example, a system failure may have related errors in the Application log that can explain what contributing factors lead to the failure. A 6006 shutdown event may have information regarding who initiated the command (or at least who was logged into the system) at the time of the incident.

After reviewing the Event Viewer, it may be necessary to identify more specific information regarding a Windows failure incident. At the time of a failure, Windows automatically dumps all of the data contained in its memory for diagnostic purposes. Windows does not save memory dumps by default. The guest operating system needs to be configured to do so. To configure the guest to do so, reference the Microsoft support and documentation resources to identify the correct method to enable this feature on the specific version of Windows that you are running.

If it has been configured, this memory information is stored as a file on the hard drive named memory.dmp . Typically, this file is saved to C:\windows\system and can usually be found with a simple search.

The stop code and information contained in this file can be researched via Microsoft’s site Technet. Technet can be found online at http://technet.microsoft.com/en-us/default.aspx . Any errors recorded in this file should be researched by the customer, as issues with the guest operating system are outside the scope of VMware Support.