how to audit maintenance mode in mom 2005

what i've discovered is that there are tons of postings, documentation, scripts and such on how to put a machine into maintenance mode -- and bring it back out -- by ui, a cmd shell tool, a script, etc.  however, there's really not much describing how to find out how a machine got into maintenance mode in the first place.

it's actually very simple because mom likes to log the crap out of everything.  there are four relevant ids that you should be aware of.  based on this knowledge, you can create your own event views or reports to take a look at this data.

the first set of ids refer to maintenance mode set by the console:

• 10015 - maintenance mode start (details are in the parameters tab)
• 10016 - maintenance mode stop

the second set of maintenance mode ids are set by the cmd line tool or anything that accesses the sdk (sms client for example):

• 22153 - maintenance mode start request (details are in the description)
• 22154 - maintenance mode stop request

more details?  here's the knowledge base article.