Scribd
Upload
71 views12 pages

How To Check Shutdown and Reboot Logs in Windows Servers

The Windows Event Viewer logs system events like startup, shutdown, errors and warnings. It monitors user activity and records event IDs related to starting and shutting down like startup of the event log service, normal shutdown, and unexpected restarts. Users can view these events by opening the Event Viewer, filtering by event ID, and checking events like startup and shutdown of the event log service.

Uploaded by

irfan ahmed khan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
71 views12 pages

How To Check Shutdown and Reboot Logs in Windows Servers

The Windows Event Viewer logs system events like startup, shutdown, errors and warnings. It monitors user activity and records event IDs related to starting and shutting down like startup of the event log service, normal shutdown, and unexpected restarts. Users can view these events by opening the Event Viewer, filtering by event ID, and checking events like startup and shutdown of the event log service.

Uploaded by

irfan ahmed khan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

What is the Windows Event Viewer?

The Windows Event Viewer is handled by the event log service, it's the Windows core service.
The event viewer logs the startup and shutdown history of the event log service. It monitors each
user’s activities while running the device. It records errors, information messages, and warnings
on their Windows Server/Desktop PCs.

Most Common Events Related to Startup and Shutdown times

There are many identified events related to shutting down and restarting a Windows PC.
However, we will show you the most common events in this article:

1. Event ID 41: It shows that your Windows computer rebooted without shutting down
completely.

2. Event ID 6005: It indicates that the event log service was started.

3. Event ID 1074: Your computer records this event when an application forces your laptop to
shut down or restart. This event also helps you know when a user restarted or shut down the
computer from the Start menu or by using CTRL+ALT+DEL.

For example: "The process X has initiated the restart/shutdown of the computer on behalf of
user Y for the following reason: Z." Indicates that an application or a user initiated a restart
or shutdown.
Event ID 6006: This event is recorded if your Windows computer shuts down correctly.

4. Event ID 6008: At times when your computer shuts down abnormally or unexpectedly, you
will see this event in your system log.

5. Event ID 6009: Indicates the Windows product name, version, build number, service pack
number, and operating system type detected at boot time.

6. Event ID 1076: "The reason supplied by user X for the last unexpected shutdown of this
computer is: Y." Records when the first user with shutdown privileges logs on to the
computer after an unexpected restart or shutdown and supplies a reason for the occurrence.
GET WINDOWS VPS HOSTING
View Shutdown and Restart Log from Event Viewer

Let’s go through the complete process of extracting this information from the Windows event
viewer.

1. Open Event Viewer (press Win + R[Run] and type eventvwr).

2. In the left pane, open “Windows Logs >> System.”

3. In the middle pane, you will get a list of events that occurred while Windows was running.
You can sort the event log with the Event ID.
4. Click on the Event ID label to sort the data with respect to the Event ID column.

5. If your event log is huge, then the sorting will not work. You can also create a filter from
the Actions pane on the right side. Just click on “Filter current log”.
GET WINDOWS VPS HOSTING
6.

7. Type 6005, 6006[any Event ID] in the Event IDs field labeled as. You can also specify the
time period under Logged.
Example: Click on Filter Current Log on the right. Type “41” (no quotes) into the textbox
under Includes/Excludes Event IDs, and then click OK to filter the event log.

GET WINDOWS VPS HOSTING


8. After completing all the steps, Windows Event Viewer will display only activities related to
the shutdown.
How To See Server Startup And Shutdown History In Windows
Server Filter Options

Event ID 6005 will be labeled as “The event log service was started.” This is synonymous with
system startup. Event ID 6006 will be labeled as “The event log service was stopped.” This is
synonymous with system shutdown.
GET WINDOWS VPS HOSTING

Suppose you want to investigate the Event log further, you can go through the Event ID 6013,
which will display the uptime of the computer, and Event ID 6009 indicates the processor
information detected during boot time. Event ID 6008 will let you know that the system started
after it was not shut down properly.

View Shutdown and Restart Log Using Windows PowerShell

The shutdown/reboot logs in Windows can also be retrieved from the command-line using the
PowerShell’s Get-EventLog command. For example, to filter the 10000 most recent entries in
the System Event Log and display only events related to the Windows shutdowns, run the
following command:

Get-EventLog System -Newest 10000 | ` Where EventId -in


41,1074,1076,6005,6006,6008,6009,6013 | ` Format-Table
TimeGenerated,EventId,UserName,Message -AutoSize -wrap

1074 events Filter Get-WinEvent -FilterHashtable @{logname = 'System'; id = 1074} |


Format-Table -wrap
GET WINDOWS VPS HOSTING

You might also like