How to check shutdown and reboot logs in Windows servers?

In this article, we’ll learn how to check shutdown/reboot/startup logs in Windows servers. Windows has an excellent tool that saves all activities that are happening on the computer, which is called Windows Event Viewer.

What is the Windows Event Viewer?

The Windows Event Viewer is handled by the event log service, which is a core Windows service. The event viewer logs the startup and shutdown history of the event log service. It monitors each user’s activities while the device is running, and it records errors, information messages, and warnings on Windows Server and desktop PCs.

Most Common Events Related to Startup and Shutdown times

There are many identified events related to shutting down and restarting a Windows PC. However, we will show you the most common events in this article:

  1. Event ID 41: It shows that your Windows computer rebooted without shutting down completely.

  2. Event ID 6005: It indicates that the event log service was started.

  3. Event ID 1074: Your computer records this event when an application forces your laptop to shut down or restart. This event also helps you know when a user restarted or shut down the computer from the Start menu or by using CTRL+ALT+DEL.

    For example, the message "The process X has initiated the restart/shutdown of the computer on behalf of user Y for the following reason: Z." indicates that an application or a user initiated a restart or shutdown.

  4. Event ID 6006: This event is recorded if your Windows computer shuts down correctly.

  5. Event ID 6008: At times when your computer shuts down abnormally or unexpectedly, you will see this event in your system log.

  6. Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.

  7. Event ID 1076: "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." This event is recorded when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

View Shutdown and Restart Log from Event Viewer

Let’s go through the complete process of extracting this information from the Windows event viewer.

  1. Open Event Viewer (press Win + R to open Run, then type eventvwr).

  2. In the left pane, open “Windows Logs >> System.”

  3. In the middle pane, you will get a list of events that occurred while Windows was running. You can sort the event log with the Event ID.

  4. Click on the Event ID label to sort the data with respect to the Event ID column.

  5. If your event log is huge, then the sorting will not work. You can also create a filter from the Actions pane on the right side. Just click on “Filter current log”.

  6. Type 6005, 6006 (or any other Event ID) in the Event IDs field. You can also specify the time period under Logged.

    Example: Click on Filter Current Log on the right. Type “41” (no quotes) into the textbox under Includes/Excludes Event IDs, and then click OK to filter the event log.

  7. After completing all the steps, Windows Event Viewer will display only activities related to the shutdown.

How To See Server Startup And Shutdown History In Windows Server Filter Options

Event ID 6005 will be labeled as “The event log service was started.” This is synonymous with system startup. Event ID 6006 will be labeled as “The event log service was stopped.” This is synonymous with system shutdown.

If you want to investigate the event log further, look at Event ID 6013, which displays the uptime of the computer, and Event ID 6009, which indicates the processor information detected during boot time. Event ID 6008 lets you know that the system started after it was not shut down properly.

View Shutdown and Restart Log Using Windows PowerShell

The shutdown/reboot logs in Windows can also be retrieved from the command line using PowerShell’s Get-EventLog command. For example, to filter the 10000 most recent entries in the System event log and display only events related to Windows shutdowns, run the following command:

Get-EventLog System -Newest 10000 |
    Where EventId -in 41,1074,1076,6005,6006,6008,6009,6013 |
    Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -wrap

1074 events filter:

Get-WinEvent -FilterHashtable @{logname = 'System'; id = 1074} | Format-Table -wrap
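A fuller version of the two commands above, as an added example rather than code from the original article: it also checks the event provider, because different sources can write the same event ID to the System log, and it pulls the process, user and reason out of each 1074 record. The provider names and the 1074 field positions are assumptions based on the standard Windows event templates, and Get-ShutdownTimeline is a hypothetical function name.

```powershell
# Added example: shutdown/startup timeline from the System log.
# Event IDs are the ones listed in this article. Provider names and the
# 1074 property order are assumptions taken from the standard templates.
$events = @{
    41   = @('Microsoft-Windows-Kernel-Power', 'Rebooted without shutting down completely')
    1074 = @('User32',   'Shutdown/restart initiated by a process or user')
    1076 = @('User32',   'Reason supplied for the last unexpected shutdown')
    6005 = @('EventLog', 'Event log service started (system startup)')
    6006 = @('EventLog', 'Event log service stopped (system shutdown)')
    6008 = @('EventLog', 'Previous shutdown was unexpected')
}

function Get-ShutdownTimeline {
    param([int]$Days = 30)   # how far back to search

    $filter = @{
        LogName   = 'System'
        Id        = [int[]]$events.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        # Keep a record only if it comes from the provider expected for its ID.
        Where-Object { $_.ProviderName -eq $events[$_.Id][0] } |
        Sort-Object TimeCreated |
        ForEach-Object {
            $row = [ordered]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $events[$_.Id][1]
                Process = $null
                User    = $null
                Reason  = $null
            }
            # 1074 carries its details as positional fields:
            # 0 = process, 2 = reason, 6 = user (assumed template order).
            if ($_.Id -eq 1074 -and $_.Properties.Count -ge 7) {
                $row.Process = $_.Properties[0].Value
                $row.Reason  = $_.Properties[2].Value
                $row.User    = $_.Properties[6].Value
            }
            [pscustomobject]$row
        }
}

Get-ShutdownTimeline -Days 30 | Format-Table -AutoSize -Wrap
```

In the output, a 6008 or 41 entry with no 1074 or 6006 entry immediately before it marks a restart that nobody requested through the operating system.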
