Sunday, November 12, 2023

How To Find Shutdown And Reboot Logs In Windows Servers?

 How To Find Shutdown And Reboot Logs In Windows Servers?

This article will explain how to check shutdown, reboot, and startup logs in Windows servers. Windows has an excellent tool called Windows Event Viewer that saves all computer activity.

What Is The Windows Event Viewer?

The Windows Event Viewer is handled by the event log service, which is the Windows core service. It logs the startup and shutdown history of the event log service. It monitors each user's activities while using the device. Windows Server/Desktop PCs are monitored for errors, information messages, and warnings.

Most Common Events Related To Startup And Shutdown Times

This article explains the most common events associated with shutting down and restarting a Windows computer:

1. Event ID 41: It shows that your Windows computer rebooted without shutting down completely.

2. Event ID 6005: It indicates that the event log service was started.

3. Event ID 1074: Your computer records this event when an application forces your laptop to shut down or restart. This event also helps you know when a user restarted or shut down the computer from the Start menu or by using CTRL+ALT+DEL.

For example: "The process X has initiated the restart/shutdown of the computer on behalf of user Y for the following reason: Z." Indicates that an application or a user initiated a restart or shutdown.

event-log-1

4. Event ID 6006: This event is recorded if your Windows computer shuts down correctly.

5. Event ID 6008: At times when your computer shuts down abnormally or unexpectedly, you will see this event in your system log.

6. Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.

7. Event ID 1076: "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

View Shutdown And Restart Log From Event Viewer

The following steps will guide you through the process of extracting this information from the Windows event viewer.

1. Open Event Viewer (press Win + R[Run] and type eventvwr).

2. In the left pane, open “Windows Logs >> System.”

3. In the middle pane, you will get a list of events that occurred while Windows was running. You can sort the event log with the Event ID.

click-on-the-filter

4. Click on the Event ID label to sort the data with respect to the Event ID column.

5. If your event log is huge, then the sorting will not work. You can also create a filter from the Actions pane on the right side. Just click on “Filter current log”.

event-log-2
6. Type 6005, 6006[any Event ID] in the Event IDs field labeled as. You can also specify the time period under Logged.

Example: Click on Filter Current Log on the right. Type “41” (no quotes) into the textbox under Includes/Excludes Event IDs, and then click OK to filter the event log.

filter-current-log
7. After completing all the steps, Windows Event Viewer will display only activities related to the shutdown.

Result

How To See Server Startup And Shutdown History In Windows Server Filter Options?

Event ID 6005 is labeled as "The event log service was started," which is equivalent to system startup. Similarly, Event ID 6006 is labeled as "The event log service was stopped," indicating system shutdown.

event-log-6006

If you wish to delve deeper into the Event log, Event ID 6013 will provide you with the computer's uptime, while Event ID 6009 will reveal the processor information detected during boot. Additionally, Event ID 6008 can tell you if the system started after an improper shutdown.

event-log-6013

View Shutdown And Restart Log Using Windows PowerShell

PowerShell's Get-EventLog command can also be used to retrieve shutdown/reboot logs in Windows. Run the following command to filter the 10000 most recent System Event Log entries and display only events related to Windows shutdowns.

Get-EventLog System -Newest 10000 | ` Where EventId -in 41,1074,1076,6005,6006,6008,6009,6013 | ` Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -wrap

1074 events Filter Get-WinEvent -FilterHashtable @{logname = 'System'; id = 1074} | Format-Table -wrap

Windows Shutdown Event Log



Thanks for Reading...
Masud Rana

No comments:

Post a Comment

Describe BIOS and UEFI

  BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface) are firmware interfaces responsible for initializing har...