44

I'm trying to view the Shutdown Event Tracker logs in the Event Viewer, on windows server 2008 r8, but I can't find the messages that I supplied when previously restart the server.

Where in the Event Viewer can I see these logs?

stacker
  • 831
  • 3
  • 10
  • 15

7 Answers7

59

Open event viewer. Expand windows logs. Click system, then either find or filter for event ID 1074. And you will see all your shut down logs.

peterh
  • 4,914
  • 13
  • 29
  • 44
Jacob
  • 9,114
  • 4
  • 44
  • 56
15

I know this is a very old question. But this might help someone who is looking for the same solution. you can use a single line in powershell (which is available in all OS later than win 2003) to find out the reboot history. Just open powershell.exe from run prompt and enter the below command.

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap
gbabu
  • 251
  • 2
  • 2
9

If you or others are just trying to find the most recent boot time, the easiest way I've found is to run this in cmd:

systeminfo | find "System Boot Time"

From powercram.com

Brad
  • 141
  • 1
  • 3
2

Another useful approach I've found, since we frequently monitor our ISP hosted servers for outages, is to create a custom event view as follows:

Open Event Viewer then

  • Right click Custom Views
  • Click Create Custom View
  • Under the Filter tab
    • Keep Logged as Any time
    • Select all the Event level types (Critical, Warning, etc.)
    • Choose by source = Windows Logs > System
    • For Event ID under the Includes/Excludes Event IDs section enter 1074 for the Event ID
  • Click Ok
  • Enter a name like Shutdown Events and any description then
  • Click Ok again to complete the custom event log.

Your new custom view should show up in the list of custom views with the correct filter applied.

Jacques
  • 195
  • 1
  • 2
  • 15
  • 2
    Based on the other answers, I've changed this step for my views: `For Event ID under the Includes/Excludes Event IDs section enter 1074,1076,6008 for the Event ID` – Jeroen Wiert Pluimers Jul 12 '17 at 07:52
2

Slightly cleaner Powershell one-liner that I use to filter out shutdown related EventIDs:

Get-EventLog system |?{$_.EventID -in 6008,41,1074,1001}| ft -w

To restrict that to just the most useful properties:

Get-EventLog system | ?{6008,41,1074,1076,1001 -eq $_.EventID}| select EventID, TimeGenerated, Message| ft -w

Alternatively, to search by message text:

Get-EventLog system -m "*Shutdown*" | select EventID, TimeGenerated, Message| ft -w
Amit Naidu
  • 774
  • 5
  • 11
0

You can try search the event viewer by filtering it using this event ID:

Event ID 41: The system rebooted without cleanly shutting down first. This error occurs when the system stopped responding, crashed, or lost power unexpectedly.

Event ID 1074: Logged when an app (such as Windows Update) causes the system to restart, or when a user initiates a restart or shutdown.

Event ID 6006: Logged as a clean shutdown. It gives the message, “The Event log service was stopped.”

Event ID 6008: Logged as a dirty shutdown. It gives the message, “The previous system shutdown at time on date was unexpected.”
Nerdynosaur
  • 101
  • 1
-1

Expand The Windows Logs in The Event Viewer Application and select System. Then in The System Panel, usually appears in the middle, sort them by Level Or ID.

Click On the every entry to see the description in the bottom panel

m.r226
  • 99
  • 2