8

Client OS - Window XP

Domain Controller:- Window server 2008 Standard R2

I had one Windows XP system. I want to find out when the system has started or boot ( at what time and date ). I don't know which parameter / word should I search for in Event Log.

For finding out shutdown time, I simply find the word "Shutdown" in Event Log.

Can you guide me which word should I should search for to determine Start up or boot time?

Dave M
  • 4,494
  • 21
  • 30
  • 30
Param
  • 1,347
  • 13
  • 34
  • 51

2 Answers2

13

EventViewer ( System Log )

6009 and 6005 same time stamp, system just started.

6013 - system has been up for a day or more, time in seconds.

6006 - the system was rebooted or shutdown.

PowerShell: Get All Reboot Messages in the Last Month

Get-EventLog -LogName System -After $(Get-Date).AddMonths(-1) | Where { 6009,6005,6006 -contains $_.EventID}
John Zabroski
  • 185
  • 9
  • the above powershell works great, thanks a lot – ikel Mar 11 '21 at 16:58
  • This answer is no longer complete because in Windows 10, events 6009 and 6005 are not always logged if a user clicks "Shut Down" from the Start Menu and then turns on the computer by pressing the power button. – Zian Choy Apr 02 '21 at 01:02
1

Look for the message saying the event log has started.

Event 6005 Event Log Service has started

Or Event 6009 with info about the OS build, service peck level, etc.

squillman
  • 37,618
  • 10
  • 90
  • 145