Windows Server restart / shutdown history

Question

How can I easily see a history of every time my Windows Server has restarted or shutdown and the reason why, including user-initiated, system-initiated, and system crashed?

The Windows Event Log is an obvious answer but what is the complete list of events that I should view?

I found these posts that partially answer my question:

Windows server last reboot time includes several answers that partially address the full restart history
View Shutdown Event Tracker logs under Windows Server 2008 R2 includes an additional event id
Event Log time when Computer Start up / boot up includes some of the same event ids

but those don't cover every scenario AFAIK and the info is hard to understand because it is spread across multiple answers.

I have several versions of Windows Server so a solution that works for at least versions 2008, 2008 R2, 2012, and 2012 R2 would be ideal.

In some situations Nirsoft's TurnedOnTimesView may be good enough. (http://www.nirsoft.net/utils/computer_turned_on_times.html) it shows reboots and shutdown times. — Peter Hahndorf, Jul 01 '15 at 16:27
Do you use an external monitoring tool, .e.g., opsview, nagios, icinga, shinken? These tools store the monitoring results in a database and then you could check if servers were restarted and when, — 030, Jul 01 '15 at 20:35

JohnC · Accepted Answer · 2018-11-26T03:36:53.940

127

The clearest most succinct answer I could find is:

How To See PC Startup And Shutdown History In Windows

which lists these event ids to monitor (quoted but edited and reformatted from article):

Event ID 6005 (alternate): “The event log service was started.” This is synonymous to system startup.
Event ID 6006 (alternate): “The event log service was stopped.” This is synonymous to system shutdown.
Event ID 6008 (alternate): "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.
Event ID 6009 (alternate): Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id.

Add to that a couple more from the Server Fault answers listed in my OP:

Event ID 1074 (alternate): "The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z." Indicates that an application or a user initiated a restart or shutdown.
Event ID 1076 (alternate): "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

Did I miss any?

edited Nov 26 '18 at 03:36

answered Jul 01 '15 at 13:19

JohnC

2,504
3
12
15

6

To differentiate between power loss and a reboot due to bugcheck, look for combination of Event ID 41 (source: Microsoft-Windows-Kernel-Power) and Event ID 1001: (source: BugCheck). Former without the latter indicates power loss or reset. – sendmoreinfo Jul 01 '15 at 20:16
4

This was helpful. Thank you johnC. In the Includes/Excludes event ID's input field in the Filter Current Log window, I entered "6005, 6006, 6008, 6009, 6013, 1074, 1076" and it gave me exactly what I needed. – jb007 Aug 23 '16 at 18:39
3

You should probably add [`Kernel-General` with eventid `12`](http://www.eventid.net/display-eventid-12-source-Microsoft-Windows-Kernel-General-eventno-11542-phase-1.htm), which is typically the first eventid to be logged after a reboot/reset etc and shows the actual "system start time", i.e.: _"The operating system started at system time ‎2017‎-‎09‎-‎19T02:46:06.582794900Z."_ – Abel Sep 19 '17 at 14:45
The links in this answer are broken – Tim Schmelter Mar 07 '18 at 09:03
1

I search but failed to find current Microsoft docs on event log codes so I created an issue in the Microsoft Docs github to garner advice / consensus on where to revive this content in the new MS docs regime, https://github.com/MicrosoftDocs/windowsserverdocs/issues/444. @tim-schmelter please upvote and add your thoughts. – JohnC Mar 08 '18 at 02:19
I added alternate links to archive.org where all the missing Microsoft TechNet pages are still available. – JohnC Nov 26 '18 at 03:39
4

Here is a PowerShell "one-liner" for that: Get-EventLog -LogName System |? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize -wrap – user10082 Aug 07 '19 at 13:12
1

Event ID 41 "The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly." – Mick Jul 01 '20 at 03:02

ocroquette · Answer 2 · 2021-08-31T09:17:12.563

Turning @user10082 comment into an answer. The proposed solution is a one-liner, as Powershell script:

Get-EventLog -LogName System |? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize –wrap

Here is the output:

TimeGenerated         EventID Message
-------------         ------- -------
5/30/2021 11:23:16 AM    6005 The Event log service was started.
5/30/2021 11:23:16 AM    6009 Microsoft (R) Windows (R) 10.00. 19042  Multiprocessor Free.
5/30/2021 11:23:16 AM    6008 The previous system shutdown at 18:35:45 on ‎24/‎05/‎2021 was unexpected.
5/24/2021 11:55:45 AM    6005 The Event log service was started.
5/24/2021 11:55:45 AM    6009 Microsoft (R) Windows (R) 10.00. 19042  Multiprocessor Free.
5/24/2021 11:55:31 AM    6006 The Event log service was stopped.
5/24/2021 11:55:27 AM    1074 The process C:\Windows\system32\SystemSettingsAdminFlows.exe (DESKTOP) has
                              initiated the restart of computer DESKTOP on behalf of user DESKTOP\User
                              for the following reason: Other (Unplanned)
                               Reason Code: 0x0
                               Shutdown Type: restart
                               Comment:

This was very helpful. Deserves a lot more votes – Wesley Apr 12 '21 at 07:08 — Wesley, Apr 12 '21 at 07:08

JTL · Answer 3 · 2015-07-01T15:02:16.210

4

I would simply leave this as a comment since JohnC has basically covered everything, but I am not allowed to do so yet.

The events he described have been used for quite a while, so they will work for any of the OS you mentioned, as well as their desktop brethren. The event ID pages He linked to, such as the one for 6006 on TechNet, mention Windows Server 2003.

If there was an elegant shutdown, user initiated or otherwise, you should also see some Event ID 7036 telling you that various services "entered the stopped state." As the machine starts up again, you will see more 7036s announcing that services are entering the running state.

edited Jul 01 '15 at 15:02

answered Jul 01 '15 at 14:54

JTL

141
1
2
5

2

You will also see a big block of event ID 7036 if a service is repeatedly cycling states, so it isn't the best way to look for restarts. You should look for [the events described](http://serverfault.com/a/702829/297063) by JohnC , first. – JTL Jul 01 '15 at 15:01

Rakaim · Answer 4 · 2019-01-24T18:42:52.817

4

I prefer to accomplish activities from command line. Here's the beginning of a snippet you can leverage. This shows the most recent 30,000 system records and returns the reboots within those records.

Get-EventLog -LogName System -Newest 30000 | Where-Object {$_.EventID -eq 6005}

edited Jan 24 '19 at 18:42

answered Jan 24 '19 at 18:20

Rakaim

214
1
6

elemer82 · Answer 5 · 2019-08-19T16:13:22.457

Building on @JohnC s answer and extending it

You could use an XML filter like:

<QueryList>
<Query Id="0" Path="System">
<Select Path="Security">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Setup">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Microsoft-Windows-Kernel-Power/Diagnostic">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Microsoft-Windows-Kernel-Power/Thermal-Diagnostic">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='User32'] and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-WER-SystemErrorReporting'] and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
</Query>
</QueryList>

You can replace 172800000 with the below values for the time range:

86400000 - Last 24 hours

172800000 - Last 2 Days

604800000 - Last 7 Days

This will show much more detail from the time when the server/pc went offline It includes Kernel-Power, User32 and EventLog events.

score 1 · Answer 6 · answered Feb 05 '21 at 23:24

Short and concise one liner to get reboot and startup time of last 8 hours from a remote machine using SysInternals psloglist and the event id's from above:

psloglist \\computername -h 8 -i 41,1074,1076,6005,6006,6008,6013

The only thing missing (for me) is the event id for "logon dialog ready for user" equivalent. That seems to hard to find (What can I query to see if Windows is booted and done with updates?)

Windows Server restart / shutdown history

6 Answers6

Linked

Related