Windows : How to detect if computer was shut down remotely?

4

A computer in domain is randomly shut down by someone (he was caught once)!

He uses shutdown /s /f /t 0 /m \\computername in windows command line to accomplish this.

After the incident some computers randomly shut down several times a week, but maybe not by the same person.

Now the question is: Is it possible to detect / monitor if a computer was shut down remotely, and by who? (eg in Event Viewer)

armen

Posted 2013-03-19T08:24:19.637

Reputation: 141

1Maybe you can take a look in System Event log? I think it should contain some details about which process initiated the shutdown. – Eugene S – 2013-03-19T08:56:22.173

@EugeneS - the system log does not contain any info related to shutdowns. – armen – 2013-03-27T14:47:15.493

Answers

2

Try filtering the System log with the User32 event source, and 1074 Event ID (see more).

Unless you have enabled the Shutdown Event Tracker the "Other (Unplanned)" reason, is normal.

Louis

Posted 2013-03-19T08:24:19.637

Reputation: 18 859

we are running Windows XP Pro on all machines, and the article says "This feature is not included in Windows XP Professional." – armen – 2013-04-01T06:30:22.117

Asked: 2013-03-19T08:24:19.637

Viewed: 6 117 times

Active: 2013-11-14T12:22:18.877