Thursday, August 17, 2017

Windows Server reboot/shutdown events in event viewer

Ever found yourself wondering about an unexpected system reboot? These event IDs are very useful when investigating the cause of an unexpected system shutdown/reboot.
I am not sure about others, but I have always found it hard to remember these event IDs, so I am making a note for future reference and believe others will also find it useful.

Server reboot/shutdown events:
  •  Event ID 6005: “The event log service was started.” This is synonymous with system startup.
  •  Event ID 6006: “The event log service was stopped.” This is synonymous with system shutdown.
  •  Event ID 6008: “The previous system shutdown was unexpected.” Records that the system started after it was not shut down properly.
  •  Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
  •  Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this ID.
  •  Event ID 1074: “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” Indicates that an application or a user initiated a restart or shutdown.
  •  Event ID 1076: “The reason supplied by user X for the last unexpected shutdown of this computer is: Y.” Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.
Note: In case of an unexpected shutdown due to power failure, there would be no event created.

To find the system boot time:
  C:\> systeminfo | find /i "boot time"
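
To pull the event IDs listed above into one timeline, here is a PowerShell sketch. It is an added example, not part of the original note; the 30-day look-back window and the label wording are assumptions. It also flags any startup (6005) that was not preceded by a clean stop (6006), which is how a power loss shows up in the log.

```powershell
# Added example: reboot/shutdown timeline built from the System event log.
# Labels are shorthand for the descriptions in the list above.
$labels = @{
    6005 = 'Startup (event log service started)'
    6006 = 'Clean shutdown (event log service stopped)'
    6008 = 'Previous shutdown was unexpected'
    6009 = 'OS version info at boot'
    6013 = 'Uptime'
    1074 = 'Restart/shutdown initiated by process or user'
    1076 = 'Reason supplied for unexpected shutdown'
}

$filter = @{
    LogName   = 'System'
    Id        = [int[]]@($labels.Keys)
    StartTime = (Get-Date).AddDays(-30)   # assumed look-back window
}

# Get-WinEvent returns newest first; sort oldest first to walk the timeline.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$lastStartStop = $null   # last 6005/6006 seen while walking forward
$timeline = foreach ($e in $events) {
    $note = ''
    if ($e.Id -eq 6005) {
        if ($null -eq $lastStartStop) {
            $note = 'first start in window, earlier stop not visible'
        } elseif ($lastStartStop -ne 6006) {
            $note = 'no clean stop (6006) before this start'
        }
    }
    if ($e.Id -in 6005, 6006) { $lastStartStop = $e.Id }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        # Shown so an entry from another source reusing one of these IDs stands out.
        Provider = $e.ProviderName
        Meaning  = $labels[[int]$e.Id]
        Detail   = ("$($e.Message)" -split "`r?`n")[0]   # first line of the message
        Note     = $note
    }
}

$timeline | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt on the server being investigated; for 1074 events the Detail column carries the process and user named in the message.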


That's it... :)