How do I log startup and shut-down times in Windows 7?

windows boot shutdown logging

26,540

Solution 1

Windows uses event logs with Event Viewer to log this sort of thing:

Event ID #6005 indicates system startup

Event ID #6006 indicates system shutdown

You should create a custom view in Event Viewer that will filter those two event IDs with the source being the eventlog.

This is the simplest way.

Alternatively, you can use PowerShell's Get-WinEvent cmdlet to create a custom filter and pipe those items to a text file.

Or... you can use the Get-EventLog to pipe a custom event log (that you create with the custom views...) to a text file.

Solution 2

Using PowerShell's Get-EventLog the following (long) one-liner will output the requested output to a text file:

Get-EventLog -LogName System | Where-Object {(($_.EventID -eq 6005) -or ($_.EventID -eq 6006)) -and ($_.TimeGenerated -gt [DateTime] "2017-05-01")} | Select-Object EventID, TimeGenerated, Message | Sort-Object -Property TimeGenerated | Foreach { if ($_.EventID -eq 6005) { $out = "Startup"  } else { $out = "Shutdown" + "`r`n"}  ($_.TimeGenerated.ToString() + '  ' + $out); } > C:\temp2\_ComputerStartsAndStops.log

Notes

Directory C:\temp2 must exist for this to work. If it does not exist, create it or change the one-liner to use another (existing) directory.
To get the output in ISO 8601 format, replace "TimeGenerated.ToString()" with "TimeGenerated.ToString("s")".
There is a built-in time filter in the one-liner (only including start and shutdowns after 2017-05-01). Change "2017-05-01" to something else if older start and shutdowns are needed.
If the output is required in reverse chronological order then replace "Sort-Object" with "Sort-Object -Descending".
As it uses Get-EventLog it will also work on older versions of Windows.

Instruction

The one-liner can be put in a script, but then permissions have to be taken care of before it works. Instead, the easiest way is to:

Open a Windows command prompt: Window + R, type CMD and press Enter.
Type powershell and press Enter. (On Windows 10, PowerShell can be opened directly by Window + X and choosing "Windows PowerShell")
Copy the one-liner to the clipboard.
Paste in the one-liner: Alt + Space → Edit → Paste (on newer versions of Windows, the normal Ctrl + V actually works in both CMD and PowerShell windows (both now run under conhost.exe)).
Press Enter
Wait until it finishes (it can take quite a long time, especially if it is an old installation of Windows).
The result can found in file C:\temp2\_ComputerStartsAndStops.log.

Solution 3

6005 is showing the start of logging events, but I assume it will also show up in case of any reboots, i.e. Windows does not make a difference between a 'full start-up' or warm reboot.

If the purpose is to seek the first startup and last closedown only, one has to remove any double 6005 entries.

With me, event id 12 is the very first one and event id 13 is the last one.

12: The description for Event ID ( 12 ) in Source ( Microsoft-Windows-Kernel-General ) could not be found. Either the component that raises this event is not installed on the computer or the installation is corrupted.You can install or repair the component or try to change Description Server.

13: The description for Event ID ( 13 ) in Source ( Microsoft-Windows-Kernel-General ) could not be found. Either the component that raises this event is not installed on the computer or the installation is corrupted.You can install or repair the component or try to change Description Server.

The following information was included with the event (insertion strings): 2012-12-25T18:23:26.070181000Z

PS: That aside, I have a number of instances where a few 6005's were logged, but no 6006 that follows. One has to manually add the actual log-off based on e.g. the last eventlog entry that day.

26,540

Will Martin

Updated on September 18, 2022

Comments

Will Martin almost 2 years
I'd like to log the times when my computer starts up and shuts down. I don't need any diagnostic info or anything, just a simple note of the date and time, e.g. something like:
```
2011/04/29 08:17:34 AM Startup
2011/04/29 05:26:52 PM Shutdown
```
How can I do that?

My Google searches so far have yielded lots of people asking about reducing Windows startup times, but nothing of interest to the task at hand.
Viktor Sehr over 12 years

Is there any way to know system login\sleep times?
machineaddict almost 11 years

I don't have a clue how to create those views, even after I've read those pages. But, there is an easier way. Open up Event Viewer, click Windows Logs -> System. On the right side there is Filter Current Log..., click on it and when the new window appears insert 6006 on All Event ID's and click Ok. This will show up only system shutdown events. Do the same for system startup.
Fernando Espinosa almost 10 years

useful stuff...