Windows Server restart / shutdown history

windows-server-2008 windows-server-2008-r2 windows-server-2012 windows-server-2012-r2 windows-event-log

592,446

Solution 1

The clearest most succinct answer I could find is:

How To See PC Startup And Shutdown History In Windows

which lists these event ids to monitor (quoted but edited and reformatted from article):

Event ID 6005 (alternate): “The event log service was started.” This is synonymous to system startup.
Event ID 6006 (alternate): “The event log service was stopped.” This is synonymous to system shutdown.
Event ID 6008 (alternate): "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.
Event ID 6009 (alternate): Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id.

Add to that a couple more from the Server Fault answers listed in my OP:

Event ID 1074 (alternate): "The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z." Indicates that an application or a user initiated a restart or shutdown.
Event ID 1076 (alternate): "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

Did I miss any?

Solution 2

Turning @user10082 comment into an answer. The proposed solution is a one-liner, as Powershell script:

Get-EventLog -LogName System |? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize –wrap

Here is the output:

TimeGenerated         EventID Message
-------------         ------- -------
5/30/2021 11:23:16 AM    6005 The Event log service was started.
5/30/2021 11:23:16 AM    6009 Microsoft (R) Windows (R) 10.00. 19042  Multiprocessor Free.
5/30/2021 11:23:16 AM    6008 The previous system shutdown at 18:35:45 on ‎24/‎05/‎2021 was unexpected.
5/24/2021 11:55:45 AM    6005 The Event log service was started.
5/24/2021 11:55:45 AM    6009 Microsoft (R) Windows (R) 10.00. 19042  Multiprocessor Free.
5/24/2021 11:55:31 AM    6006 The Event log service was stopped.
5/24/2021 11:55:27 AM    1074 The process C:\Windows\system32\SystemSettingsAdminFlows.exe (DESKTOP) has
                              initiated the restart of computer DESKTOP on behalf of user DESKTOP\User
                              for the following reason: Other (Unplanned)
                               Reason Code: 0x0
                               Shutdown Type: restart
                               Comment:

Solution 3

I would simply leave this as a comment since JohnC has basically covered everything, but I am not allowed to do so yet.

The events he described have been used for quite a while, so they will work for any of the OS you mentioned, as well as their desktop brethren. The event ID pages He linked to, such as the one for 6006 on TechNet, mention Windows Server 2003.

If there was an elegant shutdown, user initiated or otherwise, you should also see some Event ID 7036 telling you that various services "entered the stopped state." As the machine starts up again, you will see more 7036s announcing that services are entering the running state.

Solution 4

Building on @JohnC s answer and extending it

You could use an XML filter like:

<QueryList>
<Query Id="0" Path="System">
<Select Path="Security">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Setup">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Microsoft-Windows-Kernel-Power/Diagnostic">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Microsoft-Windows-Kernel-Power/Thermal-Diagnostic">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='User32'] and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-WER-SystemErrorReporting'] and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
</Query>
</QueryList>

You can replace 172800000 with the below values for the time range:

86400000 - Last 24 hours

172800000 - Last 2 Days

604800000 - Last 7 Days

This will show much more detail from the time when the server/pc went offline It includes Kernel-Power, User32 and EventLog events.

Solution 5

I prefer to accomplish activities from command line. Here's the beginning of a snippet you can leverage. This shows the most recent 30,000 system records and returns the reboots within those records.

Get-EventLog -LogName System -Newest 30000 | Where-Object {$_.EventID -eq 6005}

View more solutions

592,446

JohnC

Cloud Solution / Technical Architect, Designer and Developer Microsoft Azure, AWS, Google M365, Teams, SharePoint Online & OneDrive SharePoint Server Amateur local historian Outdoor recreation enthusiast

Updated on September 18, 2022

Comments

JohnC over 1 year
How can I easily see a history of every time my Windows Server has restarted or shutdown and the reason why, including user-initiated, system-initiated, and system crashed?

The Windows Event Log is an obvious answer but what is the complete list of events that I should view?

I found these posts that partially answer my question:
- Windows server last reboot time includes several answers that partially address the full restart history
- View Shutdown Event Tracker logs under Windows Server 2008 R2 includes an additional event id
- Event Log time when Computer Start up / boot up includes some of the same event ids
but those don't cover every scenario AFAIK and the info is hard to understand because it is spread across multiple answers.

I have several versions of Windows Server so a solution that works for at least versions 2008, 2008 R2, 2012, and 2012 R2 would be ideal.
- Peter Hahndorf almost 9 years
  
  In some situations Nirsoft's TurnedOnTimesView may be good enough. (nirsoft.net/utils/computer_turned_on_times.html) it shows reboots and shutdown times.
- 030 almost 9 years
  
  Do you use an external monitoring tool, .e.g., opsview, nagios, icinga, shinken? These tools store the monitoring results in a database and then you could check if servers were restarted and when,
JTL almost 9 years

You will also see a big block of event ID 7036 if a service is repeatedly cycling states, so it isn't the best way to look for restarts. You should look for the events described by JohnC , first.
sendmoreinfo almost 9 years

To differentiate between power loss and a reboot due to bugcheck, look for combination of Event ID 41 (source: Microsoft-Windows-Kernel-Power) and Event ID 1001: (source: BugCheck). Former without the latter indicates power loss or reset.
jbooker over 7 years

This was helpful. Thank you johnC. In the Includes/Excludes event ID's input field in the Filter Current Log window, I entered "6005, 6006, 6008, 6009, 6013, 1074, 1076" and it gave me exactly what I needed.
Abel over 6 years

You should probably add Kernel-General with eventid 12, which is typically the first eventid to be logged after a reboot/reset etc and shows the actual "system start time", i.e.: "The operating system started at system time ‎2017‎-‎09‎-‎19T02:46:06.582794900Z."
Tim Schmelter about 6 years

The links in this answer are broken
JohnC about 6 years

I search but failed to find current Microsoft docs on event log codes so I created an issue in the Microsoft Docs github to garner advice / consensus on where to revive this content in the new MS docs regime, github.com/MicrosoftDocs/windowsserverdocs/issues/444. @tim-schmelter please upvote and add your thoughts.
JohnC over 5 years

I added alternate links to archive.org where all the missing Microsoft TechNet pages are still available.
user10082 almost 5 years

Here is a PowerShell "one-liner" for that: Get-EventLog -LogName System |? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize -wrap
Mick almost 4 years

Event ID 41 "The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
Wesley about 3 years

This was very helpful. Deserves a lot more votes