Windows Server restart / shutdown history

Solution 1:

The clearest most succinct answer I could find is:

  • How To See PC Startup And Shutdown History In Windows

which lists these event ids to monitor (quoted but edited and reformatted from article):

  • Event ID 6005 (alternate): “The event log service was started.” This is synonymous to system startup.
  • Event ID 6006 (alternate): “The event log service was stopped.” This is synonymous to system shutdown.
  • Event ID 6008 (alternate): "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.
  • Event ID 6009 (alternate): Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
  • Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id.

Add to that a couple more from the Server Fault answers listed in my OP:

  • Event ID 1074 (alternate): "The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z." Indicates that an application or a user initiated a restart or shutdown.
  • Event ID 1076 (alternate): "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

Did I miss any?

Solution 2:

Turning @user10082 comment into an answer. The proposed solution is a one-liner Powershell script:

Get-EventLog -LogName System |? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize –wrap

Solution 3:

I would simply leave this as a comment since JohnC has basically covered everything, but I am not allowed to do so yet.

The events he described have been used for quite a while, so they will work for any of the OS you mentioned, as well as their desktop brethren. The event ID pages He linked to, such as the one for 6006 on TechNet, mention Windows Server 2003.

If there was an elegant shutdown, user initiated or otherwise, you should also see some Event ID 7036 telling you that various services "entered the stopped state." As the machine starts up again, you will see more 7036s announcing that services are entering the running state.


Solution 4:

I prefer to accomplish activities from command line. Here's the beginning of a snippet you can leverage. This shows the most recent 30,000 system records and returns the reboots within those records.

Get-EventLog -LogName System -Newest 30000 | Where-Object {$_.EventID -eq 6005}

Solution 5:

Building on @JohnC s answer and extending it

You could use an XML filter like:

<QueryList>
<Query Id="0" Path="System">
<Select Path="Security">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Setup">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Microsoft-Windows-Kernel-Power/Diagnostic">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Microsoft-Windows-Kernel-Power/Thermal-Diagnostic">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='User32'] and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-WER-SystemErrorReporting'] and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
</Query>
</QueryList>

You can replace 172800000 with the below values for the time range:

86400000 - Last 24 hours

172800000 - Last 2 Days

604800000 - Last 7 Days

This will show much more detail from the time when the server/pc went offline It includes Kernel-Power, User32 and EventLog events.