\\\ Windows System Shutdown and Restart History
Windows System Shutdown and Restart History
We can check shutdown and restart history — especially to find out why a server or PC rebooted.
1. Open Event Viewer
Run:
eventvwr.mscNavigate to:
Windows Logs→System
2. Key Event IDs to Look For
| Event ID | Source | Description |
|---|---|---|
| 41 | Kernel-Power | System rebooted without clean shutdown (often power loss or hardware issue). |
| 1074 | User32 | Event triggered by user or process requesting a shutdown or restart. |
| 6006 | EventLog | “The Event log service was stopped.” (Indicates a clean shutdown) |
| 6008 | EventLog | “The previous system shutdown was unexpected.” |
| 6005 | EventLog | “The Event log service was started.” (Often system startup) |
3. How to Analyze
Unexpected shutdown: Look for Event ID 6008 and Kernel-Power 41 around the same timestamp.
Determine cause: If Event ID 1074 is present, it might give a reason or the process/user that initiated shutdown.
Time correlation: Match shutdown time with logs from antivirus, Windows Update, or third-party software.
Example Audit Process
Filter System log for Event IDs:
41,1074,6006,6008,6005.Start from most recent unexpected shutdown (6008) and check surrounding logs.
Cross-check with:
Securitylogs (for logins, process starts)Applicationlogs (app crashes, update failures)
