If your organization has many system administrators, you may want to know who restarted the server at certain times. This post will show you How to find out who restarted Windows Server. This is to view shutdown/reboot/startup logs on Windows servers. Windows has a great application called Windows Event Viewer that records all actions that occur on the computer. Here are other related guides on Windows Server: How to uninstall Internet Explorer from your Windows PC or Windows Server, How to install Windows Server 2022 on VirtualBox, How to Install Web Server IIS in Windows Server 2019, Network File System: How to install NFS Server on Windows Server, and how to Migrate Roles and Features to Windows Server 2022 using WSMT.
The event log service, which is a Windows core service, manages the Windows Event Viewer. The event viewer records the event log service’s startup and shutdown history. It tracks each user’s activity while the machine is working. On the Windows Server/Desktop, and PCs, it logs errors, information messages, and warnings.
The Most Frequent Startup and Shutdown Events
There are several events associated with shutting down and restarting a Windows PC. However, in this post, we will show you the most common events:
- Event ID 41: indicates that your Windows machine rebooted without completely shutting down.
- Event ID 6005: This code indicates the starting of the event log service.
- Event ID 1074: Your computer logs this event whenever a program makes your laptop restart or shut down. Additionally, this event lets you know when a user rebooted or shut down the machine using the Start menu or the CTRL+ALT+DEL keyboard shortcut.
- Event ID 6006: If your Windows PC shuts down properly, this event is recorded.
- Event ID 6008: This event occasionally appears in your system log when your machine abruptly or unexpectedly shuts down.
- Event ID 6009: Identifies the name of the Windows product, version, build number, service pack number, and operating system type that is detected during boot.
- Event ID 1076: Keeps track of the first time a user with shutdown permissions logs in to the computer after an unexpected restart or shutdown, along with a reason for the occurrence.
Please see how to detect if an application was uninstalled on Windows: Find out who has uninstalled an application via Windows Event Viewer, How to view Scheduled Events on AW using the Command Line (CLI), How to prevent a remote shutdown and restart in Windows, How to prevent users from shutting down in a Virtual Machine, and How to use command prompt to shutdown and restart your computer.
How to find out who restarted Windows Server
In this section, I will show you how to view Shutdown and Restart Log from Event Viewer. Let’s go over the whole process of getting this data from the Windows event viewer.
To open the Event Viewer, press Win + R to launch the Run dialog box and type eventvwr.
In the left pane, click on Windows Logs and select System. You’ll see a list of events that occurred while Windows was operating in the center pane. Click on the Event ID label to sort the data by the Event ID column.
If the event log is large, the sorting will fail. You can also make a filter using the Actions pane on the right. Simply choose “Filter current log.”
In the Event IDs field, enter 1074 or any Event ID. Under Logged, you can also choose a time period.
After you have completed all of the procedures, the Windows Event Viewer will only show events connected to the shutdown.
How to View Shutdown and Restart Log Using Windows PowerShell
The PowerShell command Get-EventLog can be used to get the shutdown and reboot logs in Windows from the command line.
Enter the following command, for example, to filter the 10,000 most recent entries in the System Event Log:
Get-EventLog System -Newest 10000 | ` Where EventId -in 41,1074,1076,6005,6006,6008,6009,6013 | ` Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -wrapRun the following command to view just events related to Windows shutdowns and restarts:
Get-WinEvent -FilterHashtable @{logname = 'System'; id = 1074} | Format-Table -wrapI hope you find this post helpful. If you have any questions, feel free to leave them in the comment section below.