habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

How to Show Log Windows Startup and Shutdown History

1 min read

How to Show Log Windows Startup and Shutdown History

Sometimes, we need a record or log to find out why a computer or windows server suddenly restart itself or even the host shutdown. Mostly, system administrators need to know about the history for troubleshooting purposes. In this post, i want to show two ways to show and track log windows server startup shutdown.

Event Viewer Information

Windows Event Viewer is a wonderful tool. It can track PC/Server activity during startup until shutdown.

Windows Startup and Shutdown

The eventlog service events are logging with two event codes.

  • Event ID 6005 : indicates that the eventlog service was started.
  • Event ID 6009 indicates that the eventlog services were stopped.

Windows Shutdown And Reboot.

This list ID can be describe:

  • 41 : The system has rebooted without cleanly shutting down first. This error came from the system stop responding, crashed, or lost power unexpectedly.
  • 1074 : Logged when an app (ex: Windows Update) causes the system to restart, or when a user initiates a restart or shutdown.
  • 6006 : Log as a clean shutdown. It gives the message “The Event log service was stopped”.
  • 6008 : Log as a dirty shutdown. It gives the message “The previous system shutdown at time on date was unexpected”.

Here’s How:

  1. Press the Win + R keys to open Run, type eventvwr.msc into Run, and click/tap on OK to open Event Viewer.
  2. In the left pane of Event Viewer, open Windows Logs and System, right click or press and hold on System, and click/tap on Filter Current Log. (see screenshot below).
See also  Easy Change Default Port RDP Remote Dekstop Windows
Event viewer filter log
  • 3. Enter the event ID’s below into the field, and click/tap on OK. (see screenshot below)

41, 1074, 6006, 6008

wlms.exe make server or PC power off

Here is example result that i have done “filter log”. The system tell us that server have done power off because wlms.exe. wlms.exe is Windows License check. Usually license windows trial is expire. So i have to input license and solving this problem.

The process wlms.exe has initiated the power off of computer SERVER-1 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Other (Unplanned)
Reason Code: 0x0
Shutdown Type: power off
Comment:

Using TurnOnView

This is helpfull, simple, portable tool for analyzing the event log for startup and shutdown history.

This tool is TurnedOnTimesView.

turnonview

From the picture above, it appears that there is a daily reboot activity, where daily task scheduler triggering reboot daily.

That is simple way to track log windows server startup shutdown. May be it’s helpful, please feel free to leave a comment if you have any questions and I’ll appreciate it.


habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

Manage Windows Server with Sconfig

“Sconfig” stands for “Server Configuration”, and it is a command-line utility in Windows Server operating systems. It is used to perform basic configuration tasks...
habibzain
48 sec read

How Terminate or End a Running Process in Windows

To terminate or end a running process in Windows, we can use the “Taskkill” command. Here’s how to use it: Open the Command Prompt:...
habibzain
55 sec read

Leave a Reply

Your email address will not be published. Required fields are marked *

Never miss good article from us, get weekly updates in your inbox