Просмотр событий windows 10 перезагрузка

Если в вашей организации несколько системных администраторов, у вас периодически может возникать вопрос “Кто перезагрузил сервер?”. В этой статье я покажу как найти определения пользователя, который перезагрузил или выключил компьютер/сервер Windows.

Информация об учетной записи, которая отправила команду перезагрузки Windows сохраняется в журнал событий.

Откройте консоль Event Viewer (
eventvwr.msc
) и перейдите в раздел Windows Logs -> System;
Включите фильтр журнала событий, выбрав в контекстном меню пункт Filter Current Log;

Картинка с сайта: winitpro.ru
В поле фильтра укажите EventID 1074 и нажмите OK;

Картинка с сайта: winitpro.ru
В журнале событий останутся только события выключения (перезагрузки), откройте любое из них;
В событии от источника User32 будет указан пользователь, который инициировал перезагрузку Windows. В этом примере это пользователь a.novak.

Картинка с сайта: winitpro.ru

The process C:\Windows\Explorer.EXE (MSK-DC03) has initiated the restart of computer MSK-DC03 on behalf of user WINITPRO\a.novak for the following reason: Other (Unplanned)
Reason Code: 0x5000000
Shutdown Type: restart
Comment:

Рассмотрим еще несколько примеров событий перезагрузки/выключения Windows. В качестве пользователя, запустившего перезагрузку операционную систему может быть указан NT AUTHORITY\SYSTEM.

Это означает, что перезагрузку инициировала одна из служб или программ Windows, запущенная от имени SYSTEM.. Например, это может быть процесс службы
wuauserv
, который закончил установку обновлений Windows и выполнил перезагрузку согласно настроенной политике Windows Update или с помощью задания модуля PSWindowsUpdate.

The process C:\Windows\uus\AMD64\MoUsoCoreWorker.exe (WKS-PC11S22) has initiated the restart of computer WKS-PC11S22 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service pack (Planned)
Reason Code: 0x80020010
Shutdown Type: restart
Comment:

Если ваша Windows запущена внутри виртуальной машины VMware, то если выполнить Restart Guest из консоли управления VMware, событие (выключения) будет выглядеть так:

The process C:\Program Files\VMware\VMware Tools\vmtoolsd.exe (MSK-DC03) has initiated the shutdown of computer MSK-DC03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: shutdown

В этом случае выключение Windows также инициировано NT AUTHORITY\SYSTEM, т.к. службы интеграции VMware Tools запущены от имени системы.

Вы можете получить информацию о событиях перезагрузки с помощью PowerShell. Следующая команда выберет все события с EventID 1074:

Get-WinEvent -FilterHashtable @{logname=’System’;id=1074}|ft TimeCreated,Id,Message

Команда вернула описания всех событий перезагрузки и выключения Windows.

Можно использовать следующий скрипт PowerShell, который возвращает более короткий список с последними десятью событиями с именами пользователей, и процессами, которые инициировали перезагрузку/выключение сервера.

Get-EventLog -LogName System | where {$_.EventId -eq 1074} |select-object -first 10 | ForEach-Object { $rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode

if ($_.ReplacementStrings[4]) { $rv.Date = $_.TimeGenerated $rv.User = $_.ReplacementStrings[6] $rv.Process = $_.ReplacementStrings[0] $rv.Action = $_.ReplacementStrings[4] $rv.Reason = $_.ReplacementStrings[2] $rv } } | Select-Object Date, Action, Reason, User, Process |ft

скрипт powershell - кто перезагрузил windows

Также с помощью PowerShell можно быстро получить имя пользователя, который перезагрузил удаленный компьютер. Получить доступ к журналу событий на удаленном хосте можно с помощью формата Get-EventLog -ComputerName или вы можете подключиться к компьютеру через PSRemoting с помощью командлета Invoke-Command:

Invoke-Command -ComputerName rds2-12 -ScriptBlock {Get-WinEvent -FilterHashtable @{logname=’System’;id=1074} |select-object TimeCreated,Id,Message -first 1}

По событию 1074 можно найти только причины корректных (штатных) перезагрузок сервера. Если Windows была перезагружена не штатно (например, при потере электропитания, или появления BSOD), тогда нужно искать события с EventID 6008.

The previous system shutdown at 4:34:49 AM on ‎1/‎17/‎2022 was unexpected.

EventID 6008 The previous system shutdown was unexpected.

И конечно, вы не сможете понять, кто перезагрузил Windows, если журналы событий были очищены, или старые события перезатерты более новыми (в домене желательно настроить увеличенный размер журналов событий с помощью GPO).

Источник

Table of contents

What Is the Windows Event Viewer?
Most Common Windows Reboot and Shutdown Event IDs
How to See PC Startup and Shutdown Logs in Windows 10/11?
- Method 1: View the shutdown and restart log from the Event Viewer
- Method 2: View the shutdown and restart log using the Command Prompt
Windows Restart/Shutdown Logs: Explained
FAQ

Are you wondering what happens when your computer shuts down and after it restarts? Many things happen within that period, and thankfully, Windows helps track the entire process and keeps a record in the system log.With the built-in Windows Event Viewer, you can monitor the activities that occur on your computer before, during, and after it shuts down or restarts. In this article, we’ll teach you how to do that, but first, what is the Event Viewer?

What Is the Windows Event Viewer?

The Event Viewer

records application and system messages on a Windows 10 PC and logs every action taken while working on the computer. That said, if many users operate a computer, you can use the Event Viewer to monitor each user’s activities while the device is running. Also, it helps users discover errors, such as blue screens of death (BSODs) , information messages, and warnings on their PCs. What’s more, you can’t alter, stop, or disable the activities of the Event Viewer altogether because it’s a core Windows service. In many cases, you can start troubleshooting any issue on a Windows computer from the Event Viewer. However, as a rule of thumb, you don’t need to panic even if there are alarming messages or warnings in the system log. Unfortunately, some fraudsters take advantage of messages in the Event Viewer to scare and defraud people. They can manipulate it to display error messages and warnings even if your computer is working correctly. Without much ado, let’s show you how to track what happens when your computer shuts down or starts using the Windows Event Viewer or the Command Prompt.

Most Common Windows Reboot and Shutdown Event IDs

There are many identified events related to shutting down and restarting a PC. However, we will show you the most common four in this article, and they include the following:

Event ID 41: This Event Viewer restart event ID shows that your Windows computer didn’t shut down completely and restarted .
Event ID 1074: When a certain app forces your laptop or PC to shut down or restart, you’ll see this shutdown/ restart event ID reflected in the Windows restart log . It will also show you if the PC was shut down (or restarted) using the Ctrl + Alt + Del combo or directly from the Start menu .
Event ID 6006: This one is the Event Viewer shutdown event ID that shows that your PC shut down properly .
Event ID 6008: You will see this event in your Windows shutdown log if your PC shut down unexpectedly.

How to See PC Startup and Shutdown Logs in Windows 10/11?

Using the Windows Event Viewer, you can quickly determine the shutdown or reboot event IDs on your computer after shutting down or restarting. You can also access some of the events using the Command Prompt, as we will show you below.

Generally, there are two methods to check the reboot or shutdown event ID s on your computer. The steps for both methods to view the Windows shutdown log (or the restart one) on Windows 10 and 11 are absolutely the same.

Method 1: View the shutdown and restart log from the Event Viewer

Follow the steps below to view shutdown and restart activities using Event Viewer:

Press the Windows logo + R keys to invoke the Run dialog.
Type eventvwr.msc and hit Enter.

The Event Viewer window will open. After that, navigate to Windows Logs > System on the left pane.
Click on Filter Current Log on the right.

The Event Viewer window will open. After that, navigate to Windows Logs > System on the left pane. Click on Filter Current Log on the right.» src=»https://www.auslogics.com/en/articles/wp-content/uploads/2024/08/View-the-shutdown-2.png»></p>
<div class=

Картинка с сайта: www.auslogics.com

Type 41,1074,6006,6008 into the textbox under Includes/Excludes Event IDs , and then click OK to filter the event log to the desired shutdown/ reboot event ID s.

Type 41,1074,6006,6008 into the textbox under Includes/Excludes Event IDs, and then click OK to filter the event log to the desired shutdown/reboot event IDs.

After completing all the steps, the Event Viewer will only display the Windows shutdown log .

Important!

From the Windows 10 Fall Creators Update ( also known as version 1709 ), the OS can automatically reopen apps that were running before your computer shut down or restarted.

This information is handy for Windows users who upgraded their OS to the recent release.

You can avoid this Windows update issue by doing the following:

Adding a unique Shut Down context menu to the desktop to restore the classic behavior.
Seeing the last shutdown time using the Command Prompt .

Also read:A Problem Has Been Detected and Windows Has Been Shut Down

PRO TIP

We always advise people to use our recognized software tool to get rid of all sorts of computer problems. Auslogics BoostSpeed can remove all harmful files in the registry, tweak system settings to boost your computer’s speed and performance, and modify internet connection settings to ensure seamless browsing, quicker downloads, and better audio/video call quality.

Method 2: View the shutdown and restart log using the Command Prompt

If the first method is not convenient for you, you can use the Command Prompt to check the Windows restart log (or the shutdown one if that’s your case) by following the steps below:

Press the Windows logo + R keys to open the run dialog, and then type cmd . That’s how you open the Command Prompt.

Now, you can simply copy and paste (or type it yourself if you’re feeling like it) the code you see below into the Command Prompt window and press Enter:

wevtutil qe system "/q:*[System [(EventID=1074)]]" /rd:true /f:text /c:1

Copy and paste the code you see below into the Command Prompt window and press Enter.

If you don’t need the complete Windows restart log with the reboot/ shutdown event ID and other information and want to view only the date and time of the last shutdown, you can use the code below:

wevtutil qe system "/q:*[System [(EventID=1074)]]" /rd:true /f:text /c:1 | findstr /i "date"

That’s all! You can use the Command Prompt to view the Windows shutdown and startup log on Windows 10 and 11. However, I recommend using the Event Viewer, mainly because it’s simple and straightforward. Moreover, you don’t have to copy-paste codes, which fraudsters can take advantage of to hack into your computer.

Are you unable to view the restart and shutdown log on your Windows 10 /11 PC?

If you have computer issues like junk or corrupted files or registry keys, it may be challenging to get to see the Windows restart log (or the shutdown one) and view restart and shutdown events on your PC.

Windows Restart/Shutdown Logs: Explained

If you still can’t get to see the Windows shutdown log to view startup and shutdown events on your computer using the methods we have shared, please provide us with more details.

We’d also love it if you left a comment and shared our post on your social media. For more tips about Windows-related issues, visit our blog.

FAQ

It could be due to junk files, corrupted system files, or problematic registry keys. In such a case, I suggest that you run Auslogics BoostSpeed, which can help clear out these problems and allow you to view the logs properly.

That’s pretty straightforward. Follow these steps:

Right-click anywhere on your desktop and select New > Shortcut .
For a shutdown shortcut, type shutdown /s /f /t 0 in the location box.
For a restart shortcut, type shutdown /r /f /t 0 .
Click Next, name your shortcut (e.g., “Shutdown” or “Restart”), and click Finish.

If your computer is stuck in a restart loop , try booting into Safe Mode:

Restart your computer and press the F8 key (or Shift + F8) before the Windows logo appears to enter the Advanced Boot Options.
Select Safe Mode and press Enter.
Once in Safe Mode, use the System Restore feature or uninstall recently installed updates or drivers that you suspect might be causing the issue.

If you’re still stuck, you might need to use a bootable USB to repair your Windows installation.

To turn off Fast Startup :

Open Control Panel and navigate to Hardware and Sound > Power Options .
Click on Choose what the power buttons do on the left.
Click on Change settings that are currently unavailable .
Under Shutdown settings , uncheck the box next to Turn on fast startup (recommended) .
Click Save changes.

Follow these steps:

Press the Windows logo + R keys, type cmd , and hit Enter to open the Command Prompt.
Copy and paste the following command and press Enter:

wevtutil qe system "/q:*[System [(EventID=1074)]]" /rd:true /f:text /c:1 | findstr /i "dat e"

Источник

Want to see your PC Startup and Shutdown History? Finding out the last time the PC was correctly turned off or booted up is the way to start troubleshooting many Windows issues. Another scenario is a public system. Thanks to the Event Viewer, administrators can view and monitor unauthorized use of the computer.

Whatever the reason, you can find out when your PC was last turned on and shut down directly from Windows. You don’t need a third-party app for this; the Windows Event Viewer can handle it perfectly.

What is the Windows Event Viewer?

How to check the Shutdown and Startup Log in Windows 10

The Windows Event Viewer is a Microsoft Management Console (MCC) – a core service of Windows that cannot be stopped or disabled. It keeps track of every activity that takes place on your PC.

The Event Viewer logs entries during every event. It also logs the start and stop times of the event log service (Windows), giving the correct date, time, and user details of every shutdown process.

How to use the Event Viewer?

Aside from keeping a log of when your Windows start and stop, you can use the Event Viewer for the following:

Create custom views by saving useful event filters.
You can see events from different event logs.
You can also create and manage different event subscriptions.
Create and schedule a task to run when triggered by another event.

Types of events in Windows related to shutting down and restarting

They are more than four events related to shutting down and restarting the Windows 11/10 operating system; we will list the important five. They are:

Event ID 41: This event indicates that Windows rebooted without a complete shutdown.
Event ID 1074: This event is written down when an application is responsible for the system shutdown or restart. It also indicates when a user restarted or shut down the system by using the Start menu or by pressing CTRL+ALT+DEL.
Event ID 6006: This event indicates that Windows was adequately turned off.
Event ID 6008: This Event indicates an improper or dirty shutdown. It shows up when the most recent shutdown was unexpected.

There are different ways to access any of the events listed above. The traditional way is through the Event Viewer app itself. As you will see below, most events can be accessed with the Command Prompt.

See PC Startup and Shutdown History

1] View shutdown and restart events from Event Viewer

Open the Run dialogue box and input eventvwr.msc then hit OK. In Event Viewer, select Windows Logs > System from the left pane. From the right, click on the Filter Current Log link.

Type in 41,1074,6006,6008 into the box below Includes/Exclude Event IDs... Hit Ok. Windows then displays all shutdown-related events.

The Event Viewer shows detailed information on every operation carried out on the system. Learn how to view full event viewer logs in this article.

2] See the last shutdown time using Command Prompt

Open the Command Prompt, copy and paste the following code in the window, and hit Enter:

wevtutil qe system "/q:*[System [(EventID=1074)]]" /rd:true /f:text /c:1

To view the timestamp of the last shutdown without other details, copy and paste the code below then hit Enter:

wevtutil qe system "/q:*[System [(EventID=1074)]]" /rd:true /f:text /c:1 | findstr /i "date"

As much as this method gets the job done, we often suggest you use method one, which is the Event Viewer. Not only is it more straightforward, but it also doesn’t involve copying and pasting commands.

We hope you find this post useful.

Read: How to export Event Viewer logs in Windows

How to see PC startup and shutdown history in Windows 11?

To set PC startup and shutdown history in Windows 11, you can use Event Viewer, Command Prompt, or Terminal. In the Command Prompt, enter this command: wevtutil qe system "/q:*[System [(EventID=1074)]]" /rd:true /f:text /c:1. It displays the complete shutdown timing along with some other descriptions.

How do I see restart logs in Windows 11?

To see the restart logs in Windows 11, you need to open the Event Viewer. Then, go to Windows Logs > System and try looking for Kernel-Power and/or Kernel-Boot. It denotes the reboot and startup. From here, you can see all the entries made by a restart.

Related read: How to find out Windows Downtime, Uptime and Last Shutdown Time.

Источник

В организациях с несколькими системными администраторами часто возникает необходимость выяснить, кто инициировал перезагрузку или выключение сервера Windows. Информация о таких действиях сохраняется в журнале событий Windows, что позволяет точно определить пользователя или процесс, ответственный за событие. В этой статье мы разберём, как найти инициатора перезагрузки с помощью Event Viewer, PowerShell и анализа событий с EventID 1074 и 6008.

Приобрести оригинальные ключи активации Windows Server можно у нас в каталоге от 1190 ₽

Поиск инициатора перезагрузки через журнал событий

Журнал событий Windows фиксирует данные о пользователе или процессе, отправившем команду на перезагрузку или выключение. Чтобы найти эту информацию:

1. Откройте Просмотр событий с помощью команды:

eventvwr.msc

2. Перейдите в раздел Журналы Windows → Система (Windows Logs → System).

3. В правой панели выберите Фильтр текущего журнала (Filter Current Log).

4. В поле ИД события укажите 1074 и нажмите ОК.

5. В отфильтрованном списке откройте любое событие с EventID 1074.

В описании события от источника User32 будет указано имя пользователя, инициировавшего перезагрузку. Например, пользователь softuser. Если указан NT AUTHORITY\SYSTEM, перезагрузку запустила системная служба или программа, такая как wuauserv (служба обновлений Windows), настроенная на автоматическую перезагрузку после установки обновлений.

Примеры событий перезагрузки

Разные сценарии перезагрузки или выключения могут указывать на различные причины и инициаторов:

— Перезагрузка из-за обновлений Windows:

Если перезагрузка вызвана службой wuauserv или заданием PSWindowsUpdate, в событии будет указан NT AUTHORITY\SYSTEM. Это происходит, если в политике Windows Update настроена автоматическая перезагрузка.

— Перезагрузка виртуальной машины VMware:

Если сервер работает на VMware, команда Restart Guest из консоли VMware генерирует событие:

The process C:\Program Files\VMware\VMware Tools\vmtoolsd.exe (MSK-DC03) has initiated the shutdown of computer MSK-DC03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown Reason Code: 0x80070000 Shutdown Type: shutdown

В этом случае инициатор — NT AUTHORITY\SYSTEM, так как перезагрузка выполнена через службы интеграции VMware Tools.

Поиск событий перезагрузки с помощью PowerShell

Для автоматизации анализа журнала событий используйте PowerShell. Следующие команды помогут быстро найти информацию о перезагрузках.

Получение всех событий EventID 1074

Выведите список событий с EventID 1074:

Get-WinEvent -FilterHashtable @{logname='System';id=1074} | Format-Table TimeCreated,Id,Message

Команда возвращает даты, идентификаторы и описания всех перезагрузок и выключений.

Краткий отчёт о последних 10 событиях

Используйте скрипт для вывода последних 10 событий с указанием пользователей и процессов:

Get-EventLog -LogName System | Where-Object {$_.EventID -eq 1074} | Select-Object -First 10 | ForEach-Object { $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode if ($_.ReplacementStrings[4]) { $rv.Date = $_.TimeGenerated $rv.User = $_.ReplacementStrings[6] $rv.Process = $_.ReplacementStrings[0] $rv.Action = $_.ReplacementStrings[4] $rv.Reason = $_.ReplacementStrings[2] $rv } } | Select-Object Date, Action, Reason, User, Process | Format-Table

Скрипт показывает дату, действие, причину, пользователя и процесс, инициировавший перезагрузку.

Анализ событий на удалённом сервере

Чтобы проверить журнал событий на удалённом компьютере:

Invoke-Command -ComputerName rds2-12 -ScriptBlock { Get-WinEvent -FilterHashtable @{logname='System';id=1074} | Select-Object TimeCreated,Id,Message -First 1 }

Команда использует PSRemoting для получения последнего события EventID 1074 с удалённого сервера, например, rds2-12.

Анализ нештатных перезагрузок

Событие EventID 1074 фиксирует только штатные перезагрузки и выключения. Для нештатных ситуаций, таких как сбой питания или BSOD (синий экран), ищите события с EventID 6008:

The previous system shutdown at 4:34:49 AM on ‎1/‎17/‎2022 was unexpected.

Эти события указывают на неожиданное завершение работы, но не содержат информации о пользователе.

Ограничения и рекомендации

— Очистка журналов: Если журнал событий был очищен или старые записи перезаписаны, определить инициатора перезагрузки невозможно.

— Размер журналов: В доменной среде увеличьте размер журналов событий через групповые политики (GPO), чтобы сохранить больше данных.

— Мониторинг: Настройте централизованный сбор журналов событий с помощью Windows Event Collector или SIEM-систем для упрощения анализа.

— Резервное копирование: Регулярно экспортируйте журналы событий для сохранения истории:

wevtutil epl System C:\Logs\SystemBackup.evtx

Дополнительные советы

— Если перезагрузка вызвана обновлениями Windows, проверьте настройки Windows Update в GPO или локальной политике.

— Для виртуальных машин анализируйте логи гипервизора (VMware, Hyper-V), чтобы выявить команды управления.

— Используйте PowerShell-скрипты для автоматизации мониторинга перезагрузок и отправки уведомлений администраторам.

Следуя этим шагам, вы сможете точно определить, кто или что инициировало перезагрузку или выключение сервера Windows, а также выявить причины нештатных сбоев.

Источник

While troubleshooting an issue that causes an unexpected reboot or shutdown of a Windows machine, it is important to know which event IDs are related to system reboot/shutdown and how to find the appropriate logs.

In this note i am publishing all the event IDs related to reboots/shutdowns.

I am also showing how to display the shutdown events with date and time, using a Windows Event Viewer or from the command-line using a PowerShell.

Cool Tip: How to boot Windows in Safe Mode! Read more →

The list of the Windows event IDs, related to the system shutdown/reboot:

Event ID	Description
41	The system has rebooted without cleanly shutting down first.
1074	The system has been shutdown properly by a user or process.
1076	Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause.
6005	The Event Log service was started. Indicates the system startup.
6006	The Event Log service was stopped. Indicates the proper system shutdown.
6008	The previous system shutdown was unexpected.
6009	The operating system version detected at the system startup.
6013	The system uptime in seconds.

Display Shutdown Logs in Event Viewer

The shutdown events with date and time can be shown using the Windows Event Viewer.

Start the Event Viewer and search for events related to the system shutdowns:

Press the ⊞ Win keybutton, search for the eventvwr and start the Event Viewer
Expand Windows Logs on the left panel and go to System
Right-click on System and select Filter Current Log...
Type the following IDs in the <All Event IDs> field and click OK:
```
41,1074,1076,6005,6006,6008,6009,6013
```

Cool Tip: Get history of previously executed commands in PowerShell! Read more →

Find Shutdown Logs using PowerShell

The shutdown/reboot logs in Windows can also be retrieved from the command-line using the PowerShell’s Get-EventLog command.

For example, to filter the 10000 most recent entries in the System Event Log and display only events related to the Windows shutdowns, run:

PS C:\> Get-EventLog System -Newest 10000 | `
        Where EventId -in 41,1074,1076,6005,6006,6008,6009,6013 | `
        Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -wrap

Cool Tip: Start/Stop a service in Windows from the CMD & PowerShell! Read more →

Was it useful? Share this post with the world!

Источник