Check who restarted Windows OS
Sometimes you will need to investigate who restarted or shutdown Windows Server. This information can be found in Event Viewer.
1. Open Even Viewer (eventvwr.msc)
2. Right-click on System Windows log.
3. Click on Filter Current Log... 
2. Right-click on System Windows log.
3. Click on Filter Current Log...
4. In the filter box, enter the EventID 1074 and click OK. Only restart and shutdown events will be shown on the list.
5. Check info about restart or shutdown on the General tab of the event.
Check with PowerShell
Get-EventLog -LogName System |
where {$_.EventId -eq 1074} |select-object -first 10 |
ForEach-Object {
$rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode
if ($_.ReplacementStrings[4]) {
$rv.Date = $_.TimeGenerated
$rv.User = $_.ReplacementStrings[6]
$rv.Process = $_.ReplacementStrings[0]
$rv.Action = $_.ReplacementStrings[4]
$rv.Reason = $_.ReplacementStrings[2]
$rv
}
} | Select-Object Date, Action, Reason, User, Process |ft
where {$_.EventId -eq 1074} |select-object -first 10 |
ForEach-Object {
$rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode
if ($_.ReplacementStrings[4]) {
$rv.Date = $_.TimeGenerated
$rv.User = $_.ReplacementStrings[6]
$rv.Process = $_.ReplacementStrings[0]
$rv.Action = $_.ReplacementStrings[4]
$rv.Reason = $_.ReplacementStrings[2]
$rv
}
} | Select-Object Date, Action, Reason, User, Process |ft
Other EventIDs
- Event ID 41: This event indicates that Windows restarted without a complete shutdown.
- Event ID 6006: This event indicates that Windows was adequately turned off.
- Event ID 6008: This event indicates an improper or dirty shutdown. It is logged when the most recent shutdown was unexpected.
Comments
Post a Comment