Windows Startup And Shutdown Event Log Auditing

There are times when a user wants to know the startup and shutdown history of a computer. Most often system administrators need this history for troubleshooting. If several people share the computer, checking its startup and shutdown times is also a cheap security measure: it shows whether the PC was in use at times when nobody should have been at it. This article shows how to extract those times from the Windows event log.

Using event logs to extract startup and shutdown times

Windows Event Viewer is the console for the Windows event logs, in which the Windows Event Log service (eventlog) records an entry for every event it receives. The service cannot be stopped or disabled from the Services console because it is a Windows core service, and it logs its own start and stop times. Because the service starts early in boot and stops late in shutdown, those two timestamps are a good proxy for when the computer was started and shut down. One caveat for the security use case: an administrator can still clear the System log, and when that happens Windows writes Event ID 104 ("The System log file was cleared") to the System log (and Event ID 1102 to the Security log when that log is cleared), so check for those events before trusting a gap in the history.

The eventlog service records its own state with two event IDs. Event ID 6005 indicates that the event log service was started, and Event ID 6006 indicates that it was stopped. Let's go through the complete process of extracting this information from Event Viewer.

1. Open Event Viewer (press "Windows Key + R" and type "eventvwr.msc"). On Windows 8 and later you can also press "Windows Key + X" and then "V" to open Event Viewer from the quick-access menu.

2. In the left pane, open Windows Logs -> System.

3. In the pane on the right you will see the list of events that occurred while Windows was running. We only care about two of them. The simplest approach is to sort the log by Event ID: click the Event ID column header and the entries with the same ID are grouped together.

4. If your event log is large, sorting is slow and still leaves you scrolling through thousands of unrelated entries. A filter is the better tool: in the Actions pane on the right-hand side click "Filter Current Log".

5. Type 6005, 6006 into the Event IDs field (the one showing <All Event IDs>); a comma-separated list is accepted. You can also narrow the time period under "Logged".

Event ID 6005 is labeled "The event log service was started". This is effectively the system startup time.

Event ID 6006 is labeled "The event log service was stopped". This is effectively the system shutdown time. Add Event ID 1074 to the filter if you also want to know who initiated each shutdown or restart: that event is logged by User32 when a process (for example shutdown.exe or Windows Update) requests a shutdown, and its message names the process, the user account, the shutdown type and the reason.

If you want to dig further into the event log: Event ID 6013 reports the system uptime in seconds, Event ID 6009 records the processor and build information detected at boot, and Event ID 6008 tells you that the previous shutdown was unexpected (a crash or power loss), so the system came up without a matching 6006.
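The same query can be run from PowerShell, which is faster than clicking through the filter dialog and easy to point at a remote machine. The following script is an added example, not code from the original article: it pulls the start, stop, unexpected-shutdown, initiated-shutdown and log-cleared events from the System log, prints them as a timeline and flags any startup that was not preceded by a clean shutdown. The look-back period, the computer name parameter and the regular expressions that pull the user and process out of the 1074 message (which assume an English-language OS) are this example's own assumptions.

```powershell
# Added example (not from the original article): build a startup/shutdown
# timeline from the System log. Save as Get-BootHistory.ps1 and run it from a
# normal PowerShell prompt; the System log is readable without elevation.
param(
    [int]$Days = 30,                          # assumed default look-back window
    [string]$ComputerName = $env:COMPUTERNAME  # local machine unless told otherwise
)

$filter = @{
    LogName   = 'System'
    # 6005 start, 6006 stop, 6008 unexpected shutdown, 1074 shutdown initiated,
    # 104 System log cleared (an attacker covering tracks leaves this behind)
    Id        = 6005, 6006, 6008, 1074, 104
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction Stop |
    Sort-Object TimeCreated

$timeline = foreach ($e in $events) {
    $what = switch ($e.Id) {
        6005 { 'STARTUP     (event log service started)' }
        6006 { 'SHUTDOWN    (event log service stopped)' }
        6008 { 'UNEXPECTED  (previous shutdown was not clean)' }
        1074 {
            # User32 1074 carries the initiating process and account in its
            # message text; these patterns assume the English message format.
            $who  = if ($e.Message -match 'on behalf of user (\S+)') { $Matches[1] } else { '?' }
            $proc = if ($e.Message -match 'The process (\S+) has initiated') { $Matches[1] } else { '?' }
            "INITIATED   by $who via $proc"
        }
        104  { 'LOG CLEARED (System log wiped; history before this point is gone)' }
    }
    [pscustomobject]@{
        Time  = $e.TimeCreated
        Id    = $e.Id
        Event = $what
    }
}

$timeline | Format-Table -AutoSize

# A 6005 that does not directly follow a 6006 means the machine came up after a
# crash, a power loss or a cleared log. Windows normally logs 6008 right after
# such a 6005, but flag the gap anyway in case it did not.
$prev = $null
foreach ($row in $timeline) {
    if ($row.Id -eq 6005 -and $prev -and $prev.Id -ne 6006) {
        Write-Warning ("Startup at {0} was not preceded by a clean shutdown (previous event: {1} at {2})" -f `
            $row.Time, $prev.Id, $prev.Time)
    }
    $prev = $row
}
```

Run it as `.\Get-BootHistory.ps1 -Days 7` for the last week, or add `-ComputerName` to query another machine over RPC (that does require an account with read access to its event log). Treat any 104 in the output as the most interesting line: it means someone with administrative rights chose to erase the history this article relies on.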
