Check Reboot Shutdown logs in Windows server, keeping track of system shutdowns and reboots is crucial for monitoring server health and troubleshooting potential issues. The Event Viewer is a powerful tool that allows administrators to review detailed logs of system events, including when and why a server was shut down or restarted. By filtering the logs for specific event IDs, you can easily identify whether the shutdown or reboot was planned, user-initiated, or caused by an unexpected error. This guide walks you through the steps to check Reboot Shutdown logs in Windows using Event Viewer, providing insights into server activity and helping ensure optimal performance.
Table of Contents
Step 1: Open Event Viewer
- Access the Run Dialog:
- Press the
Windows + Rkeys on your keyboard to open the Run dialog box.
- Press the
- Launch Event Viewer:
- Type
eventvwr.mscinto the Run dialog box and pressEnter. This will open the Event Viewer application to check Reboot Shutdown logs in Windows
- Type
Step 2: Navigate to System Logs
- Expand Windows Logs:
- In the left-hand navigation pane of Event Viewer, locate and expand the Windows Logs section by clicking the small triangle next to it.
- Select the System Log:
- Under Windows Logs, click on System. This will display all system events in the middle pane to check Reboot Shutdown logs in Windows.
Step 3: Filter Relevant Events
To focus only on check Reboot Shutdown logs in Windows events, filter the logs for specific Event IDs.
- Open the Filter Current Log Window:
- On the right-hand side of the Event Viewer window, find the Actions pane and click Filter Current Log….
- Enter Event IDs:
- In the Filter Current Log dialog box to check Reboot Shutdown logs in Windows
- Locate the Event IDs field and enter the following IDs to check Reboot Shutdown logs in Windows, separated by commas:
1074: Clean shutdown or restart initiated by a user or application.6006: Logs when the Event Log service was stopped (indicates a clean shutdown).- 41: This indicates that the Windows computer unexpectedly restarted without shutting down, and the related details can provide information about the potential causes of the issue.
6008: Logs unexpected shutdowns (e.g., power failures or crashes).6005: Logs when the Event Log service started (indicates a system reboot).- 1076: “The reason supplied by user X for the last unexpected shutdown of this computer is: Y.” Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.
- Select Event Sources (Optional):
- If desired, you can filter further by specifying User32 as the Event Source. This narrows down the logs to those related to user-initiated actions.
- Apply the Filter:
- Click OK to apply the filter and return to the Event Viewer window. The middle pane will now display only the filtered events.
Step 4: check Reboot Shutdown logs in Windows
- View Event Details:
- Browse through the filtered events in the middle pane. Each log entry provides:
- Date and Time: When the event occurred.
- Source: The process or application responsible for the event.
- Event ID: The unique identifier for the type of event.
- User: The user account that initiated the action (if applicable).
- Description: Detailed information about the event, such as the reason for shutdown or reboot.
- Browse through the filtered events in the middle pane. Each log entry provides:
- Open an Event:
- Double-click on any event entry to open the Event Properties window. This displays a detailed description of the selected event, including:
- Reason Code: Explains why the action occurred.
- Message: Provides context for the event, such as whether it was planned or unexpected.
- Double-click on any event entry to open the Event Properties window. This displays a detailed description of the selected event, including:
Step 5: Understand Event IDs
Here’s a quick explanation of the most relevant Event IDs you may encounter:
- 1074: Logs planned shutdowns or restarts initiated by a user or application, often with a reason provided.
- 6006: Indicates a clean shutdown, logging that the Event Log service was stopped.
- 6005: Signifies a system restart, logging that the Event Log service started.
- 6008: Captures unexpected shutdowns, such as power failures or crashes.
Step 6: Clear or Export Logs (Optional)
- Clear Logs:
- If you want to clear old logs, right-click on System in the left pane and select Clear Log…. Be sure to save the logs first if needed.
- Export Logs for Analysis:
- To save the logs for offline analysis:
- Right-click on System in the left-hand pane and choose Save All Events As….
- Select a destination folder and save the file in
.evtxformat for compatibility with Event Viewer.
- To save the logs for offline analysis:
Step 7: Close Event Viewer
- Once you’ve reviewed or exported the logs, close Event Viewer by clicking the X in the top-right corner.
Key Notes:
- Regularly monitoring these logs helps in troubleshooting server issues and maintaining uptime.
- The descriptions provided in each event entry can help pinpoint whether a shutdown or reboot was planned, user-initiated, or caused by an unexpected issue like a crash.
By following these steps, you can effectively identify and analyze reboot and shutdown logs on your Windows Server using Event Viewer.