While troubleshooting an issue that causes an unexpected reboot or shutdown of a Windows machine, it is important to know which event IDs are related to system reboot/shutdown and how to find the appropriate logs.
In this note i am publishing all the event IDs related to reboots/shutdowns.
I am also showing how to display the shutdown events with date and time, using a Windows Event Viewer or from the command-line using a PowerShell.
Cool Tip: How to boot Windows in Safe Mode! Read more →
Shutdown Event IDs
The list of the Windows event IDs, related to the system shutdown/reboot:
| Event ID | Description |
|---|---|
| 41 | The system has rebooted without cleanly shutting down first. |
| 1074 | The system has been shutdown properly by a user or process. |
| 1076 | Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause. |
| 6005 | The Event Log service was started. Indicates the system startup. |
| 6006 | The Event Log service was stopped. Indicates the proper system shutdown. |
| 6008 | The previous system shutdown was unexpected. |
| 6009 | The operating system version detected at the system startup. |
| 6013 | The system uptime in seconds. |
Display Shutdown Logs in Event Viewer
The shutdown events with date and time can be shown using the Windows Event Viewer.
Start the Event Viewer and search for events related to the system shutdowns:
- Press the ⊞ Win keybutton, search for the
eventvwrand start theEvent Viewer - Expand
Windows Logson the left panel and go toSystem - Right-click on
Systemand selectFilter Current Log... - Type the following IDs in the
<All Event IDs>field and clickOK:41,1074,1076,6005,6006,6008,6009,6013
Cool Tip: Get history of previously executed commands in PowerShell! Read more →
Find Shutdown Logs using PowerShell
Get-EventLog command.
For example, to filter the 10000 most recent entries in the System Event Log and display only events related to the Windows shutdowns, run:
PS C:\> Get-EventLog System -Newest 10000 | `
Where EventId -in 41,1074,1076,6005,6006,6008,6009,6013 | `
Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -wrap
Cool Tip: Start/Stop a service in Windows from the CMD & PowerShell! Read more →
Hey, I appreciate this post. Could you approve my comment or update your post to include all the event IDs comma delineated so we can copy/paste in event view filtering?