Event log restart windows

Event Logging (Windows Installer)

Windows Events provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event-logging service stores events from various sources in a single collection called an event log. Prior to Windows Vista, you would use either Event Tracing for Windows (ETW) or Event Logging to log events. Windows Vista introduced a new eventing model that unifies both ETW and the Windows Event Log API.

The installer also writes entries into the event log. These record events such as the following:

  • Success or failure of the installation; removal or repair of a product.
  • Errors that occur during product configuration.
  • Detection of corrupted configuration data.

If a large amount of information is written, the Event Log file can become full and the installer displays the message "The Application log file is full."

The installer may write the following entries in the event log. All event log messages have a unique event ID. All general errors authored in the Error table that are returned for an installation that fails are logged in the Application Event Log with a message ID equal to the Error + 10,000. For example, the error number in the Error table for an installation completed successfully is 1707. The successful installation is logged in the Application Event Log with a message ID of 11707 (1707 + 10,000).

For information about how to enable verbose logging on a user’s computer when troubleshooting deployment, see Windows Installer Best Practices.

Windows: Shutdown/Reboot Event IDs – Get Logs

While troubleshooting an issue that causes an unexpected reboot or shutdown of a Windows machine, it is important to know which event IDs are related to system reboot/shutdown and how to find the appropriate logs.

In this note I am publishing all the event IDs related to reboots/shutdowns.

I am also showing how to display the shutdown events with date and time, using the Windows Event Viewer or from the command line using PowerShell.


Shutdown Event IDs

The list of the Windows event IDs, related to the system shutdown/reboot:

Event ID Description
41 The system has rebooted without cleanly shutting down first.
1074 The system has been shut down properly by a user or process.
1076 Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause.
6005 The Event Log service was started. Indicates the system startup.
6006 The Event Log service was stopped. Indicates the proper system shutdown.
6008 The previous system shutdown was unexpected.
6009 The operating system version detected at the system startup.
6013 The system uptime in seconds.

Display Shutdown Logs in Event Viewer

The shutdown events with date and time can be shown using the Windows Event Viewer.

Start the Event Viewer and search for events related to the system shutdowns:

  1. Press the Win key, search for eventvwr and start the Event Viewer
  2. Expand Windows Logs on the left panel and go to System
  3. Right-click on System and select Filter Current Log.
  4. Type the following IDs in the field and click OK:


Find Shutdown Logs using PowerShell

For example, to filter the 10000 most recent entries in the System Event Log and display only events related to the Windows shutdowns, run:
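One way to run such a query, as an added example rather than the original post's command: it uses Get-WinEvent to pull the event IDs from the table above out of the System log and flags the unexpected ones (41 and 6008). The function name, the column names and the property positions read from event 1074 are assumptions of this example.

```powershell
# Added example. Event IDs and meanings are taken from the table above.
$EventMeaning = @{
    41   = 'Rebooted without cleanly shutting down'
    1074 = 'Shut down properly by a user or process'
    1076 = 'Reason given for an unexpected shutdown'
    6005 = 'Event Log service started (system startup)'
    6006 = 'Event Log service stopped (proper shutdown)'
    6008 = 'Previous system shutdown was unexpected'
    6009 = 'OS version detected at startup'
    6013 = 'System uptime in seconds'
}

function Get-ShutdownHistory {
    param([int]$MaxEvents = 10000)

    # -MaxEvents caps the number of *matching* events returned, newest first.
    $filter = @{ LogName = 'System'; Id = [int[]]@($EventMeaning.Keys) }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents |
        ForEach-Object {
            $row = [ordered]@{
                Time       = $_.TimeCreated
                Id         = $_.Id
                Provider   = $_.ProviderName
                Meaning    = $EventMeaning[$_.Id]
                Unexpected = ($_.Id -in 41, 6008)
                Process    = $null
                User       = $null
                Reason     = $null
            }
            # Assumption: in event 1074 the process, reason and user are
            # properties 0, 2 and 6. Check one event on your build first.
            if ($_.Id -eq 1074 -and $_.Properties.Count -ge 7) {
                $row.Process = $_.Properties[0].Value
                $row.Reason  = $_.Properties[2].Value
                $row.User    = $_.Properties[6].Value
            }
            [pscustomobject]$row
        }
}

$history = Get-ShutdownHistory
# Full timeline, oldest first.
$history | Sort-Object Time |
    Format-Table Time, Id, Meaning, User, Process -AutoSize -Wrap
# Only the restarts that were not clean.
$history | Where-Object Unexpected | Select-Object Time, Id, Provider, Meaning
```

The Provider column shows which source wrote each event, which helps when an ID in the System log turns out to come from a component other than the one expected.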


Windows Event Log Service not starting or is unavailable

Windows Event Log service maintains a set of event logs that the system, system components, and applications use to record events. The service exposes functions that allow programs to maintain and manage the event logs and perform operations on the logs, such as archiving and clearing. As such, administrators can maintain event logs and perform administrative tasks requiring administrator privileges.

Windows Event Log Service Not Starting or Running

If you find you are having difficulty starting any of the following, one possible reason is that the Windows Event Log service is not running.

  • Task Scheduler
  • Windows Event Calendar
  • Messenger Sharing Folders

In such a scenario, you may get error messages like:

Event Log service is unavailable. Verify that the service is running

Windows could not start the Windows Event Log service on Local Computer

First, reboot your system and see if it helps. Sometimes a simple restart helps reinitialize this service. If the Windows Event Log shows as being started, re-start it from Services Manager.

To check whether the Windows Event Log service is started or stopped, run services.msc and hit Enter to open the Services Manager. There, right-click on the Windows Event Log service and check its Properties.

Ensure that the Startup type is set to Automatic, that the service is Started, and that it runs under the Local Service account.

Also ensure that, in the Recovery tab, all three drop-down boxes show the option ‘Restart the Service’ in case of failure. Reboot if required.


At times the Windows Event Log Service still will not start, and you may instead get the following error message:

System cannot find the file specified

In this case, open the following folder:

This logs folder contains Event Logs in .evtx format and can only be read with the Event Viewer. Give this logs folder Read-Write access rights and see if it helps.

You might also want to do the following.

Open Registry Editor and navigate to the following key:

Double-click ObjectName and ensure that its value is set at NT AUTHORITY\LocalService. If it is not, then change it.

If it still does not help, run the System File Checker and go through its logs.

Windows Server restart / shutdown history

How can I easily see a history of every time my Windows Server has restarted or shutdown and the reason why, including user-initiated, system-initiated, and system crashed?

The Windows Event Log is an obvious answer but what is the complete list of events that I should view?

I found these posts that partially answer my question:

  • Windows server last reboot time includes several answers that partially address the full restart history
  • View Shutdown Event Tracker logs under Windows Server 2008 R2 includes an additional event id
  • Event Log time when Computer Start up / boot up includes some of the same event ids

but those don’t cover every scenario AFAIK and the info is hard to understand because it is spread across multiple answers.

I have several versions of Windows Server so a solution that works for at least versions 2008, 2008 R2, 2012, and 2012 R2 would be ideal.

6 Answers

The clearest most succinct answer I could find is:

which lists these event ids to monitor (quoted but edited and reformatted from article):

  • Event ID 6005 (alternate): “The event log service was started.” This is synonymous to system startup.
  • Event ID 6006 (alternate): “The event log service was stopped.” This is synonymous to system shutdown.
  • Event ID 6008 (alternate): “The previous system shutdown was unexpected.” Records that the system started after it was not shut down properly.
  • Event ID 6009 (alternate): Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
  • Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id.

Add to that a couple more from the Server Fault answers listed in my OP:

  • Event ID 1074 (alternate): “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” Indicates that an application or a user initiated a restart or shutdown.
  • Event ID 1076 (alternate): “The reason supplied by user X for the last unexpected shutdown of this computer is: Y.” Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

How to Use PowerShell to See When Your PC Last Rebooted

There’s nothing like coming back to your Windows PC to find that everything’s been refreshed. None of your apps are open. Your web browser tabs are gone, as is your browser itself. That document you were working on? Hopefully you autosaved, because it looks like your system reset for whatever reason.

While I can’t necessarily tell you the reason Windows restarted, it’s easy to see exactly when the reset occurred, and that might help you pinpoint the problem based on your own knowledge of what you’ve been doing. (Or, at the very least, you’ll have a good idea whether something like a scheduled Windows Update is to blame, versus a random, middle-of-the-night crash.)

To get started, fire up PowerShell and type in this command:

Get-EventLog -LogName System | ? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize -wrap

(If that doesn’t work, because Kinja can be fussy with characters, simply copy and paste it from this Quora answer.)

Wait a bit while PowerShell chugs, and you’ll eventually get a screen that looks like this:

It shouldn’t take a ton of sleuthing to figure out when your system shut down and started up. In the above example, you’ll see EventID 6006 and 1074 occurring at roughly the same time two days ago (March 22) at around 4:00 p.m. I shut down my computer then (hence the event log service stopping and the obvious “shutdown message” from EventID 1074). And I turned my computer back on at 5:20 that day, which is when Windows reported its product name at boot (EventID 6009) and the Event log service started up (EventID 6005).

While you’re staring at the log, you can also look for “unplanned” or “unexpected” shutdowns, which might give you another clue that your system crashed, had a power outage, or had some other, inexplicable reason for turning off.

You can also try searching for these events directly within Windows 10’s Event Viewer. Simply open the Windows Logs folder and click on System, then start scrolling (or filtering) for the aforementioned EventIDs. While you’re at it, throw EventID “41” into the mix, which will let you know if your system rebooted without cleanly shutting down—one indicator that it potentially crashed, suffered a power loss, or just had a shutdown issue.

Updated 3/24/21: We originally published a version of this story in 2010; David Murphy updated it in 2021 (!) with a new, faster way to use PowerShell, instead of Event Viewer, to find out when your system last rebooted. We also added new images.
