- Windows: Shutdown/Reboot Event IDs – Get Logs
- Shutdown Event IDs
- Display Shutdown Logs in Event Viewer
- Find Shutdown Logs using PowerShell
- The Core Technologies Blog
- How to use the Event Viewer to troubleshoot problems with a Windows Service
- Viewing Events from Windows Services
- Important Components of an Event
- Viewing Events about Windows Services
- Viewing Events from AlwaysUp and Service Protector
- Windows Event Log Service not starting or is unavailable
- Windows Event Log Service Not Starting or Running
- Event Log service is unavailable. Verify that the service is running
- Windows could not start the Windows Event Log service on Local Computer
- System cannot find the file specified
- How to disable Windows 10 system log
- Is it possible to log who started or stopped a windows service?
Windows: Shutdown/Reboot Event IDs – Get Logs
While troubleshooting an issue that causes an unexpected reboot or shutdown of a Windows machine, it is important to know which event IDs are related to system reboot/shutdown and how to find the appropriate logs.
In this note I am publishing all the event IDs related to reboots/shutdowns.
I am also showing how to display the shutdown events with date and time, using the Windows Event Viewer or from the command line using PowerShell.
Shutdown Event IDs
The list of the Windows event IDs, related to the system shutdown/reboot:
Event ID | Description |
---|---|
41 | The system has rebooted without cleanly shutting down first. |
1074 | The system has been shut down properly by a user or process. |
1076 | Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause. |
6005 | The Event Log service was started. Indicates the system startup. |
6006 | The Event Log service was stopped. Indicates the proper system shutdown. |
6008 | The previous system shutdown was unexpected. |
6009 | The operating system version detected at the system startup. |
6013 | The system uptime in seconds. |
Display Shutdown Logs in Event Viewer
The shutdown events with date and time can be shown using the Windows Event Viewer.
Start the Event Viewer and search for events related to the system shutdowns:
- Press the Win key, search for eventvwr and start the Event Viewer
- Expand Windows Logs on the left panel and go to System
- Right-click on System and select Filter Current Log.
- Type the following IDs in the field and click OK :
Find Shutdown Logs using PowerShell
For example, to filter the 10000 most recent entries in the System Event Log and display only events related to the Windows shutdowns, run:
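The command itself is not preserved on this page. The following is an added example, not the author's original command: it reads the newest System log entries with `Get-WinEvent`, keeps the IDs from the table above, and for event 1074 also shows the initiating process and user. The function name and the position of those two fields in the 1074 record are assumptions.

```powershell
# Added example. Meanings are taken from the event ID table on this page.
$ShutdownEvents = @{
    41   = 'Rebooted without a clean shutdown'
    1074 = 'Shut down properly by a user or process'
    1076 = 'Cause specified after an unexpected shutdown'
    6005 = 'Event Log service started (system startup)'
    6006 = 'Event Log service stopped (proper shutdown)'
    6008 = 'Previous shutdown was unexpected'
    6009 = 'OS version detected at startup'
    6013 = 'System uptime in seconds'
}

function Get-ShutdownTimeline {
    param([int]$Newest = 10000)

    # Read the newest entries of the System log, then keep only shutdown IDs.
    Get-WinEvent -LogName System -MaxEvents $Newest |
        Where-Object { $ShutdownEvents.ContainsKey([int]$_.Id) } |
        Sort-Object TimeCreated |
        ForEach-Object {
            $user = $null
            $process = $null
            # Assumption: in event 1074 the first insertion string is the
            # initiating process and the seventh is the user account.
            if ($_.Id -eq 1074 -and $_.Properties.Count -ge 7) {
                $process = $_.Properties[0].Value
                $user    = $_.Properties[6].Value
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $ShutdownEvents[[int]$_.Id]
                User    = $user
                Process = $process
            }
        }
}

# Oldest first, so a 6008 or 41 can be read against the 6006/1074 before it.
Get-ShutdownTimeline | Format-Table -AutoSize -Wrap
```

A 6005 startup with no 6006 or 1074 before it, followed by 6008 or 41, is the pattern that marks an unclean shutdown.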
The Core Technologies Blog
How to use the Event Viewer to troubleshoot problems with a Windows Service
A Windows service, designed to run “headless” and unattended in the background, cannot easily use conventional popup windows to report its activities, as a user may not even be logged on. Instead, a service is encouraged to send important communication to the Windows Event Log – an administrative utility that collects and stores messages and events. Once recorded, these messages can be very helpful in troubleshooting problems, for example when a service stops unexpectedly or when it fails to start at all.
Viewing Events from Windows Services
Use Microsoft’s Event Viewer to see messages written to the Event Log. Start the application by clicking on the Start button and typing in Event Viewer, or from the Control Panel (search for it by name). The somewhat cluttered window should come up after a few seconds:
The left hand side shows a tree grouping the various logs captured on your machine. The events from Windows Services (and other applications running on your PC) are filed under . Navigate to that section to load the events in the center of the window, with the entire list in the top and details of the highlighted event underneath:
Messages from your Windows service will have the display name of the service in the Source column.
Important Components of an Event
The Event Viewer shows over 10 pieces of information associated with each event, including:
- Level – How important is this event? Each event is classified into one of three categories:
  - Information: An informative yet unimportant event. You will probably see a lot of these, and they can be safely ignored unless you are digging into a specific issue from an application or service.
  - Warning: A moderately important event. These don’t necessarily signify a failure, and your software will probably limp along, but they should be reviewed regularly to see if anything mentioned can be resolved.
  - Error: Indicates a critical problem or failure that may deserve your immediate attention!
- Date and Time – When did this event occur?
- Source – Which application reported this event? As mentioned before, an event written by a Windows Service will contain the service’s display name as the Source.
- Description – What happened? The full description shown prominently in the lower pane will (hopefully) provide the relevant details of the event.
For example, this information event is from the Interactive Services detection service (“UI0Detect”) reporting that Notepad is showing itself in Session 0:
Viewing Events about Windows Services
While the Application log keeps track of events from a running service, the area records when services are started, stopped, crash or fail to start. Look for events with the Source set to Service Control Manager (SCM). For example, here is the SCM telling us that the Windows Print Spooler service has crashed:
Viewing Events from AlwaysUp and Service Protector
Both AlwaysUp and Service Protector write messages to the Application section of the event logs ().
For AlwaysUp, events from your application named “My Application” will be logged with Source set to My Application (managed by AlwaysUpService). The Event Log Messages Page lists and explains the events reported.
For Service Protector, events related to your service named “MyService” will have a Source of ServiceProtector: MyService.
And for both applications, events related to the starting and stopping of the underlying services themselves appear in the section. Look there if you have a problem with AlwaysUp itself failing to start at boot.
Windows Event Log Service not starting or is unavailable
Windows Event Log service maintains a set of event logs that the system, system components, and applications use to record events. The service exposes functions that allow programs to maintain and manage the event logs and perform operations on the logs, such as archiving and clearing. As such, administrators can maintain event logs and perform administrative tasks requiring administrator privileges.
Windows Event Log Service Not Starting or Running
If you find you are having difficulty starting any of the following, one possible reason is that the Windows Event Log service is not running.
- Task Scheduler
- Windows Event Calendar
- Messenger Sharing Folders
In such a scenario, you may get error messages like:
Event Log service is unavailable. Verify that the service is running
Windows could not start the Windows Event Log service on Local Computer
First, reboot your system and see if it helps. Sometimes a simple restart helps reinitialize this service. If the Windows Event Log shows as being started, re-start it from Services Manager.
To check whether the Windows Event Log service is started or stopped, run services.msc and hit Enter to open the Services Manager. There, right-click on the Windows Event Log service and check its Properties.
Ensure that the Startup type is set to Automatic, that the service is Started, and that it runs in the Local Service account.
Also ensure that, in the Recovery tab, all three drop-down boxes show the option ‘Restart the Service’ in case of failure. Reboot if required.
At times the Windows Event Log Service still will not start, and you may instead get the following error message:
System cannot find the file specified
In this case, open the following folder:
This logs folder contains Event Logs in .evtx format and can only be read with the Event Viewer. Give this logs folder Read-Write access rights and see if it helps.
You might also want to do the following.
Open Registry Editor and navigate to the following key:
Double-click ObjectName and ensure that its value is set at NT AUTHORITY\LocalService. If it is not, then change it.
If it still does not help, run the System File Checker and go through its logs.
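The Services Manager checks described above can also be run from PowerShell. This is an added example, not code from the original article: the function name is hypothetical, and the recovery check assumes the English output of `sc.exe qfailure`, which prints one `RESTART --` line per configured failure action.

```powershell
# Added example: verify the Windows Event Log service against the settings
# the article asks for (Automatic, started, Local Service, restart on failure).
function Test-EventLogService {
    $findings = New-Object System.Collections.Generic.List[string]

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'"
    if (-not $svc) {
        $findings.Add('EventLog service is not registered')
        return $findings
    }

    if ($svc.StartMode -ne 'Auto') {
        $findings.Add("Startup type is '$($svc.StartMode)', expected Automatic")
    }
    if ($svc.State -ne 'Running') {
        $findings.Add("Service state is '$($svc.State)', expected Running")
    }
    if ($svc.StartName -ne 'NT AUTHORITY\LocalService') {
        $findings.Add("Service account is '$($svc.StartName)', expected NT AUTHORITY\LocalService")
    }

    # Recovery tab: first, second and subsequent failures should all restart.
    # Assumption: English sc.exe output, one "RESTART --" line per action.
    $restartActions = @(sc.exe qfailure EventLog |
        Select-String -SimpleMatch 'RESTART --').Count
    if ($restartActions -lt 3) {
        $findings.Add("Only $restartActions of 3 recovery actions are 'Restart the Service'")
    }

    $findings
}

$result = @(Test-EventLogService)
if ($result.Count -eq 0) { 'Event Log service configuration matches the article.' }
else { $result }
```

An Event Log service that is stopped, disabled or running under a different account is also worth treating as a possible sign of tampering, since nothing is recorded while it is down.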
How to disable Windows 10 system log
In Windows 10 Resource Monitor I found that the system process is constantly writing C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl at like 30-100KB/s. This equals 1TB write/year which is not healthy for SSD. There are other log writes, like C:\Windows\System32\LogFiles***, too.
Although logs are needed for diagnostics, it’s better for them to be turned on only when a problem has already occurred.
Is it possible to disable as many system logs as possible to decrease the amount of garbage written to the SSD?
By default, Windows has a huge number of log files, constantly writing data.
Two ways to stop some of this churning:
- Open the CMD prompt as Administrator: Press Windows, type cmd, press Ctrl + Shift + Enter and confirm.
- Type (or copy/paste) the following and press Enter: auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
If this succeeds, expect fewer events to be logged.
Disable individual logs
- Open the Windows Event Viewer: press Windows + R, type eventvwr.msc and press Enter.
- Scroll down to Application and Service Logs, Microsoft, Windows, WFP.
- Right-click on a log process and select Disable Log.
A useful tool to search the Event Logs by name is Nirsoft’s Full Event Log View.
Going hardcore:
If you want to disable specific event logging, go to Event Viewer and right-click on an event log you want to get rid of. Click Event Properties.
A new window should open — click XML view, where you’ll be able to see the event’s GUID. We’ll try to find the event logging service in the registry based on this GUID. Not all events have this GUID, and we won’t be able to find every GUID in the registry.
After we have our GUID, we navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System in regedit, and we search for our GUID inside curved brackets.
If we find it, we can then proceed to change the Enabled and EnabledProperty keys:
I think I figured out how to get NetCore.etl to be written to hard drive instead of ssd. I ran Performance Monitor (a Windows app), drilled down to Data Collector Sets | Event Trace Sessions, right-clicked NetCore, clicked Properties in the menu that popped up, clicked the Directory tab, and browsed to the desired folder. Time will tell if the change is permanent, but at the moment the log is being written to my hard drive E:, according to Resource Monitor.
If one wished to stop the writing of NetCore.etl entirely, clicking Stop instead of Properties would presumably stop it. But I’m less confident that that change would be permanent. Some app might restart it, perhaps the next time Windows is restarted. If anyone tries this, I hope s/he will post the result in this thread.
Several other log files could be redirected (or stopped) in a similar manner.
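Once logging has been reduced in the ways the answers above describe, it is useful to keep a record of what is actually switched off, both for re-enabling it later and for telling deliberate changes apart from tampering. The following is an added example, not part of any answer; the function name is hypothetical, and it only reads settings. It covers the three places the answers touch: the audit subcategory, the WFP event channels, and the providers under the Autologger key quoted above.

```powershell
# Added example: read-only inventory of the logging settings discussed above.
# Run from an elevated prompt; auditpol needs administrator rights.
function Get-DisabledLoggingReport {
    # 1. Current audit setting for the subcategory named in the first answer.
    $audit = auditpol /get /subcategory:"Filtering Platform Connection"

    # 2. WFP event channels that are currently disabled in Event Viewer.
    $channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.LogName -like '*WFP*' -and -not $_.IsEnabled } |
        Select-Object -ExpandProperty LogName

    # 3. Providers under the EventLog-System autologger whose Enabled value is 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System'
    $providers = Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
        ForEach-Object {
            $values = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                ProviderGuid    = $_.PSChildName
                Enabled         = $values.Enabled
                EnabledProperty = $values.EnabledProperty
            }
        } |
        Where-Object { $_.Enabled -eq 0 }

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        Collected                  = Get-Date
        AuditPolicy                = $audit
        DisabledWfpChannels        = @($channels)
        DisabledAutologgerProvider = @($providers)
    }
}

$report = Get-DisabledLoggingReport
$report.AuditPolicy
$report.DisabledWfpChannels
$report.DisabledAutologgerProvider | Format-Table -AutoSize
```

Saving the output before and after a change gives a baseline to compare against when a log later turns out to be empty.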
Is it possible to log who started or stopped a windows service?
I have some windows services written in C#. When somebody stops or starts the service, I would like to be able to determine who it was and log that information.
I tried logging Environment.UserName but that evaluates to SYSTEM even on my local machine.
Also, for the time being these services are running on Windows 2000 server.
Within the Event Viewer (Control Panel | Administrative Tools | Event Viewer) on the System tab the Service Control Manager logs who started and stopped each event. I’ve just tested this myself and viewed the results. This leads me to two things:
- You may be able to query or hook those events from the Service Control Manager as they happen, or
- You can definitely just query the Event Viewer’s "System" log to look for those events for your Service.
Hope that leads you to your solution.
- You can filter the System EventLog by Service Control Manager
Event ID 7040 — covers Service start type change (eg disabled, manual, automatic)
Event ID 7036 — covers Service start/stop
For others that have PowerShell, you can use this:
You can enable auditing according to this article
Additionally, it may be a good idea to alert email to yourself in OnStop() method.
There probably isn’t a way. Any of the normal .NET ways that you get at the environment’s user are going to return the user whose credentials the service runs with (which will typically be SYSTEM, LOCAL SERVICE, NETWORK SERVICE, etc).
How I’d probably do it is poll the system to see if a user is logged in, and assume that user did it. Of course, this discounts services that are shut down by the system for some reason (presumably your service would not be), and can only help you narrow it down if more than one user is logged in at one time (but then, you could always log both of them).
- Just open Event Viewer (Start menu -> Search "Event", Event Viewer will come, open it)
- Expand ‘Windows Log’ on Event viewer left menu.
- Click on Application. (It will show your application error with description in ‘general’ tab.)
- Again try to start your service and from event viewer see what is exact cause for stopping briefly in ‘general’ tab.
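The PowerShell command referred to in one of the answers is not preserved on this page. The following is an added example, not taken from any answer: it queries the Service Control Manager events named above (7036 and 7040) for one service. The function name is hypothetical, `Get-WinEvent` requires Windows Vista/Server 2008 or later, and the User column is filled only when the event record itself carries a user SID.

```powershell
# Added example: start/stop (7036) and start-type change (7040) history
# for one service, read from the System log.
function Get-ServiceStateHistory {
    param(
        [Parameter(Mandatory)][string]$DisplayName,  # as shown in services.msc
        [int]$MaxEvents = 500
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7040
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$DisplayName*" } |
        ForEach-Object {
            $evt  = $_          # keep a reference; $_ changes inside catch
            $user = $null
            if ($evt.UserId) {
                # Resolve the SID to DOMAIN\name; fall back to the raw SID.
                try   { $user = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $user = $evt.UserId.Value }
            }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Id      = $evt.Id
                User    = $user
                Message = $evt.Message
            }
        } |
        Sort-Object Time
}

# 'Print Spooler' is only a sample display name.
Get-ServiceStateHistory -DisplayName 'Print Spooler' | Format-Table -AutoSize -Wrap
```

Where the User column is empty, correlating the event time with logon events in the Security log is the usual way to narrow down who was on the machine.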