Turn off windows log

How to See PC Startup And Shutdown History in Windows 10

There are times when a user wants to know the startup and shutdown history of a computer. Mostly, system administrators need to know about the history for troubleshooting purposes. If multiple people use the computer, it may be a good security measure to check PC startup and shutdown times to make sure the PC is being used legitimately. In this article we will discuss two ways to keep track of your PC shutdown and startup times.

Using event logs to extract startup and shutdown times

Windows Event Viewer is a useful tool that records all kinds of events happening on the computer. Each event is logged as an entry. Logging is handled by the eventlog service, which cannot be stopped or disabled manually, as it is a Windows core service. The event log also records the start and stop times of the eventlog service itself. We can use those times to get an idea of when our computer was started or shut down.

The eventlog service events are logged with two event codes. Event ID 6005 indicates that the eventlog service was started, and event ID 6006 indicates that the eventlog service was stopped. Let’s go through the complete process of extracting this information from the event viewer.

1. Open Event Viewer (press Win + R and type eventvwr).

2. In the left pane, open Windows Logs -> System.

3. In the middle pane you will get a list of events that occurred while Windows was running. Our concern is to see only three events. Let’s first sort the event log by Event ID. Click on the Event ID label to sort the data by the Event ID column.

4. If your event log is huge, then the sorting will not work. You can also create a filter from the actions pane on the right side. Just click on “Filter current log.”

5. Type 6005, 6006 in the Event IDs field labeled as . You can also specify the time period under Logged.

  • Event ID 6005 will be labeled as “The event log service was started.” This is synonymous with system startup.
  • Event ID 6006 will be labeled as “The event log service was stopped.” This is synonymous with system shutdown.

If you want to investigate the event log further, you can look at Event ID 6013, which displays the uptime of the computer, and Event ID 6009, which indicates the processor information detected during boot time. Event ID 6008 will let you know that the system started after it was not shut down properly.

Using TurnedOnTimesView

TurnedOnTimesView is a simple, portable tool for analyzing the event log for startup and shutdown times. The utility can be used to view the list of shutdown and startup times of local computers or any remote computer connected to the network. Since it is a portable tool, you will only need to unzip and execute the TurnedOnTimesView.exe file. It will immediately list the startup time, shutdown time, duration of uptime between each startup and shutdown, shutdown reason and shutdown code.


Shutdown reason is usually associated with Windows Server machines where we have to give a reason if we are shutting down the server.

To view the startup and shutdown times of a remote computer, go to “Options -> Advanced Options” and select “Data source as Remote Computer.” Specify the IP address or name of the computer in the Computer Name field and press the OK button. Now the list will show the details of the remote computer.

While you can always use the event viewer for detailed analysis of startup and shutdown times, TurnedOnTimesView serves the purpose with a very simple interface and to-the-point data. For what purpose do you monitor the startup and shutdown times of your computer? Which method do you prefer for monitoring?

Content Manager at Make Tech Easier. Enjoys Android, Windows, and tinkering with retro console emulation to breaking point.

Disable the Log Off and Turn Off Buttons in Windows

Posted October 13, 2004 by David Kirk in Windows security

Last Updated on June 3, 2012

Some users, regardless of what you tell them, insist on logging off or shutting down public computers in common areas. If you would like to stop this from occurring, you can disable the Log Off and Turn Off Computer buttons on the Start menu.

Obviously, this requires editing the registry. You should know how to back up and restore your registry before proceeding.

Follow these steps to disable the Log Off and Turn Off buttons:

To do either, you will first need to navigate to the appropriate area of the registry.
Open the Registry Editor (Regedit.exe). You may need to put in your password if UAC is active.
Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.

Disable the Log Off button

Right-click the Explorer key, and select New | DWORD value.
Name the value StartMenuLogoff, and press Enter twice to access the Edit DWORD Value dialog box.
Type 1 in the Value Data text box, and click OK.

Disable the Power Off button

Right-click the Explorer key, and select New | DWORD value.
Name the value NoClose, and press Enter twice to access the Edit DWORD Value dialog box.
Type 1 in the Value Data text box, and click OK.
Close the Registry Editor.

At this point, both the Log Off and Turn Off Computer buttons are still on the Start menu. Click the Log Off button and then log back on.

When you need to shut down the computer, launch the Registry Editor, and change the values to 0, or pull the plug if it has to be done in a hurry. Likewise, executing “shutdown” from a command prompt will also turn off your system.
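The same procedure as a script, added here as an example and not part of the original article: it exports the key as a backup, creates it if missing, writes both values and reads them back. The function name and the backup file path are hypothetical.

```powershell
# Added example, not from the article. Sets or clears the two values described
# above for the current user, after exporting the key as a backup.
$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-StartMenuButtonPolicy {
    param(
        # 1 = buttons disabled, 0 = buttons restored (values from the article)
        [Parameter(Mandatory)][ValidateRange(0, 1)][int]$Value,
        # Hypothetical backup location; change as needed
        [string]$BackupFile = "$env:TEMP\Explorer-policy-backup.reg"
    )
    if (Test-Path $KeyPath) {
        # Back up the existing key before touching it
        reg export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' $BackupFile /y | Out-Null
    } else {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($name in 'StartMenuLogoff', 'NoClose') {
        New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    }
    # Read the values back so the result can be checked
    Get-ItemProperty -Path $KeyPath | Select-Object StartMenuLogoff, NoClose
}

Set-StartMenuButtonPolicy -Value 1     # disable both buttons
# Set-StartMenuButtonPolicy -Value 0   # restore them
```

HKCU refers to the account running the script, so run it in the session of the user whose Start menu should change.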

How to disable Windows 10 system log

In Windows 10 Resource Monitor I found that the system process is constantly writing C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl at like 30-100KB/s. This equals 1TB write/year which is not healthy for SSD. There are other log writes like C:\Windows\System32\LogFiles*** too.

Although logs are needed for diagnostics, it’s better for them to be turned on only when a problem has already occurred.

Is it possible to disable as many system logs as possible to decrease the amount of garbage writes to the SSD?

3 Answers

By default, Windows has a huge number of log files, constantly writing data.


Two ways to stop some of this churning:

  • Open the CMD prompt as Administrator: press Windows, type cmd, press Ctrl + Shift + Enter and confirm.
  • Type (or copy/paste) the following and press Enter: auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

If this succeeds, expect fewer events to be logged.

Disable individual logs

  • Open the Windows Event Viewer: press Windows + R, type eventvwr.msc and press Enter.
  • Scroll down to Application and Service Logs, Microsoft, Windows, WFP.
  • Right-click on a log process and select Disable Log.

A useful tool to search the Event Logs by name is Nirsoft’s Full Event Log View.

Going hardcore:

If you want to disable specific event logging, go to Event Viewer and right-click on an event log you want to get rid of. Click Event Properties.

A new window should open — click XML view, where you’ll be able to see the event’s GUID. We’ll try to find the event logging service in the registry based on this GUID. Not all events have this GUID, and we won’t be able to find every GUID in the registry.

After we have our GUID, we navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System in regedit, and we search for our GUID inside curved brackets.

If we find it, we can then proceed to change the Enabled and EnabledProperty keys:

I think I figured out how to get NetCore.etl to be written to hard drive instead of ssd. I ran Performance Monitor (a Windows app), drilled down to Data Collector Sets | Event Trace Sessions, right-clicked NetCore, clicked Properties in the menu that popped up, clicked the Directory tab, and browsed to the desired folder. Time will tell if the change is permanent, but at the moment the log is being written to my hard drive E:, according to Resource Monitor.

If one wished to stop the writing of NetCore.etl entirely, clicking Stop instead of Properties would presumably stop it. But I’m less confident that that change would be permanent. Some app might restart it, perhaps the next time Windows is restarted. If anyone tries this, I hope s/he will post the result in this thread.

Several other log files could be redirected (or stopped) in a similar manner.
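To see what state the settings discussed in these answers are in, before changing them or when checking whether logging has been switched off on a machine, a read-only report can be scripted. This is an added example, not code from any of the answers; the function name is hypothetical, and the audit subcategory, the WFP channel and the Autologger key are the ones named above.

```powershell
# Added example, not from the answers. Read-only: it reports state and changes
# nothing. Run elevated, because auditpol requires administrator rights.
function Get-LoggingState {
    # 1. Audit policy for the subcategory named in the first answer.
    $audit = auditpol /get /subcategory:"Filtering Platform Connection"

    # 2. State of the core logs and of the WFP channels (matched by wildcard,
    #    so no exact channel name is assumed).
    $names = 'Application', 'Security', 'System', 'Microsoft-Windows-WFP*'
    $channels = Get-WinEvent -ListLog $names -ErrorAction SilentlyContinue |
        Select-Object LogName, IsEnabled, LogMode, RecordCount

    # 3. Providers switched off under the Autologger key from the answers.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System'
    $providers = Get-ChildItem -Path $key | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Provider        = $_.PSChildName      # the GUID in braces
            Enabled         = $p.Enabled
            EnabledProperty = $p.EnabledProperty
        }
    } | Where-Object { $_.Enabled -eq 0 }

    # 4. Running event trace sessions, such as the NetCore one mentioned
    #    in the last answer.
    $sessions = logman query -ets

    [pscustomobject]@{
        AuditPolicy       = $audit
        Channels          = $channels
        DisabledProviders = $providers
        TraceSessions     = $sessions
    }
}

$state = Get-LoggingState
$state.AuditPolicy
$state.Channels | Format-Table -AutoSize
$state.DisabledProviders | Format-Table -AutoSize
$state.TraceSessions
```

Saving the output before and after a change gives a record of exactly which logging was turned off and makes it straightforward to turn it back on.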

How to Find the Shutdown Log in Windows 10

If you are curious to know why your computer shut down and what happened exactly during the shut down, you will be happy to know that Windows is able to track the shut down process and write a number of events in the system log. In this article, we will see how to find them.

In Windows 10, there are three events connected with shut down and restart.

Event ID 1074 — Indicates that the shut down process was initiated by an app. For example, it can be Windows Update.

Event ID 6006 — The clean shut down event. This means Windows 10 was turned off correctly.

Event ID 6008 — Indicates a dirty/improper shutdown. Appears in the log when the previous shutdown was unexpected, e.g. due to power loss or BSoD (Bug check).

Here is how to find these events.

To find the Shutdown log in Windows 10, do the following.

  1. Press the Win + R keys together on the keyboard to open the Run dialog, type eventvwr.msc, and press the Enter key.
  2. In Event Viewer, select Windows Logs -> System on the left.
  3. On the right, click on the link Filter Current Log.
  4. In the next dialog, type the line 1074, 6006, 6008 into the text box under Includes/Excludes Event IDs.
  5. Click OK to filter the event log.

Now, the Event Viewer will display only events related to shut down.
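The event IDs from this article and from the startup/shutdown history article at the top of the page can also be paired into sessions in a script instead of being read one by one. This is an added example, not from either article: the function name, the 5-minute matching window and the sample events are assumptions made for illustration.

```powershell
# Added example, not from the articles. IDs as listed above: 6005 = event log
# service started (boot), 6006 = stopped (clean shutdown), 6008 = previous
# shutdown was unexpected, 1074 = shutdown initiated by an app.
function Get-BootSession {
    param([Parameter(Mandatory)][object[]]$Events)   # needs TimeCreated, Id
    $sorted = @($Events | Sort-Object TimeCreated)
    $dirty  = @($sorted | Where-Object { $_.Id -eq 6008 })
    $boot = $null; $requested = $false
    foreach ($e in $sorted) {
        $end = $null; $how = $null
        switch ($e.Id) {
            1074 { $requested = $true }
            6006 { if ($boot) { $end = $e.TimeCreated; $how = 'clean (6006)' } }
            6005 {
                if ($boot) {
                    # The previous session never logged 6006. Assumption: a
                    # 6008 within 5 minutes of this boot refers to it.
                    $t = $e.TimeCreated
                    $hit = @($dirty | Where-Object {
                        [math]::Abs(($_.TimeCreated - $t).TotalMinutes) -le 5 })
                    $how = if ($hit.Count) { 'unexpected (6008)' } else { 'no shutdown record' }
                }
            }
        }
        if ($how) {
            $uptime = if ($end) { $end - $boot } else { $null }
            [pscustomobject]@{ Boot = $boot; End = $end; Uptime = $uptime
                               Ended = $how; Requested = $requested }
            $boot = $null
        }
        if ($e.Id -eq 6005) { $boot = $e.TimeCreated; $requested = $false }
    }
}

# Constructed sample events (not real log data). On a live system use:
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6005, 6006, 6008 }
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-01T08:00:00'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-01T17:29:50'; Id = 1074 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-01T17:30:00'; Id = 6006 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-02T08:05:00'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-03T09:00:00'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-03T09:00:05'; Id = 6008 }
)
Get-BootSession -Events $sample | Format-Table -AutoSize
```

A session reported as "no shutdown record" has neither a 6006 nor a matching 6008, which is worth a closer look at the log for that period.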

Note: Starting with Windows 10 Fall Creators Update, the operating system is able to automatically reopen apps which were running before shutdown or restart. This behavior is totally unexpected for most Windows users who upgraded to the recent release of the OS. To avoid this issue, you can add a special "Shut Down" context menu to the Desktop that restores the classic behavior.



About Sergey Tkachenko

Sergey Tkachenko is a software developer from Russia who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

2 thoughts on “ How to Find the Shutdown Log in Windows 10 ”

Thank you, it worked.

Thanks for simple explanation. It worked.


Turning off windows event log?

The FAQ of GTA IV tells me to turn off Windows Event Log in msconfig. This will handle the game more efficiently. And it does!

But turning off Windows processes always worries me. So therefore: after playing GTA IV, should I turn on Windows Event Log again?

If so: What does it do?
If not: Why is it booted by windows in the first place?

4 Answers

I find it surprising and shocking that Rockstar would actually recommend disabling the Event Log. It’s not just some extraneous service that most people don’t use, it’s a required service that Windows expects to be running, and frankly I would be surprised if you don’t get a crash at some point if it is disabled. (It’s like trying to run Windows with the RPC service disabled: you might be able to do it for a bit, but expect a BSOD soon.)

Besides, the Event Log does not normally cause any sort of performance problem whatsoever (it is normally idle unless a relevant event has been generated), so if GTA IV actually gets bogged down when it’s running, then the problem is either due to a bad audio or video driver, in which case you should update it to alleviate the problem, or else the issue is that the game has a bug that is causing many (read: thousands of events per second) to get written to the log. In that case, they should fix the bug rather than recommend users compromise the integrity of their systems to accommodate their sloppy programming.

From the FAQ, it sounds like either GTA IV is not compatible with Win64 (in which case it is incumbent on Rockstar to fix—and I would be surprised if they couldn’t since they updated GTA 1 and 2 to run well on XP), or else it is an input driver or software that is causing something to be displayed on screen whenever you press a key (e.g. an OSD, hence the flashes). See if there is an updated keyboard driver available or check your keyboard manufacturer’s FAQs or forums for mentions of this issue. Also see if there is some sort of keyboard program (e.g. MS Intellipoint, Logitech iTouch) running and either quit it or disable the OSD.
