Windows: Shutdown/Reboot Event IDs – Get Logs
While troubleshooting an issue that causes an unexpected reboot or shutdown of a Windows machine, it is important to know which event IDs are related to system reboot/shutdown and how to find the appropriate logs.
In this note I am publishing all the event IDs related to reboots/shutdowns.
I am also showing how to display the shutdown events with date and time, using the Windows Event Viewer or from the command line using PowerShell.
Shutdown Event IDs
The list of the Windows event IDs, related to the system shutdown/reboot:
Event ID | Description |
---|---|
41 | The system has rebooted without cleanly shutting down first. |
1074 | The system has been shut down properly by a user or process. |
1076 | Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause. |
6005 | The Event Log service was started. Indicates the system startup. |
6006 | The Event Log service was stopped. Indicates the proper system shutdown. |
6008 | The previous system shutdown was unexpected. |
6009 | The operating system version detected at the system startup. |
6013 | The system uptime in seconds. |
Display Shutdown Logs in Event Viewer
The shutdown events with date and time can be shown using the Windows Event Viewer.
Start the Event Viewer and search for events related to the system shutdowns:
- Press the Win key, search for eventvwr and start the Event Viewer
- Expand Windows Logs on the left panel and go to System
- Right-click on System and select Filter Current Log.
- Type the following IDs in the field and click OK :
Find Shutdown Logs using PowerShell
For example, to filter the 10000 most recent entries in the System Event Log and display only events related to the Windows shutdowns, run:
How to See PC Startup And Shutdown History in Windows 10
There are times when a user wants to know the startup and shutdown history of a computer. Mostly, system administrators need to know about the history for troubleshooting purposes. If multiple people use the computer, it may be a good security measure to check PC startup and shutdown times to make sure the PC is being used legitimately. In this article we will discuss two ways to keep track of your PC shutdown and startup times.
Using event logs to extract startup and shutdown times
Windows Event Viewer is a wonderful tool which saves all kinds of stuff that is happening in the computer. During each event, the event viewer logs an entry. The event viewer is handled by eventlog service that cannot be stopped or disabled manually, as it is a Windows core service. The event viewer also logs the start and stop times of the eventlog service. We can make use of those times to get an idea of when our computer was started or shut down.
The eventlog service events are logged with two event codes. The event ID 6005 indicates that the eventlog service was started, and the event ID 6006 indicates that the eventlog service was stopped. Let’s go through the complete process of extracting this information from the event viewer.
1. Open Event Viewer (press Win + R and type eventvwr ).
2. In the left pane, open Windows Logs -> System.
3. In the middle pane you will get a list of events that occurred while Windows was running. Our concern is to see only three events. Let’s first sort the event log with Event ID. Click on the Event ID label to sort the data with respect to the Event ID column.
4. If your event log is huge, then the sorting will not work. You can also create a filter from the actions pane on the right side. Just click on “Filter current log.”
5. Type 6005, 6006 in the Event IDs field labeled as <All Event IDs>. You can also specify the time period under Logged.
- Event ID 6005 will be labeled as “The event log service was started.” This is synonymous with system startup.
- Event ID 6006 will be labeled as “The event log service was stopped.” This is synonymous with system shutdown.
If you want to investigate the Event log further, you can go through the Event ID 6013 which will display the uptime of the computer, and Event ID 6009 indicates the processor information detected during boot time. Event ID 6008 will let you know that the system started after it was not shut down properly.
Using TurnedOnTimesView
TurnedOnTimesView is a simple, portable tool for analyzing the event log for startup and shutdown times. The utility can be used to view the list of shutdown and startup times of local computers or any remote computer connected to the network. Since it is a portable tool, you will only need to unzip and execute the TurnedOnTimesView.exe file. It will immediately list the startup time, shutdown time, duration of uptime between each startup and shutdown, shutdown reason and shutdown code.
Shutdown reason is usually associated with Windows Server machines where we have to give a reason if we are shutting down the server.
To view the startup and shutdown times of a remote computer, go to “Options -> Advanced Options” and select “Data source as Remote Computer.” Specify the IP address or name of the computer in the Computer Name field and Press the OK button. Now the list will show the details of the remote computer.
While you can always use the event viewer for detailed analysis of startup and shutdown times, TurnedOnTimesView serves the purpose with a very simple interface and to-the-point data. For what purpose do you monitor the startup and shutdown times of your computer? Which method do you prefer for monitoring?
How to check the Shutdown and Startup Log in Windows 10
Finding out the last time the PC was correctly turned off or booted up is the way to start for troubleshooting many Windows issues. Another scenario is a public system. Thanks to the Event Viewer, administrators can view and monitor unauthorized use of the computer.
Whatever the reason, you can find out when your PC was last turned on and shut down directly from Windows. You don’t need a third-party app for this; the Windows Event Viewer can handle it perfectly.
What is the Windows Event Viewer?
The Windows Event Viewer is a Microsoft Management Console (MMC) – a core service of Windows that cannot be stopped or disabled. It keeps track of every activity that takes place on your PC.
During every event, the Event Viewer logs entries. It also logs the start and stop times of the event log service (Windows), giving correct date, time, and user details of every shutdown process.
How to use the Event Viewer?
Aside from keeping a log of when your Windows start and stop, you can use the Event Viewer for the following:
- Create custom views by saving useful events filters.
- You can see events from different event logs.
- You can also create and manage different event subscriptions.
- Create and schedule a task to run when triggered by another event.
Types of events in Windows 10 related to shutting down and restarting
There are more than four events related to shutting down and restarting the Windows 10 operating system; we will list the important five. They are:
- Event ID 41: This event indicates that Windows rebooted without a complete shutdown.
- Event ID 1074: This event is written down when an application is responsible for the system shut down or restart. It also indicates when a user restarted or shut down the system by using the Start menu or by pressing CTRL+ALT+DEL.
- Event ID 6006: This event indicates that Windows was adequately turned off.
- Event ID 6008: This Event indicates an improper or dirty shutdown. It shows up when the most recent shutdown was unexpected.
How to find the shutdown log in Windows 10
There are different ways to find any of the events listed above. The traditional way is through the Event Viewer app itself. Most events can be accessed with the Command Prompt, as you will see below.
1] View shutdown and restart events from Event Viewer
Open the Run dialogue box, and input eventvwr.msc then hit Ok. In Event Viewer, select Windows Logs > System from the left pane. From the right, click on the Filter Current Log link.
Type in 41,1074,6006,6008 into the box below Includes/Exclude Event IDs. Hit Ok. Windows then displays all shutdown-related events.
The Event Viewer shows detailed information on every operation carried out on the system. Learn how to view full event viewer logs in this article.
2] See the last shutdown time using Command Prompt
Open the Command Prompt, copy and paste the following code in the window, and hit Enter:
To view the timestamp of the last shutdown without other details, copy and paste the code below then hit Enter:
As much as this method gets the job done, we often suggest you use method one, which is the Event Viewer. Not only is it more straightforward, but it also doesn’t involve copying and pasting commands.
How to Find the Shutdown Log in Windows 10
If you are curious to know why your computer shut down and what happened exactly during the shut down, you will be happy to know that Windows is able to track the shut down process and write a number of events in the system log. In this article, we will see how to find them.
In Windows 10, there are three events connected with shut down and restart.
Event ID 1074 — Indicates that the shut down process was initiated by an app. For example, it can be Windows Update.
Event ID 6006 — The clean shut down event. This means Windows 10 was turned off correctly.
Event ID 6008 — Indicates a dirty/improper shutdown. Appears in the log when the previous shutdown was unexpected, e.g. due to power loss or BSoD (Bug check).
Here is how to find these events.
To find the Shutdown log in Windows 10, do the following.
- Press the Win + R keys together on the keyboard to open the Run dialog, type eventvwr.msc, and press the Enter key.
- In Event Viewer, select Windows Logs -> System on the left.
- On the right, click on the link Filter Current Log.
- In the next dialog, type the line 1074, 6006, 6008 into the text box under Includes/Excludes Event IDs.
- Click OK to filter the event log.
Now, the Event Viewer will display only events related to shut down.
Note: Starting with Windows 10 Fall Creators Update, the operating system is able to automatically reopen apps which were running before shutdown or restart. This behavior is totally unexpected for most Windows users who upgraded to the recent release of the OS. To avoid this issue, you can add a special «Shut Down» context menu to the Desktop that restores the classic behavior.
About Sergey Tkachenko
Sergey Tkachenko is a software developer from Russia who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.
2 thoughts on “ How to Find the Shutdown Log in Windows 10 ”
Thank you, it worked.
Thanks for simple explanation. It worked.
View windows shutdown log
Question
A few weeks ago, a Windows Server 2008 restarted without reason (as I got that «shutdown dialog» asking me why the server shut down unexpectedly and I was asked to give a reason).
At that time, I was too busy to look into the matter. Now I’d like to trace back the problem but I forgot when that happened. Is it possible to get the list of shutdown event with date and time? I just see that if I type shutdown, I get a list. But this list has no date and time.
All replies
Fastest way to identify is to look for event 6006 under system event log
have you disabled shutdown event tracker ?
To get a list of shutdown event with date and time, we can take use of Event Viewer to filter Event ID: 1074 in System Event log
1. Open Event Viewer with Eventvwr.exe
2. Navigate to Windows Logs\System
3. Right-Click on it and select «Filter Current Log…»
4. Filter: Event log: System Event ID: 1074
5. When you filter them, you can track down its shutdown type, date and time, and who has shutdown it.
For more information about shutdown event, please check this KB article:
Description of the Shutdown Event Tracker
Hope this can be helpful.
This posting is provided «AS IS» with no warranties, and confers no rights.
Thanks to both of you for your replies, but that didn’t give what I wanted.
When I wrote «restarted without reason» in my original post, I should have written «the server rebooted without a proper shutdown phase», as I’ve explained within the brackets. Since it has no correct shutdown, that event isn’t recorded in the event log. OTOH, since it hasn’t gone through the correct shutdown phase, the first time when we log in, there’s a special dialog asking the reason of previous unexpected shutdown. And it’s this list that I wanted.
In this case you have to generate the crash dump and find out what's the real reason for the restart, there might be some third party application interfering which crashes the OS.
If the server rebooted without a proper shutdown phase, I am afraid that the system won’t record the process in event viewer. This posting is provided «AS IS» with no warranties, and confers no rights.
Windows operating system has provided a centralized utility called event viewer which is used to register the events of an operating system,
IMHO if the event is not registered in event viewer then there is no chance of getting the list of events unless you have a 3rd party event viewer which is monitoring your environment.
That is not true.
If you type «shutdown» in a command window, as I’ve written in my first post, you can get a list of shutdown events. And this list remains even if you clear your logs. The problem is there’s no time and date.
I have just encountered same situation as you. Got below info. from event viewer
Log Name : System
Description: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Assuming the event William has proposed above is what you’re after, you can pull a list with Powershell using the following command:
If you wanted to pipe that off to a file, you can add the Export-Csv option as follows:
I don’t have event id 41 in my system, so I tried to replace it with some other known values that I’ve seen: 6008, 6005, 7036, etc, but I always got
Get-EventLog : No matches found
For me, this method doesn’t work.
Try the following. I had forgotten that the InstanceId is actually an Int64 when using Powershell.
You can also pipe these results out to a CSV as I’ve illustrated above (so I won’t waste space repeating it).
For reference, the event you’re actually after — if I’ve understood you correctly after re-reading all these posts for about the fourth time, is 1076.
By other means, I’ve found that for some event id (instance id), the number is different, eg:
6006 —> 2147489654
6009 —> 2147489657
6005 —> 2147489653
this karthick from Hyderabad India thank you very much your suggestion is worked out of my knowledge and its helped to our organization too. and once again thank you very much.
I built a custom filter with the following IDs and it found everything I wanted. Your mileage may differ:
Stephen Paul West
Get-EventLog -LogName System -Source USER32 | Export-Csv C:\temp\shut-reboots.csv
Yes, it would be better NOT to include «-EntryType Warning» because a normal shutdown event is informational instead of warning. Otherwise, the list of shutdown events won’t be complete. OTOH, it would be nice to be able to use several IDs at the same time. I use 1074 and 6008 on Event Viewer but I don’t filter on USER32. If you are thinking of Event it is actually repeating Event while the latter is more precise. But I don’t know how to write the correct PS cmd.
For the last suggested PowerShell cmd, it’s better not to filter on USER32 because event (unexpected shutdown) comes from EventLog source instead of USER32.
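The two points the thread and the PowerShell section above leave open, filtering on several event IDs at once with date and time, and the large InstanceId values quoted for 6005/6006/6009, are shown here as an added example (not code from any poster or article on this page). It uses Get-WinEvent, whose Id filter takes the plain event IDs and no source filter; the function names, the 90-day window and the CSV path are assumptions.

```powershell
# Added example: shutdown/startup history with date and time from the System log.
# IDs and their meanings follow the event ID table on this page.
$Kind = @{
    41   = 'rebooted without clean shutdown'
    1074 = 'shutdown/restart requested by user or process'
    1076 = 'reason entered after unexpected shutdown'
    6005 = 'Event Log service started (startup)'
    6006 = 'Event Log service stopped (clean shutdown)'
    6008 = 'previous shutdown was unexpected'
}

function Get-ShutdownHistory {
    param(
        [string]$ComputerName,                        # empty = local machine
        [datetime]$After = (Get-Date).AddDays(-90)    # assumed look-back window
    )
    # Id accepts an array, so several event IDs are matched in one query,
    # regardless of which source (USER32, EventLog, ...) wrote them.
    $filter = @{ LogName = 'System'; Id = [int[]]@($Kind.Keys); StartTime = $After }
    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    Get-WinEvent @params |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Kind';   Expression = { $Kind[[int]$_.Id] } },
            @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Get-EventLog -InstanceId expects the full identifier, which carries severity
# bits above the event ID; masking off the top two bits gives the ID that
# Event Viewer displays.
function ConvertTo-EventId([long]$InstanceId) { $InstanceId -band 0x3FFFFFFF }

# InstanceId values quoted in the thread above
2147489654, 2147489657, 2147489653 |
    ForEach-Object { '{0} -> {1}' -f $_, (ConvertTo-EventId $_) }

Get-ShutdownHistory | Format-Table -AutoSize
Get-ShutdownHistory | Export-Csv -Path .\shutdown-history.csv -NoTypeInformation  # assumed path
```

The ProviderName column shows which source wrote each record, which helps when the same ID number is used by more than one provider in the System log.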