- How to See PC Startup And Shutdown History in Windows 10
- Using event logs to extract startup and shutdown times
- Using TurnedOnTimesView
- Windows: Shutdown/Reboot Event IDs – Get Logs
- Shutdown Event IDs
- Display Shutdown Logs in Event Viewer
- Find Shutdown Logs using PowerShell
- Windows 10 Logs Off when Shutdown or Hibernate is used
- Cause
- Resolution: Windows Logs Off User when Shutdown or Hibernate is used
- How to check the Shutdown and Startup Log in Windows 10
- What is the Windows Event Viewer?
- How to use the Event Viewer?
- Types of events in Windows 10 related to shutting down and restarting
- How to find the shutdown log in Windows 10
- 1] View shutdown and restart events from Event Viewer
- 2] See the last shutdown time using Command Prompt
How to See PC Startup And Shutdown History in Windows 10
There are times when a user wants to know the startup and shutdown history of a computer. Mostly, system administrators need to know about the history for troubleshooting purposes. If multiple people use the computer, it may be a good security measure to check PC startup and shutdown times to make sure the PC is being used legitimately. In this article we will discuss two ways to keep track of your PC shutdown and startup times.
Using event logs to extract startup and shutdown times
Windows Event Viewer is a wonderful tool which saves all kinds of stuff that is happening in the computer. During each event, the event viewer logs an entry. The event viewer is handled by eventlog service that cannot be stopped or disabled manually, as it is a Windows core service. The event viewer also logs the start and stop times of the eventlog service. We can make use of those times to get an idea of when our computer was started or shut down.
The eventlog service events are logged with two event codes. The event ID 6005 indicates that the eventlog service was started, and the event ID 6009 indicates that the eventlog services were stopped. Let’s go through the complete process of extracting this information from the event viewer.
1. Open Event Viewer (press Win + R and type eventvwr ).
2. In the left pane, open Windows Logs -> System.
3. In the middle pane you will get a list of events that occurred while Windows was running. Our concern is to see only three events. Let’s first sort the event log with Event ID. Click on the Event ID label to sort the data with respect to the Event ID column.
4. If your event log is huge, then the sorting will not work. You can also create a filter from the actions pane on the right side. Just click on “Filter current log.”
5. Type 6005, 6006 in the Event IDs field labeled as . You can also specify the time period under Logged.
- Event ID 6005 will be labeled as “The event log service was started.” This is synonymous with system startup.
- Event ID 6006 will be labeled as “The event log service was stopped.” This is synonymous with system shutdown.
If you want to investigate the Event log further, you can go through the Event ID 6013 which will display the uptime of the computer, and Event ID 6009 indicates the processor information detected during boot time. Event ID 6008 will let you know that the system started after it was not shut down properly.
Using TurnedOnTimesView
TurnedOnTimesView is a simple, portable tool for analyzing the event log for startup and shutdown times. The utility can be used to view the list of shutdown and startup times of local computers or any remote computer connected to the network. Since it is a portable tool, you will only need to unzip and execute the TurnedOnTimesView.exe file. It will immediately list the startup time, shutdown time, duration of uptime between each startup and shutdown, shutdown reason and shutdown code.
Shutdown reason is usually associated with Windows Server machines where we have to give a reason if we are shutting down the server.
To view the startup and shutdown times of a remote computer, go to “Options -> Advanced Options” and select “Data source as Remote Computer.” Specify the IP address or name of the computer in the Computer Name field and Press the OK button. Now the list will show the details of the remote computer.
While you can always use the event viewer for detailed analysis of startup and shutdown times, TurnedOnTimesView serves the purpose with a very simple interface and to-the-point data. For what purpose do you monitor the startup and shutdown times of your computer? Which method do you prefer for monitoring?
Content Manager at Make Tech Easier. Enjoys Android, Windows, and tinkering with retro console emulation to breaking point.
Windows: Shutdown/Reboot Event IDs – Get Logs
While troubleshooting an issue that causes an unexpected reboot or shutdown of a Windows machine, it is important to know which event IDs are related to system reboot/shutdown and how to find the appropriate logs.
In this note i am publishing all the event IDs related to reboots/shutdowns.
I am also showing how to display the shutdown events with date and time, using a Windows Event Viewer or from the command-line using a PowerShell.
Cool Tip: How to boot Windows in Safe Mode! Read more →
Shutdown Event IDs
The list of the Windows event IDs, related to the system shutdown/reboot:
| Event ID | Description |
|---|---|
| 41 | The system has rebooted without cleanly shutting down first. |
| 1074 | The system has been shutdown properly by a user or process. |
| 1076 | Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause. |
| 6005 | The Event Log service was started. Indicates the system startup. |
| 6006 | The Event Log service was stopped. Indicates the proper system shutdown. |
| 6008 | The previous system shutdown was unexpected. |
| 6009 | The operating system version detected at the system startup. |
| 6013 | The system uptime in seconds. |
Display Shutdown Logs in Event Viewer
The shutdown events with date and time can be shown using the Windows Event Viewer.
Start the Event Viewer and search for events related to the system shutdowns:
- Press the Win keybutton, search for the eventvwr and start the Event Viewer
- Expand Windows Logs on the left panel and go to System
- Right-click on System and select Filter Current Log.
- Type the following IDs in the field and click OK :
Cool Tip: Get history of previously executed commands in PowerShell! Read more →
Find Shutdown Logs using PowerShell
For example, to filter the 10000 most recent entries in the System Event Log and display only events related to the Windows shutdowns, run:
Cool Tip: Start/Stop a service in Windows from the CMD & PowerShell! Read more →
Windows 10 Logs Off when Shutdown or Hibernate is used
Over these years, at least since the Windows 7 era, we’ve seen several cases where the system logs you off when clicking on the Shutdown or Hibernate option in the Start menu. The problem may be seen in Windows 8 or Windows 10 computers as well. Some users have indicated that the problem occurred after installing Windows 10 v1903.
What causes Windows to log off the user instead when shutdown or hibernate option is used?
Cause
During hibernation, Windows reads the contents in the memory and dumps it into a file named hiberfil.sys on the system drive’s root. The crash dump feature uses the same technology to dump the memory contents to a file (.dmp) in your hard disk in the aftermath of a system crash. Both hibernate and crash dump features use a special filter driver named dumpfve.sys to do the task of dumping the memory to file.
The file dumpfve.sys is mentioned in the following registry key, in a REG_MULTI_SZ value named DumpFilters
The multi-string registry value allows third-party providers to add the crash dump filter drivers — e.g., Truecrypt.sys from TrueCrypt, MfeEpeOpal.sys from McAfee Endpoint Encryption, or Daemon Tools filter driver, etc. Most disk encryption products typically also want to encrypt hibernation & crash dump files and add their dump filters in the above registry key.
The dump filter drivers mentioned in the registry key are loaded when crash dump or hibernation is initialized. If Windows is unable to load the filter drivers during the hibernate process, it generates an event log entry with the Event ID 45. The event log entry looks like the following:
Additionally, when you go to the Details tab in this event and then select friendly view, you may notice the following:
The problem may occur during the shutdown as well. How?
If Fast Startup is enabled, the system logs off all the user sessions completely and then hibernates the system instead of performing a clean shut down. Fast Startup relies upon the hibernation feature, and it dumps the kernel memory to hiberfil.sys file. When fast startup is enabled and a user shuts down the computer, all sessions are logged off, and the computer enters hibernation. As part of the hibernation process, Windows initializes the system’s memory dump configuration. If the filter driver(s) is not loaded, it fails to hibernate, and brings you back to the Windows Lock Screen of the sign-in screen.
To avoid the problem from happening during shutdown (not hibernate), you can disable fast startup or bypass fast startup during shutdown on a per-session basis by running shutdown.exe /s /t 0 to shut down the computer. To disable Fast Startup:
- Open Control Panel → All Control Panel Items → Power Options (or run powercfg.cpl )
- Click Choose what the power buttons do
- Click Change settings that are currently unavailable
- Uncheck Turn on fast startup
- Click OK.
However, turning off fast startup is a compromise. It’s not a feasible thing to do for most users, as the restart process in Windows continues to perform a full boot cycle, without the hibernation performance benefits.
Resolution: Windows Logs Off User when Shutdown or Hibernate is used
To fix the problem, remove third-party crash dump filter driver references from the registry using the following steps:
- Start the Registry Editor ( regedit.exe ) and go to the following key:
- Backup the key by exporting it to a .reg file.
- Double-click the DumpFilters multi-string value.
- Remove all the third-party filter drivers listed in the value. Note that the Windows default driver dumpfve.sys should not be removed.
- Exit the Registry Editor.
- Restart Windows.
The hibernate and shutdown features should now work correctly — with or without Fast Startup enabled.
How to check the Shutdown and Startup Log in Windows 10
Finding out the last time the PC was correctly turned off or booted up is the way to start for troubleshooting many Windows issues. Another scenario is a public system. Thanks to the Event Viewer, administrators can view and monitor unauthorized use of the computer.
Whatever reason it is, you can find out when last your PC was put on and shut down directly from Windows. You don’t need a third-party app for this; the Windows Event Viewer can handle it perfectly.
What is the Windows Event Viewer?
The Windows Event Viewer is a Microsoft Management Console (MCC) – a core service of Windows that cannot be stopped or disabled. It keeps track of every activity that takes place on your PC.
During every event, the Event Viewer logs entries. It also logs the start and stop times of the event log service (Windows), giving correct date, time, and user details of every shutdown process.
How to use the Event Viewer?
Aside from keeping a log of when your Windows start and stop, you can use the Event Viewer for the following:
- Create custom views by saving useful events filters.
- You can see events from different event logs.
- You can also create and manage different event subscriptions.
- Create and schedule a task to run when triggered by another event.
Types of events in Windows 10 related to shutting down and restarting
They are more than four events related to shutting down and restarting the Windows 10 operating system; we will list the important five. They are:
- Event ID 41: This event indicates that Windows rebooted without a complete shutdown.
- Event ID 1074: This event is written down when an application is responsible for the system shut down or restart. It also indicates when a user restarted or shut down the system by using the Start menu or by pressing CTRL+ALT+DEL.
- Event ID 6006: This event indicates that Windows was adequately turned off.
- Event ID 6008: This Event indicates an improper or dirty shutdown. It shows up when the most recent shutdown was unexpected.
How to find the shutdown log in Windows 10
They are different ways to find out any of the events listed above. The traditional way is through the Event Viewer app itself. Most events can be accessed with the Command Prompt, as you will see below.
1] View shutdown and restart events from Event Viewer
Open the Run dialogue box, and input eventvwr.msc then hit Ok. In Event Viewer, select Windows Logs > System from the left pane. From the right, click on the Filter Current Log link.
Type in 41,1074,6006,6008 into the box below Includes/Exclude Event IDs. Hit Ok. Windows then displays all shutdown-related events.
The Event Viewer shows detailed information on every operation carried out on the system. Learn how to view full event viewer logs in this article.
2] See the last shutdown time using Command Prompt
Open the Command Prompt, copy and paste the following code in the window, and hit Enter:
To view the timestamp of the last shutdown without other details, copy and paste the code below then hit Enter:
As much as this method gets the job done, we often suggest you use method one, which is the Event Viewer. Not only is it more straightforward, but it also doesn’t involve copying and pasting commands.
