How to Monitor Windows Event Log for Reboots

When was my server last rebooted? Who shutdown my machine? Read on to see how easy it is to find out using the Windows Server Event Logs.

Feature Image / License

Reading the logs is a dry and boring task. Nobody likes reading them; however, they are often a gold mine. Using the System Event Log you can discern some useful things about your system.

When Was the Machine Last Booted Up, Shutdown, or Restarted?

Before diving into the Event Logs, this can be found out easily at the command line.

A slightly more general way:

The system start can also be found in the System Event Log:

Some of the basic event IDs to filter:

  • 1074 = shutdown (planned)
  • 1076 = reason supplied was Other-Unplanned
  • 6005 = event log started (machine boots)
  • 6006 = event log service stopped (usually indicative of a reboot)
  • 6008 = the previous system shutdown was unexpected (crash)
  • 6009 = system started up

You can find out the lookups to map many Event IDs here – Events to Monitor

Some other potentially useful Event IDs to monitor:

  • When was the machine last booted up / shutdown / rebooted? (6005,6006,6008,6009)
  • Was an account locked out? (4740)
  • Attempt to reset account password? (4724)
  • Was a user added to a privileged group? (4728,4732,4756)
  • Successful and failed user logins? (4724,4625)

Don’t Forget About PowerShell

Event logs can be easily queried using Powershell:

Thanks for reading!

If you liked this post then you might also like my post about How to Analyze the SQL Server Error Log

Do you care about InfoSec and Privacy? Then YOU need to use a VPN.

Did you find this helpful? Please subscribe!

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.