Server Shutdown/Restart Event Custom View (Who/What)

Use Case: To find out which user or service either shut down or restarted a server.

1. Open Event Viewer

Press Windows + R to open the Run dialog.
Type eventvwr.msc and press Enter to open Event Viewer.

2. Identify Relevant Event IDs for Shutdown Events
Windows logs shutdown events under the System log in Event Viewer. The relevant event IDs for shutdown or restart events are:

Event ID 1074: This event indicates that the system was shut down or restarted by a user or process, and it includes the username and reason for the shutdown.
Event ID 6006: This event indicates that the Event Log service was stopped, which usually happens during a system shutdown or restart.
Event ID 6008: This event indicates an unexpected shutdown (i.e., the system did not shut down cleanly).

3. Create a Custom View
To filter these events and create a custom view:

In Event Viewer, in the Actions panel on the right, click Create Custom View.

Set the Filter:

Under the Filter tab:
In the Event IDs field, enter 1074, 6006, 6008 to capture all relevant shutdown events.

You can also choose to filter by Event Level (e.g., Information, Warning, Error) depending on the severity of the event you want to capture.
Optionally, set a Time Range to limit the events to a specific time frame.
Click OK to proceed.
Define the Custom View:

Name the custom view, for example, "Shutdown Events."
You can also provide a Description for the view (e.g., "Tracks who initiated server shutdown or restart events").
Ensure that Event Logs is set to System (since shutdown events are logged in the System log).
Click OK to create the custom view.

4. Review Shutdown Events
After creating the custom view:

Navigate to Custom Views in the left pane of Event Viewer.
You should see the newly created "Shutdown Events" view listed there.
Click on the view, and it will display a list of shutdown events based on the filter you set.
Event ID 1074 will show who initiated the shutdown (including the username).
Event IDs 6006 and 6008 provide additional context if the server was shut down unexpectedly.

5. Analyzing the Shutdown Events
When you look at the event details for Event ID 1074, you will see:

The user who initiated the shutdown.
The reason for the shutdown (if provided).
The time the shutdown occurred.

For example:
Event ID 1074:
The process C:\Windows\System32\shutdown.exe (SERVER-NAME) has initiated the shutdown of computer SERVER-NAME on behalf of user USERNAME. The reason provided is 'Other (Unplanned)'.
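
The same filter can be run from PowerShell when the result needs to be exported or collected from several servers. This is an added example, not part of the original article. It assumes a 30-day look-back window and the usual property order of the User32 1074 event (process, computer, reason, reason code, shutdown type, comment, user); if the columns look wrong on your build, check the event's XML view.

```powershell
# Added example: query the System log for the same IDs used in the custom view.
$since = (Get-Date).AddDays(-30)          # assumed look-back window

$filter = @{
    LogName   = 'System'
    Id        = 1074, 6006, 6008
    StartTime = $since
}

# Get-WinEvent raises an error when nothing matches, so suppress it and test for $null.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No shutdown/restart events found since $since."
    return
}

$report = $events | Sort-Object TimeCreated | ForEach-Object {
    $e = $_
    # Defaults used for 6006/6008, which carry no user information.
    $row = [ordered]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Kind    = ''
        User    = ''
        Process = ''
        Reason  = ''
        Comment = ''
    }
    switch ($e.Id) {
        1074 {
            $p = $e.Properties
            if ($p.Count -ge 7) {
                # Assumed layout: 0=process, 2=reason, 4=type, 5=comment, 6=user
                $row.Process = $p[0].Value
                $row.Reason  = $p[2].Value
                $row.Kind    = $p[4].Value    # e.g. restart / power off
                $row.Comment = $p[5].Value
                $row.User    = $p[6].Value
            } else {
                $row.Kind = 'Initiated shutdown (unparsed, see message)'
            }
        }
        6006 { $row.Kind = 'Event Log service stopped (clean shutdown)' }
        6008 { $row.Kind = 'Unexpected shutdown' }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize -Wrap
```

A 6008 entry with no 1074 entry shortly before the previous boot points to a crash or power loss rather than a user-initiated shutdown.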


