Being a Windows server administrator, you may require to regularly check and review your Windows server reboot and shutdown logs. In this article, we will discuss about how to check reboot and shutdown logs in Windows server. In Windows server, all such information are stored in Windows Event log. We can view all theses event logs using Windows Event Viewer. Windows Event Viewer contains reboot Event ID, shutdown Event ID, Windows server crash Event ID or unexpected server reboot Event ID.
What is Windows Event Viewer?
Windows server logs all important logs and events in Event log. This allows the administrators to review and analyze the events related to any service. We can view all event logs using Windows Event Viewer. You can access it by following the below steps on your server
- Press Windows Key + R start “Run”.
- In dialog box, type eventvwr as shown in the following image:
- Click “Ok” button to open Windows Event Viewer.
Checking Reboot & Shutdown Logs in Windows Server Through Event Viewer
Windows Event log service assigns Event ID to each different event. This helps to filter the service or event specific logs. Following are the important Event IDs which are associated with Windows server reboot and shutdown:
- Event ID 41: This event indicates that your Windows system has rebooted without cleanly shutting down first.
- Event ID 1074: This event is written when an application causes the system to reboot, or when the user initiates a reboot or shutdown by clicking Start or pressing CTRL+ALT+DELETE, and then clicking Shut Down.
- Event ID 6005: The event is logged at boot time noting that the Event Log service was started.
- Event ID 6006: The event is logged at boot time noting that the Event Log service was stopped.
- Event ID 6008: This event gets logged to the system event log when a system shuts down unexpectedly. you will see the message “The previous system shutdown at time on date was unexpected.”
To check the Reboot Logs:
1. Open Windows Event Viewer as shown above.
2. Go to Event Viewer (Local) >> Expand Windows Logs folder >> Go to System as shown below:
3. From Right side Action pane, click on “Filter Current Log…” to filter the event IDs.
4. Filter the event IDs 41, 1074 to check if the system was rebooted unexpectedly or by user/application.
Event IDs 41 and 1074 are associated with server reboot event ID.
To check the Shutdown Logs:
1. Follow the Steps 1 to 3 from “To check the Reboot Logs“.
2. Filter the logs using event IDs 1074, 6008 as shown below:
Event IDs 1074 and 6008 are associated with server shutdown event ID.
Conclusion
Using the above steps, you can find the event details associated with Windows Server reboot, shutdown or unexpected crash. This helps the server administrator to analyze and troubleshoot the issue.