
Windows Server restart/shutdown events in the event viewer 

In Windows Server, events related to system startup, restart, or shutdown are logged in the Event Viewer. Specific event IDs can help you identify these occurrences. Here are some of the most relevant event IDs for tracking system start-ups or shutdowns:

  • Event ID 6005: Indicates that the Event Log service has started. This event is considered confirmation that your system has started up correctly.
  • Event ID 6006: Recorded when the Event Log service stops. This event is considered confirmation that your system is shutting down correctly.
  • Event ID 6008: Indicates that the system was shut down unexpectedly or there was a power failure. This event is useful for identifying unplanned shutdowns or system problems.
  • Event ID 6009: This event is logged at startup, right after event 6005, and displays specific information about the operating system version, such as the Windows version, processor, number of processors, BIOS version, etc.
  • Event ID 6013: Displays the system uptime, i.e., how long the system has been running since the last start. This can help you understand how long the system was active before a restart or shutdown.

To view these events, open the Event Viewer on your Windows Server and navigate to the System log, where the events listed above are typically recorded. These event IDs let you monitor and analyze the startup and shutdown cycles of your server for maintenance, auditing, or troubleshooting purposes.

Windows is shutting down, what do I do?

To determine why Windows Server is shutting down, it’s useful to monitor several event IDs in addition to those already mentioned. These events can provide clues about system issues, software failures, hardware problems, or user actions that might be leading to system shutdown. Here are some additional event IDs that might be relevant:

  • Event ID 1074: This event indicates that a process or user has initiated the shutdown or restart of the system. It provides details about who initiated the action, the involved process, and the reason given for the restart or shutdown. This is particularly useful for identifying planned shutdowns or those managed by policies.
  • Event ID 6000: The Event Log service has started. This event, along with 6005, indicates the start of the event logging service but not necessarily the complete startup of the system.
  • Event ID 109: This event is logged by the Windows kernel and signals that a device has been disconnected or removed from the system. While not directly related to shutdowns, it can be useful for diagnosing hardware issues that could cause unstable system behavior.
  • Event ID 41: This critical event indicates that the system was rebooted without cleanly shutting down first. This event is often an indicator of power losses, hardware failures, or critical system errors resulting in unexpected restarts.
  • Event ID 1101: Recorded when there are issues with the processing of group policies. Although not directly related to shutdowns, if group policies are attempting to apply settings that cannot be completed, this could lead to system issues.

These event IDs, along with a detailed analysis of the circumstances surrounding each recorded incident, can provide a clearer view of the underlying causes of system shutdowns or restarts. You can find these events using the Event Viewer, navigating to the System or Application logs as appropriate. It’s important to combine this information with other diagnostic data, such as error reports, specific application logs, and hardware health monitoring, for a comprehensive diagnosis.
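The same review can be done from PowerShell. The script below is an added example, not part of the original article: it reads the System log with Get-WinEvent for the start and stop IDs listed above and prints them as a timeline, with the initiator details for event 1074. The 30-day window and the field order used for event 1074 are assumptions.

```powershell
# Added example: restart/shutdown timeline from the System log.
# Event IDs and meanings are taken from the lists on this page.
$meaning = @{
    41   = 'Rebooted without a clean shutdown'
    1074 = 'Shutdown/restart initiated by a process or user'
    6005 = 'Event Log service started (startup)'
    6006 = 'Event Log service stopped (clean shutdown)'
    6008 = 'Unexpected shutdown'
}
$ids  = 41, 1074, 6005, 6006, 6008
$days = 30   # assumed look-back window; adjust as needed

$filter = @{
    LogName   = 'System'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-$days)
}

# Get-WinEvent returns newest first; sort ascending to read it as a timeline.
# SilentlyContinue suppresses the error raised when nothing matches.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$timeline = foreach ($e in $events) {
    $detail = ''
    if ($e.Id -eq 1074 -and $e.Properties.Count -ge 7) {
        # Assumed insertion-string order for 1074:
        # 0 = process, 2 = reason, 4 = shutdown type, 6 = user.
        $p = $e.Properties
        $detail = '{0} by {1} via {2}; reason: {3}' -f $p[4].Value, $p[6].Value, $p[0].Value, $p[2].Value
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Provider = $e.ProviderName   # tells same-numbered events apart
        Meaning  = $meaning[$e.Id]
        Detail   = $detail
    }
}

# Full timeline, oldest first.
$timeline | Format-Table -AutoSize -Wrap

# Unplanned stops only (IDs 41 and 6008), for follow-up.
$timeline | Where-Object { $_.Id -in 41, 6008 } |
    Format-Table Time, Id, Provider, Meaning -AutoSize
```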

How do I access the event viewer?

To access the Event Viewer in Windows Server or on Windows operating systems in general, you can follow these steps:

Using Windows Search

  1. Press the Windows key or click on the Start icon on the taskbar.
  2. Type Event Viewer in the search box.
  3. Click on the Event Viewer result to open the application.

Using the Run Menu

  1. Press Windows + R to open the Run dialog box.
  2. Type eventvwr.msc and press Enter or click OK. This will directly open the Event Viewer.

Using Server Manager (in Windows Server)

  1. In Server Manager, go to Tools in the upper right menu.
  2. Select Event Viewer from the dropdown list.

Navigating the Event Viewer

Once inside the Event Viewer, you can navigate through the different sections to find specific logs. The most common logs you might want to review include:

  • Application Logs: Contains events logged by applications or programs. Here you can find errors, informational messages, or warnings generated by applications.
  • Security Logs: Displays security-related events, such as login attempts and actions related to system security.
  • System Logs: Includes events generated by Windows and system components. This is where you’ll find event IDs related to system startup and shutdown.
  • Setup Logs: For newer operating systems, these logs include events related to system setup.

Use the action panel or right-click context menu for specific actions like filtering current logs, creating custom views, or accessing properties of specific events. These tools will help you analyze and diagnose issues within your system.
