How to get the list of shutdown events with date?

    Question

  • A few weeks ago, a Windows Server 2008 restarted without reason (as I got that "shutdown dialog" asking me why the server shut down unexpectedly and I was asked to give a reason).

    At that time, I was too busy to look into the matter.  Now I'd like to trace back the problem but I forgot when that happened.  Is it possible to get the list of shutdown events with date and time?  I just see that if I type shutdown, I get a list.  But this list has no date and time.

    TIA
    Monday, January 04, 2010 9:08 AM

All replies

  • Hi Horinius,

    The fastest way to identify it is to look for event 6006 under the System event log.
    Have you disabled Shutdown Event Tracker?
    Monday, January 04, 2010 9:15 AM
    Moderator
  • Hello Horinius,

    To get a list of shutdown events with date and time, we can make use of Event Viewer to filter on Event ID 1074 in the System event log.

    Steps:

    1. Open Event Viewer with Eventvwr.exe

    2. Navigate to Windows Logs\System

    3. Right-click on it and select "Filter Current Log…"

    4. Filter: Event log: System Event ID: 1074

    5. When you filter them, you can track down the shutdown type, date and time, and who shut it down.

    For more information about shutdown events, please check this KB article:

    Description of the Shutdown Event Tracker

    http://support.microsoft.com/default.aspx/kb/293814

    Hope this can be helpful.

    Best Regards,

    David Shen


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by David Shen Monday, January 11, 2010 2:59 AM
    • Unmarked as answer by Horinius Monday, January 11, 2010 8:46 AM
    Tuesday, January 05, 2010 7:42 AM
  • Thanks to both of you for your replies, but that didn't give what I wanted.

    When I wrote "restarted without reason" in my original post, I should have written "the server rebooted without a proper shutdown phase", as I've explained within the brackets.  Since it had no correct shutdown, that event isn't recorded in the event log.  OTOH, since it hasn't gone through the correct shutdown phase, the first time we log in, there's a special dialog asking the reason for the previous unexpected shutdown.  And it's this list that I wanted.
    Monday, January 11, 2010 8:57 AM
  • In this case you have to generate the crash dump and find out what's the real reason for the restart; there might be some third-party application interfering which crashes the OS.


    Thanks
    http://technetfaqs.wordpress.com
    Monday, January 11, 2010 9:11 AM
  • That's off-topic...
    Monday, January 11, 2010 11:24 AM
  • Hi Horinius,

    If the server rebooted without a proper shutdown phase, I am afraid that the system won't record the process in event viewer.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, January 13, 2010 7:05 AM
  • I know it's not in the event log, or else I wouldn't ask it here.  That's why I just asked for the list, without specifying where.
    Wednesday, January 13, 2010 8:47 AM
  • Hi Horinius,

    The Windows operating system provides a centralized utility called Event Viewer, which is used to register the events of an operating system.

    IMHO if the event is not registered in event viewer then there is no chance of getting the list of events unless you have a 3rd party event viewer which is monitoring your environment.
    Friday, January 15, 2010 7:30 AM
    Moderator
  • That is not true.

    If you type "shutdown" in a command window, as I've written in my first post, you can get a list of shutdown events.  And this list remains even if you clear your logs.  The problem is there's no time and date.
    Friday, January 15, 2010 8:33 AM
  • I have just encountered the same situation as you. I got the info below from Event Viewer:

    Log Name : System

    Event ID: 41

    Description: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

    Wednesday, April 04, 2012 1:30 AM
  • Assuming the event William has proposed above is what you're after, you can pull a list with Powershell using the following command:

    Get-EventLog -LogName System -InstanceId 41

    If you wanted to pipe that off to a file, you can add the Export-Csv option as follows:

    Get-EventLog -LogName System -InstanceId 41 | Export-Csv -Path D:\Temp\events.csv -NoTypeInformation

    Cheers,
    Lain

    • Proposed as answer by Jayawardhane Wednesday, April 04, 2012 10:23 AM
    • Unproposed as answer by Horinius Wednesday, April 04, 2012 12:30 PM
    Wednesday, April 04, 2012 4:41 AM
  • I don't have event id 41 in my system, so I tried to replace it with some other known values that I've seen: 6008, 6005, 7036, etc, but I always got

    Get-EventLog : No matches found

    For me, this method doesn't work.

    Wednesday, April 04, 2012 12:30 PM
  • Try the following. I had forgotten that the InstanceId is actually an Int64 when using Powershell.

    Get-EventLog -LogName System -EntryType Warning -Source "USER32" | where { ($_.InstanceId -bAnd 0xFFFF) -eq 1076 }

    You can also pipe these results out to a CSV as I've illustrated above (so I won't waste space repeating it).

    For reference, the event you're actually after - if I've understood you correctly after re-reading all these posts for about the fourth time, is 1076.

    Cheers,
    Lain

    • Edited by Lain Robertson Wednesday, April 04, 2012 3:31 PM Grammar correction.
    Wednesday, April 04, 2012 3:30 PM
  • By other means, I've found that for some event IDs (instance IDs), the number is different, e.g.:


    6006 --> 2147489654
    6009 --> 2147489657
    6005 --> 2147489653

    Wednesday, April 04, 2012 3:44 PM
  • Try the following. I had forgotten that the InstanceId is actually an Int64 when using Powershell.

    Get-EventLog -LogName System -EntryType Warning -Source "USER32" |

    where { ($_.InstanceId -bAnd 0xFFFF) -eq 1076 }

    You can also pipe these results out to a CSV as I've illustrated above (so I won't waste space repeating it).

    For reference, the event you're actually after - if I've understood you correctly after re-reading all these posts for about the fourth time, is 1076.

    Cheers,
    Lain

    It's actually 1074 instead of 1076.  I'm going to try it tomorrow.
    Wednesday, April 04, 2012 5:37 PM
  • Dear David,

    This is karthick from Hyderabad, India. Thank you very much; your suggestion worked out of my knowledge and it has helped our organization too. Once again, thank you very much.

    regards

    karthick

    Monday, May 28, 2012 5:07 AM
  • I built a custom filter with the following IDs and it found everything I wanted. Your mileage may differ:

    Filter for Server Reboots by Novelist Stephen Paul West


    Stephen Paul West

    Tuesday, June 11, 2013 7:26 PM
  •  Get-EventLog -LogName System -Source USER32 | Export-Csv C:\temp\shut-reboots.csv

    Tuesday, August 27, 2013 5:47 PM
  •  Get-EventLog -LogName System -Source USER32 | Export-Csv C:\temp\shut-reboots.csv

    With respect to the previously suggested (and corrected) PowerShell command:
    Get-EventLog -LogName System -EntryType Warning -Source "USER32" | where { ($_.InstanceId -bAnd 0xFFFF) -eq 1074 }

    Yes, it would be better NOT to include "-EntryType Warning" because a normal shutdown event is informational instead of a warning.  Otherwise, the list of shutdown events won't be complete. OTOH, it would be nice to be able to use several IDs at the same time.  I use 1074 and 6008 in Event Viewer but I don't filter on USER32.  If you are thinking of Event ID = 41, it is actually repeating Event ID = 6008 while the latter is more precise.  But I don't know how to write the correct PS cmd.

    For the last suggested PowerShell cmd, it's better not to filter on USER32 because event ID = 6008 (unexpected shutdown) comes from EventLog source instead of USER32.
    Thursday, September 26, 2013 1:41 PM
  • There's a couple of ways you can use multiple events. Powershell V3 makes use of the "-in" operator which is nifty, but there's a strong possibility you may not have access to that on the machine you're running the command on, so I'll provide a V2 equivalent.

    Get-EventLog -LogName System | where { @(1076,1074) -contains ($_.InstanceId -bAnd 0xFFFF) }

    This example is a little basic in that it will match 1076 and 1074 events from other sources now that you've yanked the -Source parameter out, but you can fiddle with the command yourself to easily filter it to whatever sources and additional events you're now after. The only point I'm illustrating is how to filter on multiple events without using multiple "-or" operators - which you can do, but the command will become lengthy quickly (which you may or may not care about).

    Cheers,
    Lain

    • Edited by Lain Robertson Friday, October 04, 2013 9:00 AM Removed the newest 50 parameter which was only for illustrative purposes.
    Friday, October 04, 2013 8:56 AM
  • Hello people,

    When I need this information I filter the System Log (Event Viewer -> Windows Logs -> System) to find Event ID 12 and 13 of the source Kernel-General (Right click on System -> Filter Current Log...), examples:

    12: The operating system started at system time ‎2013‎-‎10‎-‎24T17:30:02.500000000Z.

    13: The operating system is shutting down at system time ‎2013‎-‎10‎-‎24T17:12:51.509375000Z.

    Regards

    Josué Monteiro Viana 


    Josué Monteiro Viana

    Thursday, October 24, 2013 7:36 PM
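
Pulling the thread's suggestions together, as an added example that is not from any poster: a PowerShell filter that masks the Int64 InstanceId down to the event ID and pairs it with its source, so that 1074, 1076, 6008 and the other IDs mentioned above come out as one dated timeline. `Get-ShutdownTimeline`, `New-SampleRecord`, the sample records and the one-line descriptions are constructed for illustration; matching the Kernel-Power (event 41) and Kernel-General (events 12/13) sources by suffix is an assumption about how they are named in the log.

```powershell
# Added example, not from any poster. Get-ShutdownTimeline is a hypothetical name.
function Get-ShutdownTimeline {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Record)
    process {
        # Get-EventLog reports InstanceId as an Int64 with severity bits set
        # (6006 appears as 2147489654); the low 16 bits are the event ID.
        $id = [int]($Record.InstanceId -band 0xFFFF)
        # Pair source and ID so an unrelated source reusing a number is ignored.
        # Matching Kernel-* sources by suffix is an assumption about their names.
        $kind = switch -Wildcard ('{0}|{1}' -f $Record.Source, $id) {
            'USER32|1074'        { 'Shutdown/restart requested (who and why)' }
            'USER32|1076'        { 'Reason entered for an unexpected shutdown' }
            'EventLog|6008'      { 'Previous shutdown was unexpected' }
            'EventLog|6006'      { 'Event Log service stopped (clean shutdown)' }
            'EventLog|6005'      { 'Event Log service started (boot)' }
            '*Kernel-Power|41'   { 'Rebooted without a clean shutdown' }
            '*Kernel-General|12' { 'Operating system started' }
            '*Kernel-General|13' { 'Operating system shutting down' }
        }
        if ($kind) {
            New-Object PSObject -Property @{
                Time = $Record.TimeGenerated; EventId = $id
                Source = $Record.Source; Kind = $kind
            }
        }
    }
}

# Constructed records shaped like Get-EventLog output (not real log data).
function New-SampleRecord($Time, $Source, $InstanceId) {
    New-Object PSObject -Property @{
        TimeGenerated = [datetime]$Time; Source = $Source; InstanceId = [int64]$InstanceId
    }
}
$sample = @(
    New-SampleRecord '2010-01-02 03:10:00' 'EventLog' 2147489654   # 6006
    New-SampleRecord '2010-01-02 03:12:00' 'EventLog' 2147489653   # 6005
    New-SampleRecord '2010-01-09 14:00:00' 'Service Control Manager' 1073748860  # 7036, ignored
    New-SampleRecord '2010-01-09 14:05:00' 'EventLog' 2147489656   # 6008
    New-SampleRecord '2010-01-09 14:06:00' 'USER32' 2147484724     # 1076
    New-SampleRecord '2010-01-20 22:00:00' 'USER32' 2147484722     # 1074
)

$sample | Get-ShutdownTimeline | Sort-Object Time |
    Select-Object Time, EventId, Source, Kind | Format-Table -AutoSize

# On a live server: Get-EventLog -LogName System | Get-ShutdownTimeline
```

A 6008 entry with no 1074 shortly before it marks a reboot that skipped the normal shutdown phase, which is the case the original question asks about.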