How to check who restarted (shutdown) Windows Server? , Ranjan.info

If there are multiple system administrators in your company, sometimes you may want to know who rebooted the server. in this article. I will show you how to identify a user who restarted or shut down a computer/server running Windows by the event log.

Information about the user account that sent the restart command is stored in the Windows event log.

  1. Open Event Viewer Console (eventvwr.msc) and go to Windows Logs -> Management,
  2. Use the event log filter by clicking Filter Current Log in the context menu; Filter Event Viewer Log
  3. In the Filter box, enter EventID 1074 and click OK; Filter by Event ID 1074: The system has been shutdown by a process/user
  4. Only shutdown (reboot) events will be left in the log list. Open last event;
  5. with the event user 32 Shows a user as a source who has initiated Windows Restart. In this example, it is the user novak, How to find out who restarted Windows using Event Viewer?
The process C:\Windows\Explorer.EXE has initiated the restart of computer MUN-DC03 on behalf of user WOSHUB\novak for the following reason: Other (Unplanned)
Reason Code: 0x5000000
Shutdown Type: restart
Comment:

Let’s look at more examples of Windows restart/shutdown events. you can see nt authority\system As a user who restarted an operating system.

This means that the restart was initiated by a Windows service or a program running as SYSTEM. For example, it could be a wooserve The service process that completed updating Windows and restarting the computer according to the configured Windows Update GPO settings or by using the PSWindowsUpdate module function.

The process C:\Windows\uus\AMD64\MoUsoCoreWorker.exe has initiated the restart of computer MUN-DC03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service pack (Planned)
Reason Code: 0x80020010
Shutdown Type: restart
Comment:

If your Windows guest is running in a VMware virtual machine and you run restart guest in the VMware Management Console, the shutdown event looks like this:

The process C:\Program Files\VMware\VMware Tools\vmtoolsd.exe has initiated the shutdown of computer MUN-DC03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: shutdown

In this case, Windows shutdown is also initiated by NT AUTHORITY\SYSTEM , because VMware Tools Integration Services is run on behalf of the system.

You can find information about restart events using PowerShell. The following command displays all events with EventID 1074:

Get-WinEvent -FilterHashtable @{logname=’System’;id=1074}|ft TimeCreated,Id,Message

The command returned details of all Windows restart and shutdown events.

Detect restart information event 1074 using PowerShell

You can use the following powershell script which returns a list last ten events Started server restart/shutdown with the name of the users or processes.

Get-EventLog -LogName System |
where {$_.EventId -eq 1074} |select-object -first 10 |
ForEach-Object {
$rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode
if ($_.ReplacementStrings[4]) {
$rv.Date = $_.TimeGenerated
$rv.User = $_.ReplacementStrings[6]$rv.Process = $_.ReplacementStrings[0]$rv.Action = $_.ReplacementStrings[4]$rv.Reason = $_.ReplacementStrings[2]$rv
}
} | Select-Object Date, Action, Reason, User, Process |ft

You can use powershell to get the name of the user who restarted the remote computer. You can access the event log on the remote host Get-EventLog -ComputerName Command or connect to the computer using the Invoke-Command cmdlet and PSRemoting:

Invoke-Command -ComputerName mun-dc03 -ScriptBlock {Get-WinEvent -FilterHashtable @{logname=’System’;id=1074} |select-object TimeCreated,Id,Message -first 1}

get restart history from remote computer

By Event ID 1074, you can only find the reason for the true server reboot. If Windows was restarted due to an emergency (for example, if a power failure or BSOD appears), you will need to find an Event ID 6008,

The previous system shutdown at 3:24:29 AM on ‎9/‎17/‎2022 was unexpected.

EventID 6008 The previous system shutdown was unexpected

Of course, you won’t be able to find out who has restarted Windows, if the event log has been cleared or if recent events have been overwritten by an earlier one (this can be done in the event log using GPO in the domain). It is recommended to increase the maximum size of) )

Leave a Comment