How to Check Who Restarted the Server

There are times when you want to know the restart history of a system. System administrators most often need this history when troubleshooting a machine.

If multiple users use the system, checking its restarts is also a good security measure to make sure that the system is being used legitimately.

Windows Event Viewer is a tool that keeps a record of the events happening on the computer. For each event, an entry is logged. Event Viewer is backed by the Event Log service, which cannot be stopped or disabled manually because it is a core Windows service.

The event viewer also logs the start and stop times of the event log service. We can make use of those times to get an idea of when our system was restarted.

The event IDs below show these details.

Event ID 1074: Logged when an app (e.g. Windows Update) causes the system to restart, or when a user initiates a restart or shutdown.

Event ID 6006: Logged as a clean shutdown. It gives the message “The Event log service was stopped”.

Event ID 6008: Logged as a dirty shutdown. It gives the message “The previous system shutdown at <time> on <date> was unexpected”.

To find out who restarted the system, log in to the system. The steps below work on Windows Server 2008, 2008 R2 and Server 2012 R2.

Press the Win+R keys to open Run, type eventvwr.msc, and click/tap on OK to open Event Viewer.

In the left pane, open Windows Logs and then click on System.

In the right pane click Filter Current Log.

This opens the filter window for searching the log. Enter the event IDs 1074, 6006, 6008, separated by commas, into the <All Event IDs> field, and click/tap on OK.

You can now view the details of these shutdown event logs filtered by these event IDs.

When finished viewing log details, you can close Event Viewer if you like.
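The same filter can be run from PowerShell, which also pulls the initiating user and process out of each 1074 entry. This is an added example, not part of the original article; it assumes PowerShell 3.0 or later and the usual field order of event 1074 (process at index 0, shutdown type at index 4, user at index 6), which you should confirm against the Message column on your own system.

```powershell
# Added example: same filter as the Event Viewer steps above
# (System log, event IDs 1074, 6006, 6008).
$ids = 1074, 6006, 6008

# Short labels based on the event descriptions in this article.
$meaning = @{
    1074 = 'Restart/shutdown initiated by a user or an app'
    6006 = 'Clean shutdown (Event log service was stopped)'
    6008 = 'Dirty shutdown (previous shutdown was unexpected)'
}

# -ErrorAction SilentlyContinue suppresses the error Get-WinEvent raises
# when no event matches the filter.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No events with ID 1074, 6006 or 6008 found in the System log.'
    return
}

$report = foreach ($e in $events) {
    $user = $null; $process = $null; $type = $null

    if ($e.Id -eq 1074 -and $e.Properties.Count -ge 7) {
        # Assumed field order for event 1074:
        # [0] process, [4] shutdown type, [6] user.
        $process = $e.Properties[0].Value
        $type    = $e.Properties[4].Value
        $user    = $e.Properties[6].Value
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Meaning = $meaning[$e.Id]
        User    = $user
        Process = $process
        Type    = $type
        # First line of the rendered message, for cross-checking the fields.
        Message = ($e.Message -split "`r?`n")[0]
    }
}

# Newest first, so the most recent restart is at the top.
$report | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

User, Process and Type are filled in only for event 1074; events 6006 and 6008 record when the shutdown happened but not who initiated it.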
