Finding the reason for a server restart or shutdown through the Windows event log

https://www.maketecheasier.com/see-pc-startup-and-shutdown-history-in-windows/

https://serverfault.com/questions/702828/windows-server-restart-shutdown-history

Event IDs: 6005, 6006, 6008, 6009, 1074, 1076

Command-line one-liner that summarizes these events:

Get-EventLog -LogName System | Where-Object {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | Format-Table TimeGenerated,EventId,Message -AutoSize -Wrap

The clearest, most succinct answer I could find is:

which lists these event IDs to monitor (quoted but edited and reformatted from the article):

  • Event ID 6005 (alternate): “The event log service was started.” This is synonymous to system startup.
  • Event ID 6006 (alternate): “The event log service was stopped.” This is synonymous to system shutdown.
  • Event ID 6008 (alternate): “The previous system shutdown was unexpected.” Records that the system started after it was not shut down properly.
  • Event ID 6009 (alternate): Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
  • Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id.

Add to that a couple more from the Server Fault answers listed in my OP:

  • Event ID 1074 (alternate): “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” Indicates that an application or a user initiated a restart or shutdown.
  • Event ID 1076 (alternate): “The reason supplied by user X for the last unexpected shutdown of this computer is: Y.” Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

There are times when a user wants to know the startup and shutdown history of a computer. Mostly, system administrators need to know about the history for troubleshooting purposes. If multiple people use the computer, it may be a good security measure to check PC startup and shutdown times to make sure the PC is being used legitimately. In this article we will discuss two ways to keep track of your PC shutdown and startup times.

Using event logs to extract startup and shutdown times

Windows Event Viewer is a wonderful tool which records everything that is happening on the computer. For each event, the event viewer logs an entry. The event viewer is handled by the eventlog service, which cannot be stopped or disabled manually, as it is a Windows core service. The event viewer also logs the start and stop times of the eventlog service. We can make use of those times to get an idea of when our computer was started or shut down.

The eventlog service events are logged with two event codes. Event ID 6005 indicates that the eventlog service was started, and event ID 6006 indicates that the eventlog service was stopped. Let’s go through the complete process of extracting this information from the event viewer.

1. Open Event Viewer (press Win + R and type eventvwr).


2. In the left pane, open Windows Logs -> System.


3. In the middle pane you will get a list of events that occurred while Windows was running. We are only interested in a few of them. Let’s first sort the event log by Event ID. Click on the Event ID column header to sort the data by that column.


4. If your event log is huge, then the sorting will not work. You can also create a filter from the actions pane on the right side. Just click on “Filter current log.”

5. Type 6005, 6006 in the Event IDs field labeled as <All Event IDs>. You can also specify the time period under Logged.


  • Event ID 6005 will be labeled as “The event log service was started.” This is synonymous with system startup.
  • Event ID 6006 will be labeled as “The event log service was stopped.” This is synonymous with system shutdown.

If you want to investigate the Event log further, you can go through the Event ID 6013 which will display the uptime of the computer, and Event ID 6009 indicates the processor information detected during boot time. Event ID 6008 will let you know that the system started after it was not shut down properly.
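The one-liner at the top of the page and the Event Viewer filter above both stop at listing raw events. The script below is an added example, not code from the original post or from either quoted article: it reads the same IDs with Get-WinEvent (Get-EventLog, used in the one-liner, exists only in Windows PowerShell 5.1), sorts them oldest-first, pairs each 6005 with the following 6006 to compute uptime, and splits the 1074 message into process, user and reason using the wording the page quotes. The `$ComputerName` and `$Days` parameters and the function name are the example's own; reading the time and date of the lost shutdown from the first two `Properties` of a 6008 event follows that event's message template ("The previous system shutdown at %1 on %2 was unexpected") and is an assumption to verify on your own systems.

```powershell
# Added example (not from the original post). Builds a startup/shutdown timeline
# from the System log. Run on a machine where you can read the System log;
# $ComputerName and $Days are this script's own parameters.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

# IDs discussed on the page: 6005/6006/6008/6009/6013 come from the 'EventLog'
# provider, 1074/1076 from 'User32'. Get-WinEvent accepts an Id array here.
$filter = @{
    LogName   = 'System'
    Id        = 6005, 6006, 6008, 6009, 6013, 1074, 1076
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent returns newest first; sort ascending so sessions can be paired.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
          Sort-Object TimeCreated

# Splits the 1074 text quoted on the page ("The process X has initiated the
# restart / shutdown of computer ... on behalf of user Y for the following reason: Z").
function ConvertFrom-ShutdownMessage([string]$Message) {
    $pattern = 'The process (?<proc>.+?) has initiated the (?<type>.+?) of computer ' +
               '(?<comp>\S+) on behalf of user (?<user>.+?) for the following reason: (?<reason>[^\r\n]+)'
    if ($Message -match $pattern) {
        return [pscustomobject]@{
            Process = $Matches.proc
            Type    = $Matches.type
            User    = $Matches.user
            Reason  = $Matches.reason
        }
    }
    return $null
}

$lastStart = $null
$timeline = foreach ($e in $events) {
    $kind   = ''
    $detail = ''
    switch ($e.Id) {
        6005 { $kind = 'STARTUP'; $lastStart = $e.TimeCreated }
        6006 { $kind = 'CLEAN SHUTDOWN'
               # Uptime of the session that this clean shutdown ends.
               if ($lastStart) { $detail = 'uptime {0}' -f ($e.TimeCreated - $lastStart) } }
        6008 { $kind = 'UNEXPECTED SHUTDOWN'
               # Assumption: Properties[0]/[1] are the time and date from the 6008 message template.
               $detail = 'previous shutdown at {0} {1}' -f $e.Properties[0].Value, $e.Properties[1].Value }
        6009 { $kind = 'BOOT INFO'; $detail = $e.Message -replace '\s+', ' ' }
        6013 { $kind = 'UPTIME';    $detail = $e.Message -replace '\s+', ' ' }
        1074 { $kind = 'SHUTDOWN INITIATED'
               $p = ConvertFrom-ShutdownMessage $e.Message
               if ($p) { $detail = '{0} by {1} via {2}: {3}' -f $p.Type, $p.User, $p.Process, $p.Reason }
               else    { $detail = $e.Message -replace '\s+', ' ' } }
        1076 { $kind = 'REASON SUPPLIED'; $detail = $e.Message -replace '\s+', ' ' }
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Kind   = $kind
        Detail = $detail
    }
}

$timeline | Format-Table Time, Id, Kind, Detail -AutoSize -Wrap
```

Read the output top to bottom: a 6005 with no 6006 before it and a 6008 right after it is the signature of a crash or power loss, while a 1074 immediately before a 6006 tells you which process and account requested a planned restart, which is usually the question an administrator actually has. Run it with `-ComputerName` pointing at a remote server to get the same view the TurnedOnTimesView remote option gives, using only built-in cmdlets.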

Using TurnedOnTimesView

TurnedOnTimesView is a simple, portable tool for analyzing the event log for startup and shutdown times. The utility can be used to view the list of shutdown and startup times of local computers or any remote computer connected to the network. Since it is a portable tool, you will only need to unzip and execute the TurnedOnTimesView.exe file. It will immediately list the startup time, shutdown time, duration of uptime between each startup and shutdown, shutdown reason and shutdown code.


Shutdown reason is usually associated with Windows Server machines where we have to give a reason if we are shutting down the server.

To view the startup and shutdown times of a remote computer, go to “Options -> Advanced Options” and select “Data source as Remote Computer.” Specify the IP address or name of the computer in the Computer Name field and Press the OK button. Now the list will show the details of the remote computer.


While you can always use the event viewer for detailed analysis of startup and shutdown times, TurnedOnTimesView serves the purpose with a very simple interface and to-the-point data. For what purpose do you monitor the startup and shutdown times of your computer? Which method do you prefer for monitoring?
