In this blog post, we’ll explore how to find out who restarted or shut down a Windows server. When a server is unexpectedly restarted during production hours and a P1 ticket is raised, it’s important to identify the reason behind the restart.
The cause could be an automatic restart triggered by a Windows update, a software component update, or a manual restart by an IT administrator. We can uncover these details by using Event Viewer. Let’s dive in and identify the root cause.
Steps
Below are the steps to identify the user account or service that may have triggered the restart of a Windows server. First, login to the server and follow below steps:
- Press Windows + R keys to open the Run dialog box.
- Type
eventvwrand press Enter to open Event viewer console. - Expand Windows logs > System and right-click on it > Select Filter Current log…
- Type 1074 in the Event ID filter and press OK.
- You will find the list of all Events w.r.t. server restart. Go through each Event and check its details to find out which process and user account triggered the server restart.
Below screenshot shows the process SystemSettingsAdminFlows.exe initiated power off on behalf of user Techpress\tpadmin1.
Event ID Details
The process C:\Windows\system32\SystemSettingsAdminFlows.exe (TECHPRESSSVR221) has initiated the power off of computer TECHPRESSSVR221 on behalf of user TechPress\tpadmin1 for the following reason: Other (Unplanned)
Reason Code: 0x5000000
Shutdown Type: power off
Comment:
Use PowerShell to find Who Restarted the Server
You can also check Windows Events using PowerShell cmdlet. The cmdlet we will use is Get-WinEvent and Get-EventLog.
Get-WinEvent
Get-WinEvent -FilterHashtable @{logname="System";id=1074} | Select TimeCreated,Id,Message | ft -Wrap
Check Last 5 Events for Server restart with Information about the Date, Reason, Process, and User details.
Get-EventLog -LogName System |
Where-Object { $_.EventId -eq 1074 } |
Select-Object -First 5 |
ForEach-Object {
if ($_.ReplacementStrings[4]) {
[pscustomobject]@{
EventDate = $_.TimeGenerated
InitiatingUser = $_.ReplacementStrings[6]
RelatedProcess = $_.ReplacementStrings[0]
ActionTaken = $_.ReplacementStrings[4]
ShutdownReason = $_.ReplacementStrings[2]
}
}
} | Select-Object EventDate, ActionTaken, ShutdownReason, InitiatingUser, RelatedProcess | Format-Table
Event ID 6008
If you do not find relevant event logs using Event ID 1074, please check for Event ID 6008 as well. This Event ID is generated when an unexpected shutdown of the server occurs.
