How to Find Who Restarted/Shutdown Windows Server

Photo of author
Jatin Makhija
0

In this blog post, we’ll explore how to determine who restarted or shut down a Windows server. When a server is unexpectedly restarted during production hours and a P1 ticket is raised, it’s crucial to identify the reason behind the restart.

The cause could be an automatic restart triggered by a Windows update, a software component update, or a manual restart by an IT administrator. We can uncover these details by using Event Viewer. Let’s dive in and identify the root cause.

Steps

Below are the steps to identify the user account or service that may have triggered the restart of a Windows server. First, login on the server and follow below steps:

  • Press Windows + R keys to open the Run dialog box.
  • Type eventvwr and press Enter to open Event viewer console.
  • Expand Windows logs > System and right-click on it > Select Filter Current log
Filter Event viewer log
Filter Event viewer log
  • Type 1074 in the Event ID filter and press OK.
Filter using Event ID 1074
Filter using Event ID 1074
  • You will find the list of all Events w.r.t. server restart. Go through each Event and check its details to find out which process and user account triggered server restart.

Below screenshot shows the process SystemSettingsAdminFlows.exe initiated power off on behalf of user Techpress\tpadmin1.

Go through events to find root cause of Server restart
Go through events to find root cause of Server restart

Event ID Details

The process C:\Windows\system32\SystemSettingsAdminFlows.exe (TECHPRESSSVR221) has initiated the power off of computer TECHPRESSSVR221 on behalf of user TechPress\tpadmin1 for the following reason: Other (Unplanned)
 Reason Code: 0x5000000
 Shutdown Type: power off
 Comment:

Use Powershell to find Who Restarted the Server

You can also check Windows Events using Powershell cmdlet. The cmdlet we will use is Get-WinEvent and Get-EventLog.

Get-WinEvent

Get-WinEvent -FilterHashtable @{logname="System";id=1074} | Select TimeCreated,Id,Message | ft -Wrap
Get-WinEvent
Get-WinEvent

Check Last 5 Events for Server restart with Information about the Date, Reason, Process and User details.

Get-EventLog -LogName System |
Where-Object { $_.EventId -eq 1074 } |
Select-Object -First 5 |
ForEach-Object {
    if ($_.ReplacementStrings[4]) {
        [pscustomobject]@{
            EventDate    = $_.TimeGenerated
            InitiatingUser = $_.ReplacementStrings[6]
            RelatedProcess = $_.ReplacementStrings[0]
            ActionTaken    = $_.ReplacementStrings[4]
            ShutdownReason = $_.ReplacementStrings[2]
        }
    }
} | Select-Object EventDate, ActionTaken, ShutdownReason, InitiatingUser, RelatedProcess | Format-Table
Get-EventLog
Get-EventLog

Event ID 6008

If you do not find relevant event logs using Event ID 1074, please check for Event ID 6008 as well. This Event ID is generated when an unexpected shutdown of the server occurs.

Event ID 6008

Read Next

Discover more from TechPress

Subscribe to get the latest posts sent to your email.

Leave a Comment

Detailed Step-by-Step guides for Setup/Troubleshooting/Configuration solutions on Intune, Microsoft 365, Powershell, Windows, Azure, and other Cloud technologies.

About the author
Contact Us
Privacy Policies
Comment Policies
Cookie Policies

Let's Connect!

Discover more from TechPress

Subscribe now to keep reading and get access to the full archive.

Continue reading