Windows OS Hub

June 8, 2023

How to Check Who Restarted (Shutdown) Windows Server

If your company has several system administrators, you may sometimes want to know who rebooted a server. In this article, I will show you how to use the event logs to identify the user who restarted or shut down a computer/server running Windows.

Information about the user account that sent the restart command is stored in the Windows Event Log.

  1. Open the Event Viewer console (eventvwr.msc) and go to Windows Logs -> System;
  2. Use the Event Log filter by clicking Filter Current Log in the context menu;
  3. In the filter box, enter the EventID 1074 and click OK;
  4. Only shutdown (reboot) events will be left in the log list. Open the last event;
  5. The event with User32 as a source shows a user who initiated a Windows restart. In this example, it is user novak:

The process C:\Windows\Explorer.EXE has initiated the restart of computer MUN-DC03 on behalf of user WOSHUB\novak for the following reason: Other (Unplanned)
Reason Code: 0x5000000
Shutdown Type: restart
Comment:

Using GPO, you may allow non-admin users to restart Windows Server.

Let’s look at more examples of Windows restart/shutdown events. You may see NT AUTHORITY\SYSTEM as the user who restarted the operating system.

This means that the restart was initiated by a Windows service or a program running as SYSTEM. For example, it may be a wuauserv service process that finished updating Windows and restarted the computer according to the configured Windows Update GPO settings, or a task of the PSWindowsUpdate module.

The process C:\Windows\uus\AMD64\MoUsoCoreWorker.exe has initiated the restart of computer MUN-DC03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service pack (Planned)
Reason Code: 0x80020010
Shutdown Type: restart
Comment:

If your Windows guest is running in a VMware virtual machine and you run Restart Guest in the VMware management console, the shutdown event looks as follows:

The process C:\Program Files\VMware\VMware Tools\vmtoolsd.exe has initiated the shutdown of computer MUN-DC03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: shutdown

In this case, the Windows shutdown is also initiated by NT AUTHORITY\SYSTEM, since the VMware Tools integration services run under the SYSTEM account.

You can get information about restart events using PowerShell. The following command displays all events with the EventID 1074:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074} | Format-Table TimeCreated,Id,Message

The command returned the descriptions of all Windows restart and shutdown events.

You can use the following PowerShell script, which returns a list of the last ten events with the names of the users or processes that initiated a server restart/shutdown.

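# Get-EventLog exists only in Windows PowerShell 5.1 and earlier, not in PowerShell 7
Get-EventLog -LogName System |
    Where-Object { $_.EventID -eq 1074 } |
    Select-Object -First 10 |
    ForEach-Object {
        $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode
        # ReplacementStrings: 0 = process, 2 = reason, 3 = reason code, 4 = shutdown type, 6 = user
        if ($_.ReplacementStrings[4]) {
            $rv.Date = $_.TimeGenerated
            $rv.User = $_.ReplacementStrings[6]
            $rv.Process = $_.ReplacementStrings[0]
            $rv.Action = $_.ReplacementStrings[4]
            $rv.Reason = $_.ReplacementStrings[2]
            $rv.ReasonCode = $_.ReplacementStrings[3]
            $rv
        }
    } | Select-Object Date, Action, Reason, ReasonCode, User, Process | Format-Table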

You can also use PowerShell to get the name of the user who restarted a remote computer. You can read the Event Log on a remote host with the Get-EventLog -ComputerName command, or connect to the computer using the Invoke-Command cmdlet and PSRemoting:

Invoke-Command -ComputerName mun-dc03 -ScriptBlock {Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074} | Select-Object TimeCreated,Id,Message -First 1}

Event ID 1074 records only clean (properly initiated) restarts and shutdowns. If Windows restarted because of a failure (for example, a power outage or a BSOD), you have to search for EventID 6008 instead.

The previous system shutdown at 3:24:29 AM on ‎9/‎17/‎2022 was unexpected.

Of course, you won’t be able to find out who restarted Windows if the event logs have been cleared or if older events have been overwritten by newer ones (it is recommended to increase the maximum size of the event logs using GPO in the domain).
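The clean (1074) and unexpected (6008) shutdown events can be merged into a single timeline, together with a check for the log having been cleared. The script below is an added example, not code from the original article: the function name Get-RestartTimeline and its -ComputerName and -Days parameters are hypothetical, and Event ID 104 (the System log was cleared) is an ID the article does not mention.

```powershell
# Added example (not from the original article): one timeline of clean shutdowns
# (1074), unexpected shutdowns (6008) and System log clears (104).
# Get-RestartTimeline, -ComputerName and -Days are hypothetical names.
function Get-RestartTimeline {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $filter = @{
        LogName   = 'System'
        Id        = 1074, 6008, 104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent writes an error when no event matches, so silence it
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $row = [ordered]@{
            Time = $e.TimeCreated; EventId = $e.Id; Kind = $null
            User = $null; Process = $null; Planned = $null; Detail = $null
        }
        if ($e.Id -eq 1074) {
            # Same field order as ReplacementStrings in the article's Get-EventLog script:
            # 0 = process, 2 = reason, 3 = reason code, 4 = shutdown type, 6 = user
            $p = $e.Properties
            $code = [Convert]::ToUInt32([string]$p[3].Value, 16)
            $row.Kind    = [string]$p[4].Value
            $row.User    = [string]$p[6].Value
            $row.Process = [string]$p[0].Value
            # Top bit of the reason code (0x80000000) is the "planned" flag
            $row.Planned = [bool]($code -band 2147483648)
            $row.Detail  = '{0} (0x{1:X8})' -f $p[2].Value, $code
        }
        elseif ($e.Id -eq 6008) {
            $row.Kind   = 'unexpected shutdown'
            $row.Detail = $e.Message
        }
        elseif ($e.ProviderName -eq 'Microsoft-Windows-Eventlog') {
            # Event ID 104: the System log was cleared, so older restarts are gone
            $row.Kind   = 'log cleared'
            $row.Detail = $e.Message
        }
        else { continue }   # ID 104 written by an unrelated provider
        [pscustomobject]$row
    }
}

Get-RestartTimeline -Days 90 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A 6008 row with no 1074 row shortly before it points to a crash or power loss rather than an operator action, and a "log cleared" row marks the point before which the restart history is no longer available.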
