
October 12, 2022 | PowerShell, Windows 10, Windows Server 2019

How to Check Who Restarted (Shutdown) Windows Server?

If your company has several system administrators, sometimes you may want to know who rebooted the server. In this article, I will show you how to identify the user who restarted or shut down a computer or server running Windows by using the event logs.

Information about the user account that sent the restart command is stored in Windows Event Log.

  1. Open the Event Viewer console (eventvwr.msc) and go to Windows Logs -> System;
  2. Use the Event Log filter by clicking Filter Current Log in the context menu;
  3. In the filter box, enter the EventID 1074 and click OK;
  4. Only shutdown (reboot) events will be left in the log list. Open the last event;
  5. The event with User32 as a source shows the user who initiated a Windows restart. In this example, it is the user novak:
The process C:\Windows\Explorer.EXE has initiated the restart of computer MUN-DC03 on behalf of user WOSHUB\novak for the following reason: Other (Unplanned)
Reason Code: 0x5000000
Shutdown Type: restart
Comment:
Using GPO, you may allow non-admin users to restart Windows Server.

Let’s look at more examples of Windows restart/shutdown events. You may see NT AUTHORITY\SYSTEM as a user who restarted an operating system.

This means that the restart was initiated by a Windows service or program running as SYSTEM. For example, it may be the wuauserv service process that completed updating Windows and restarted the computer according to the configured Windows Update GPO settings, or a scheduled task of the PSWindowsUpdate module.

The process C:\Windows\uus\AMD64\MoUsoCoreWorker.exe has initiated the restart of computer MUN-DC03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service pack (Planned)
Reason Code: 0x80020010
Shutdown Type: restart
Comment:

If your Windows guest is running in a VMware virtual machine and you run Restart Guest in the VMware management console, the shutdown event looks as follows:

The process C:\Program Files\VMware\VMware Tools\vmtoolsd.exe has initiated the shutdown of computer MUN-DC03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: shutdown

In this case, Windows shutdown is also initiated by NT AUTHORITY\SYSTEM, since VMware Tools integration services are run on behalf of the System.

You can get information about restart events using PowerShell. The following command displays all events with the EventID 1074:

Get-WinEvent -FilterHashtable @{logname='System';id=1074} | ft TimeCreated,Id,Message

The command returned the descriptions of all Windows restart and shutdown events.


You can use the following PowerShell script, which returns a list of the last ten events with the names of the users or processes that initiated the server restart/shutdown.

Get-EventLog -LogName System |
    Where-Object { $_.EventId -eq 1074 } |
    Select-Object -First 10 |
    ForEach-Object {
        # Event 1074 ReplacementStrings: 0 = process, 1 = computer, 2 = reason,
        # 3 = reason code, 4 = shutdown type, 5 = comment, 6 = user
        $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode
        if ($_.ReplacementStrings[4]) {
            $rv.Date       = $_.TimeGenerated
            $rv.User       = $_.ReplacementStrings[6]
            $rv.Process    = $_.ReplacementStrings[0]
            $rv.Action     = $_.ReplacementStrings[4]
            $rv.Reason     = $_.ReplacementStrings[2]
            $rv.ReasonCode = $_.ReplacementStrings[3]
            $rv
        }
    } |
    Select-Object Date, Action, Reason, ReasonCode, User, Process |
    Format-Table


You can also use PowerShell to get the name of the user who restarted a remote computer. You can access the Event Log on a remote host using the Get-EventLog -ComputerName command, or connect to the computer using the Invoke-Command cmdlet and PSRemoting:

Invoke-Command -ComputerName mun-dc03 -ScriptBlock {Get-WinEvent -FilterHashtable @{logname='System';id=1074} | Select-Object TimeCreated,Id,Message -First 1}


Event ID 1074 records only clean (graceful) server reboots and shutdowns. If Windows was restarted because of an emergency (for example, a power failure or a BSOD), you have to search for EventID 6008 instead:

The previous system shutdown at 3:24:29 AM on 9/17/2022 was unexpected.


Of course, you won't be able to find out who restarted Windows if the event logs have been cleared or if the older events have already been overwritten by more recent ones (it is recommended to increase the maximum size of the event logs using GPO in the domain).
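As an added example (not the article's own script), the following function combines the 1074 and 6008 queries above into a single report, labels SYSTEM-initiated reboots by the process that requested them (using the process names seen in the events on this page), and runs against a remote host through -ComputerName. The process-to-origin mapping is an assumption for illustration; the mun-dc03 name comes from the examples above.

```powershell
# Added example: report graceful (1074) and unexpected (6008) shutdowns with the initiator.
# Assumes PowerShell 5.1+ and read access to the System log (locally or via WinRM).
function Get-ShutdownHistory {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 20
    )
    # Query both IDs at once; Get-WinEvent also works on PowerShell 7, where Get-EventLog is gone.
    $filter = @{ LogName = 'System'; Id = 1074, 6008 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents

    foreach ($e in $events) {
        # Properties of event 1074 follow the ReplacementStrings order used in the article:
        # 0 = process, 2 = reason, 3 = reason code, 4 = shutdown type, 6 = user
        $p = $e.Properties
        if ($e.Id -eq 1074) {
            $process = $p[0].Value
            # Classify SYSTEM-initiated reboots by the requesting process (assumed mapping),
            # so an update-driven restart is not mistaken for an administrator's action.
            $origin = switch -Wildcard ($process) {
                '*MoUsoCoreWorker.exe' { 'Windows Update'; break }
                '*vmtoolsd.exe'        { 'VMware Tools (Restart/Shut Down Guest from the hypervisor)'; break }
                '*Explorer.EXE'        { 'Interactive user (Start menu / shutdown dialog)'; break }
                '*shutdown.exe'        { 'shutdown.exe (command line, possibly remote)'; break }
                default                { 'Other process' }
            }
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Computer   = $e.MachineName
                Type       = $p[4].Value      # restart / shutdown / power off
                User       = $p[6].Value
                Process    = $process
                Origin     = $origin
                Reason     = $p[2].Value
                ReasonCode = $p[3].Value
            }
        }
        else {
            # 6008 names no initiator: it only records that the previous shutdown was unexpected.
            [pscustomobject]@{
                Time = $e.TimeCreated; Computer = $e.MachineName; Type = 'unexpected'
                User = $null; Process = $null; Origin = 'Unexpected shutdown (power loss / crash)'
                Reason = $e.Message; ReasonCode = $null
            }
        }
    }
}

Get-ShutdownHistory -ComputerName 'mun-dc03' | Format-Table Time, Type, User, Origin -AutoSize
```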
