How to know Windows did not shutdown normally

Is there something that can tell me Windows did not shutdown normally? Like when someone has unplugged the power or pressed the hardware power button?


Yes, an abnormal shutdown is recorded in the System event log during the next system boot. It will be logged with event ID 6008 from the source Eventlog. Here's a sample event entry:

Source: Event Log 
Type: Error
Description: 
The previous system shutdown at Time on
Date was unexpected.

Time and Date will be replaced with the time of the unexpected shutdown.

If the shutdown was caused by a Bugcheck (i.e. Blue screen error) a corresponding event ID 1001 will be logged from the source Bugcheck. It will contain the Stop code and some minimal additional troubleshooting data. Here's what the text of that event looks like:

The computer has rebooted from a bugcheck. The bugcheck was: 0x00000124 (0x0000000000000000, 0xfffffa8004b19038, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\Minidump\112809-21309-01.dmp. Report Id: 112809-21309-01.

Source

You can look up the Bugcheck/Stop code (0x124 in the above example) on MSDN where you'll find information about each code and how to interpret the four additional parameters included with the error information.


A shutdown is considered abnormal if the application receives an immediate shut down signal from the operating system and does not get a chance to complete shutdown processing.

An alternative good way to get a good glimpse of what happened after an abnormal shutdown is using Nirsoft's TurnedOnTimesView.

TurnedOnTimesView is a simple tool that analyses the event log of Windows operating system, and detects the time ranges that your computer was turned on.

For every period of time that the computer was turned on, the following information is displayed: Startup Time, Shutdown Time, Duration, Shutdown Reason, Shutdown Type, Shutdown Process, and Shutdown Code. TurnedOnTimesView allows you to get this information from your local computer, and from remote computer on your network if you have enough privilege to read the event log of Windows remotely.

enter image description here

Credits: NirSoft®


You could also use Windows Performance Analyzer and Recorder tool (from Windows SDK)

After finished installation, run Windows Performance Recorder shortcut from the start menu.

Set the options according to the screenshot below and click the Start button.

  • Performance scenario: Shutdown
  • Detail level: Verbose
  • Logging mode: File
  • Number of iterations: 1

enter image description here

When Windows is restarted, Windows Performance Recorder will automatically start gathering system shutdown trace information. Once it is done, click the Open in WPA button.

Read More: How To Troubleshoot Windows Startup, LogOff, Login and Shutdown Problems