View Shutdown Event Tracker logs under Windows Server 2008 R2

I'm trying to view the Shutdown Event Tracker logs in the Event Viewer, on windows server 2008 r8, but I can't find the messages that I supplied when previously restart the server.

Where in the Event Viewer can I see these logs?


Solution 1:

Open event viewer. Expand windows logs. Click system, then either find or filter for event ID 1074. And you will see all your shut down logs.

Solution 2:

I know this is a very old question. But this might help someone who is looking for the same solution. you can use a single line in powershell (which is available in all OS later than win 2003) to find out the reboot history. Just open powershell.exe from run prompt and enter the below command.

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap

Solution 3:

If you or others are just trying to find the most recent boot time, the easiest way I've found is to run this in cmd:

systeminfo | find "System Boot Time"

From powercram.com

Solution 4:

Another useful approach I've found, since we frequently monitor our ISP hosted servers for outages, is to create a custom event view as follows:

Open Event Viewer then

  • Right click Custom Views
  • Click Create Custom View
  • Under the Filter tab
    • Keep Logged as Any time
    • Select all the Event level types (Critical, Warning, etc.)
    • Choose by source = Windows Logs > System
    • For Event ID under the Includes/Excludes Event IDs section enter 1074 for the Event ID
  • Click Ok
  • Enter a name like Shutdown Events and any description then
  • Click Ok again to complete the custom event log.

Your new custom view should show up in the list of custom views with the correct filter applied.

Solution 5:

Slightly cleaner Powershell one-liner that I use to filter out shutdown related EventIDs:

Get-EventLog system |?{$_.EventID -in 6008,41,1074,1001}| ft -w

To restrict that to just the most useful properties:

Get-EventLog system | ?{6008,41,1074,1076,1001 -eq $_.EventID}| select EventID, TimeGenerated, Message| ft -w

Alternatively, to search by message text:

Get-EventLog system -m "*Shutdown*" | select EventID, TimeGenerated, Message| ft -w