Using a PowerShell script to filter Event logs on a Windows system


Issue

Certain Event IDs in the Windows Event logs are important when investigating a specific issue. The following Event IDs from the System log (logname=System) relate to system shutdown, uptime and restarts, and they can be hard to filter with Event Viewer alone.

    1. Event ID 6005: The Event log service was started.
    2. Event ID 6006: The Event log service was stopped. This event is recorded when the Windows computer shuts down correctly.
    3. Event ID 1074: The process nnn has initiated the restart of computer. Recorded when an application forces the computer to shut down or restart.
    4. Event ID 41: The system has rebooted without cleanly shutting down.
    5. Event ID 6008: The previous system shutdown at <time> on <date> was unexpected. Recorded when the computer shuts down abnormally or unexpectedly.
    6. Event ID 6009: Windows product name, version, build number, service pack number, and operating system type detected at boot time.
    7. Event ID 1076: "The reason supplied by user X for the last unexpected shutdown of this computer is: Reason Code...". Recorded when the first user with shutdown privileges logs on after an unexpected restart or shutdown and supplies a reason for the occurrence.
    8. Event ID 6013: System uptime.


Environment

Windows systems

Resolution

A) Log on to the Windows client with administrator permissions. There are three ways to run the scripts below.

    1. Run the script locally on the Windows system.
    2. Run the script on an Archived Event Log of the Windows System.
    3. Export and download the Event Log from the Windows system and run the script against the exported file. The examples below use a System Event Log and can be tailored to other Event Log types. For an "Application" Event Log (ex. MCC 7500), you may need to export it to a similar system (ex. a lab environment), because the event message resources (the provider's Event Log library) must match for the message text to be rendered correctly.



B) Using a PowerShell script to filter specific Event IDs from the Event Logs associated with normal shutdowns, unexpected shutdowns, reboots and uptime on Windows systems.

    1. Launch PowerShell as Administrator.
    2. For Current Event Logs: 
        Syntax: Get-WinEvent -FilterHashtable @{logname = 'System'; id = <Event ID>} | Format-Table -wrap
        
             Example: Event ID 41: 
             Type: Get-WinEvent -FilterHashtable @{logname = 'System'; id = 41} | Format-Table -wrap




    3. For archived or exported Event Logs, specify the path to the Event Log file in the hashtable, and add the -Oldest switch for exported Event Logs (events are then returned oldest-first).

                Syntax: Get-WinEvent -FilterHashtable @{Path="<Path>"; id = <Event ID>} | Format-Table -wrap

        Example: Event ID 6013: 
             Type: Get-WinEvent -FilterHashtable @{Path="C:\Windows\System32\config\backup\20230803_040000_System.evtx"; id = 6013} | Format-Table -wrap





C) Using a PowerShell script to filter Event IDs from the Event Viewer logs associated with shutdowns, unexpected shutdowns, reboots and uptime on a Windows system (the most recent 10000 System Event log entries)
    1. Launch PowerShell as Administrator.

    2. Using Get-WinEvent:

            Syntax:  Get-WinEvent -MaxEvents <integer> -FilterHashtable @{logname='<logname>'; id = <EventID1, EventID2,..> } | Format-Table TimeCreated,ID,Message -wrap

            Example: Event IDs= 41,1074,1076,6005,6006,6008,6009
            Type:  Get-WinEvent -MaxEvents 1000 -FilterHashtable @{logname='System'; id = 41,1074,1076,6005,6006,6008,6009} | Format-Table TimeCreated,ID,Message -wrap
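The one-liners in steps B and C can be wrapped into a single reusable function that handles the live System log and exported .evtx files alike, labels each of the Event IDs listed under Issue, and deals with two cases the one-liners do not: Get-WinEvent raising an error when no event matches, and an empty Message when the provider's message library is missing (see step A.3). This is an added example, not part of the original article; the function and parameter names are assumptions of mine, and the export path at the end is a placeholder.

```powershell
# Added example (not part of the original article): builds a shutdown/restart
# timeline from the System log, live or from an exported .evtx file. Function and
# parameter names are my own; the Event IDs are the ones listed under Issue.
function Get-ShutdownTimeline {
    [CmdletBinding()]
    param(
        [string]$Path,            # archived/exported .evtx; omit for the live System log
        [int]$MaxEvents = 1000,
        [switch]$Oldest           # oldest-first; required for .evt/.etl files
    )
    $labels = @{
        41   = 'Unclean reboot (system did not shut down cleanly)'
        1074 = 'Shutdown/restart initiated by a process'
        1076 = 'User-supplied reason for unexpected shutdown'
        6005 = 'Event Log service started (boot)'
        6006 = 'Event Log service stopped (clean shutdown)'
        6008 = 'Previous shutdown was unexpected'
        6009 = 'OS version recorded at boot'
        6013 = 'System uptime'
    }
    # Same FilterHashtable shape as in steps B and C: a log name for the live log, or a file path
    $filter = @{ Id = @($labels.Keys) }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'System' }
    $params = @{ FilterHashtable = $filter; MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
    if ($Oldest) { $params['Oldest'] = $true }
    try {
        $events = Get-WinEvent @params
    } catch {
        # Get-WinEvent raises an error when nothing matches; warn instead of failing
        Write-Warning "No matching events: $($_.Exception.Message)"
        return
    }
    foreach ($e in $events) {
        # Message is empty when the provider's message resources are missing (see A.3);
        # fall back to the raw event properties so the record is still usable.
        $text = $e.Message
        if ($text) { $text = ($text -split "`r?`n")[0] }
        else       { $text = @($e.Properties.Value) -join ' | ' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Category    = $labels[$e.Id]
            Summary     = $text
        }
    }
}
# Live System log, newest first:
Get-ShutdownTimeline -MaxEvents 200 | Format-Table -AutoSize -Wrap
# Exported log, oldest first (path is a placeholder):
# Get-ShutdownTimeline -Path 'C:\Temp\System.evtx' -Oldest | Format-Table -Wrap
```

Because the function emits objects rather than formatted text, the output can also be piped to Export-Csv or Where-Object (for example, to keep only IDs 41 and 6008 when hunting for unexpected shutdowns).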