Windows 7 Shutdown Tracking ?

At a site there is a user complaining that the Windows 7 machine they are using reboots periodically throughout the day (usually when they are out to lunch). Is there some way, perhaps through extended logging to the event logs or some type of Windows 7 Shutdown Event Tracker that one could track the frequency of the shutdowns as well as the cause of the shutdown ? In other words, if a GPO or Windows Update caused the shutdown have it detail that, or if there was a user-initiated interactive Shut Down from the Start Button to log and detail that as well ? If the Event Logs and Auditing can be used for this, what specific Auditing features must be enabled and what events should be tracked in the Event Logs (assuming the System Event Log) ? TIA



I would first look in Windows Event Viewer at time when the restart occurs and see what errors are there.

Second, look in Action Center, Maintenance, Review Reliability History. What errors are occurring when the restart occurs.

Are there updates waiting to occur? Check Windows Update.

So first, use the tools Windows has, see what they say and then let's go from there.



I would first look in Windows Event Viewer at time when the restart occurs and see what errors are there.

Second, look in Action Center, Maintenance, Review Reliability History. What errors are occurring when the restart occurs.

Are there updates waiting to occur? Check Windows Update.

So first, use the tools Windows has, see what they say and then let's go from there.



Run the following powershell scripts:
get-eventlog -logname system -message "*restart*" | out-file restart.txt
get-eventlog -logname system -message "*shutdown*" | out-file shutdown.txt

Analyze the content of both files to see what might be the cause.



There are a couple of options for this:
To log shutdown and startup times you can watch for 6006 which is the event log shutting down. 6005 will be logged when the event log service starts back up.

Using a basic remote tool like TurnedOnTimesView can show you exact shutdown and startup times for a remote PC on your network. This doesn't provide detailed information, but can give you quick access to the information.


This won't give you the ability to see who/what caused the shutdown, but it's the first step in getting there.



Modify the script to following to get more details:
get-eventlog -logname system -message "*restart*" | fl* | out-file restart.txt
get-eventlog -logname system -message "*shutdown*" | fl* | out-file shutdown.txt



All great answers, thanks all !

Share this

Related Posts

There was an error in this gadget