When was my server last rebooted? Who shut down my machine? Read on to see how easy it is to find out using the Windows Server Event Logs.
Reading the logs is a dry and boring task. Nobody likes reading them; however, they are often a gold mine. Using the System Event Log you can discern some useful things about your system.
When Was the Machine Last Booted Up, Shutdown, or Restarted?
Before diving into the Event Logs, this can be found out easily at the command line.
```cmd
systeminfo | find "System Boot Time"
```
A slightly more general way:
The system start can also be found in the System Event Log:
Some of the basic event IDs to filter:
- 1074 = shutdown (planned)
- 1076 = reason supplied was Other-Unplanned
- 6005 = event log started (machine boots)
- 6006 = event log service stopped (usually indicative of a reboot)
- 6008 = the previous system shutdown was unexpected (crash)
- 6009 = system started up
A fuller lookup table for mapping many Event IDs is available here: Events to Monitor
Some other potentially useful Event IDs to monitor:
- When was the machine last booted up / shutdown / rebooted? (6005,6006,6008,6009)
- Was an account locked out? (4740)
- Attempt to reset account password? (4724)
- Was a user added to a privileged group? (4728,4732,4756)
- Successful and failed user logins? (4724,4625)
Don’t Forget About PowerShell
Event logs can be easily queried using PowerShell:
```powershell
# This will spew everything in the System log out to the screen
Get-EventLog -LogName System

# Only the last month, filtered to the boot/shutdown Event IDs listed above
Get-EventLog -LogName System -After $(Get-Date).AddMonths(-1) |
    Where-Object { 6009, 6005, 6006 -contains $_.EventID }
```
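As an added example (not the post's own code), the following builds a single boot/shutdown timeline from the Event IDs listed above, using Get-WinEvent rather than Get-EventLog because Get-EventLog exists only in Windows PowerShell and not in PowerShell 7. It assumes the standard USER32 event 1074 message layout (process in property 0, user in property 6); the `Get-BootShutdownTimeline` function and its `-Days` parameter are hypothetical names chosen here.

```powershell
# Added example: timeline of boots, shutdowns and crashes from the System log.
# Assumes local (or remote, with rights) read access to the System log and the
# standard event 1074 message layout: %1 = process, %7 = requesting user.
function Get-BootShutdownTimeline {
    param(
        [int]$Days = 30,                              # hypothetical parameter: how far back to look
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Event IDs the post lists, with a short label for each
    $labels = @{
        1074 = 'Shutdown/restart requested (planned)'
        1076 = 'Reason supplied for last unexpected shutdown'
        6005 = 'Event Log service started (boot)'
        6006 = 'Event Log service stopped (clean shutdown)'
        6008 = 'Previous shutdown was unexpected (crash)'
        6009 = 'OS version logged at startup'
    }

    $filter = @{
        LogName   = 'System'
        Id        = @($labels.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # -ErrorAction SilentlyContinue suppresses the "No events were found" error
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            # Only 1074 names the user and process that asked for the shutdown;
            # the service and kernel events carry no requesting user
            $is1074 = ($_.Id -eq 1074 -and $_.Properties.Count -ge 7)
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                What    = $labels[[int]$_.Id]
                User    = if ($is1074) { $_.Properties[6].Value } else { 'n/a' }
                Process = if ($is1074) { $_.Properties[0].Value } else { 'n/a' }
            }
        }
}

Get-BootShutdownTimeline -Days 30 | Format-Table -AutoSize
```

A 6005 with no preceding 6006 and a 6008 between them is the pattern to look for when checking whether a reboot was a crash rather than a clean restart.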
Thanks for reading!
If you liked this post then you might also like my post about How to Analyze the SQL Server Error Log