Here is what every Windows Admin will have to learn sooner or later., how do we know when the server got rebooted ? Who rebooted it ? was that a clean shutdown or an unexpected one ?

So, how do we tell this ? Just follow the ever friendly Event Viewer.

There are 5 Event IDs that you have to dig through to understand each type:

1. 6005: Windows Event Log start-up
   • This event will be simply logged at the time of Windows Event Log Service is started and can come handy helpful to estimate when the server got started after the last shutdown/reboot.
   • It Simply states “The Event log service was started”
2. 6006: Windows shutdown (Clean Shutdown)
   • You see this message when the Server undergoes a clean reboot, when some one / something actually restarts the server gracefully.
   • It simply states “The Event log service was stopped”.
3. 6008: Windows shutdown (Unexpected Shutdown)
   • You see this message when the Server undergoes a forced or unexpected reboot.
   • It simply states “The previous system shutdown at time on date was unexpected”.
4. 1074: Type of shutdown:When a clean Shutdown/Restart happens, you can go through this event log to find more details on the event like, Who did it, When it has happened, Comments, so on.
5. 1076: This event refers to the failure indicated by the previous EventLog 6008 event. The User32 1076 event is written when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence. An unexpected restart or shutdown is one that the system cannot anticipate, such as when the user pushes the computer’s reset button or unplugs the power cord.

In addition to this, if you are interested on learning more on Shutdown Event Tracker Tools and Settings, visit this link from Microsoft.