How to find out who rebooted (turned off) the Windows server?

If your organization has several system administrators, the question “Who rebooted the server?” comes up periodically. In this article, I will show you how to identify the user who restarted or shut down a Windows computer or server.

Information about the account that issued the Windows restart command is recorded in the System event log.

  • Open the Event Viewer console (eventvwr.msc) and navigate to Windows Logs -> System;
  • Enable the event log filter by selecting Filter Current Log from the context menu;
  • Enter 1074 in the event ID field and click OK;
  • Only shutdown and restart events will remain in the list; open any of them;
  • An event from the User32 source indicates the user who initiated the Windows restart. In this example, the user is a.novak.

The process C:\Windows\Explorer.EXE (MSK-DC03) has initiated the restart of computer MSK-DC03 on behalf of user SITE\a.novak for the following reason: Other (Unplanned)
Reason Code: 0x5000000
Shutdown Type: restart
Comment:

On Windows Server, standard users (without administrator rights) cannot restart the system by default; you can allow them to do so with a GPO by granting the Shut down the system user right (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment).
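Before asking who rebooted a server, it is worth knowing who is allowed to. The following script is an added example (not from the original article) that exports the effective user rights with secedit and lists the accounts holding the Shut down the system (SeShutdownPrivilege) and Force shutdown from a remote system (SeRemoteShutdownPrivilege) rights; the scratch file path under $env:TEMP is an assumption, and the script must be run elevated.

```powershell
# Added example: list accounts granted the shutdown user rights on this host.
# Requires an elevated session (secedit /export needs administrator rights).
$inf = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch path
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$rights = 'SeShutdownPrivilege', 'SeRemoteShutdownPrivilege'

Get-Content $inf | ForEach-Object {
    # Lines of interest look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
    if ($_ -match '^(Se\w+Privilege)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
        $name  = $Matches[1]
        $value = $Matches[2]
        # Values are comma-separated SIDs prefixed with '*'; translate each to an
        # account name where possible and keep the raw SID otherwise
        $accounts = $value -split ',' | ForEach-Object {
            $id = $_.Trim().TrimStart('*')
            try {
                ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $id }
        }
        [pscustomobject]@{ Right = $name; Accounts = ($accounts -join ', ') }
    }
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

Because secedit exports the effective policy, a right granted through a domain GPO shows up here alongside the local defaults (Administrators, Backup Operators, and on domain controllers also Server Operators). Any group beyond those is the place to look when a reboot came from an unexpected account.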

Let's look at a few more examples of Windows restart/shutdown events. The user that initiated the reboot of the operating system can also be NT AUTHORITY\SYSTEM.

This means that a Windows service or program running as SYSTEM initiated the reboot. For example, it could be the Windows Update service (wuauserv) that finished installing updates and rebooted the computer according to the configured Windows Update policy, or a PSWindowsUpdate module job. In the example below the process is MoUsoCoreWorker.exe, the Update Session Orchestrator worker.

The process C:\Windows\uus\AMD64\MoUsoCoreWorker.exe (WKS-PC11S22) has initiated the restart of computer WKS-PC11S22 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service pack (Planned)
Reason Code: 0x80020010
Shutdown Type: restart
Comment:

If Windows is running inside a VMware virtual machine and you run Restart Guest or Shut Down Guest from the VMware management console, the event will look like this:

The process C:\Program Files\VMware\VMware Tools\vmtoolsd.exe (MSK-DC03) has initiated the shutdown of computer MSK-DC03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: shutdown

In this case, the Windows shutdown is also initiated by NT AUTHORITY\SYSTEM, because the VMware Tools service (vmtoolsd.exe) runs under the system account.

You can get information about reboot events using PowerShell. The following command selects all events with EventID 1074 from the System log:

Get-WinEvent -FilterHashtable @{logname='System';id=1074} | ft TimeCreated,Id,Message

The command returns the descriptions of all Windows restart and shutdown events.

The following PowerShell script returns a shorter list: the last ten events with the user names and the processes that initiated the restart/shutdown of the server.

# Get-EventLog exists in Windows PowerShell 5.1 only (it was removed from PowerShell 7)
Get-EventLog -LogName System |
    Where-Object { $_.EventId -eq 1074 } | Select-Object -First 10 |
    ForEach-Object {
        $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode
        # ReplacementStrings of a User32 1074 event, in order:
        # 0 = process, 1 = computer, 2 = reason, 3 = reason code, 4 = shutdown type, 5 = comment, 6 = user
        if ($_.ReplacementStrings[4]) {
            $rv.Date       = $_.TimeGenerated
            $rv.User       = $_.ReplacementStrings[6]
            $rv.Process    = $_.ReplacementStrings[0]
            $rv.Action     = $_.ReplacementStrings[4]
            $rv.Reason     = $_.ReplacementStrings[2]
            $rv.ReasonCode = $_.ReplacementStrings[3]
            $rv
        }
    } | Select-Object Date, Action, Reason, ReasonCode, User, Process | Format-Table

You can also use PowerShell to quickly get the name of the user who rebooted a remote computer. You can read the event log of a remote host with the Get-EventLog -ComputerName parameter, or connect to the computer via PowerShell Remoting using the Invoke-Command cmdlet:

Invoke-Command -ComputerName rds2-12 -ScriptBlock {Get-WinEvent -FilterHashtable @{logname='System';id=1074} | Select-Object TimeCreated,Id,Message -First 1}

Event 1074 only records clean (graceful) shutdowns and restarts. If Windows was rebooted abnormally (for example, after a power failure or a BSOD), look for events with EventID 6008 from the EventLog source instead; a dirty reboot is also recorded as event 41 from the Microsoft-Windows-Kernel-Power source, and a crash additionally logs event 1001 from the BugCheck source with the stop code.

The previous system shutdown at 4:34:49 AM on 1/17/2022 was unexpected.
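The one-liners above answer the question for clean restarts only, and the Get-EventLog script does not run on PowerShell 7. The following function is an added example (not from the original article) that uses Get-WinEvent to build a single reboot timeline from clean shutdowns and restarts (User32 1074), unexpected shutdowns (EventLog 6008) and dirty reboots (Kernel-Power 41), either locally or on a remote host through the -ComputerName parameter of Get-WinEvent. The function name and the host name rds2-12 in the usage lines are placeholders.

```powershell
# Added example: a reboot timeline covering both graceful and unexpected shutdowns.
function Get-RebootHistory {
    param(
        [string]$ComputerName,      # omit for the local machine
        [int]$MaxEvents = 50
    )
    $params = @{
        FilterHashtable = @{
            LogName      = 'System'
            ProviderName = 'User32', 'EventLog', 'Microsoft-Windows-Kernel-Power'
            Id           = 1074, 6008, 41
        }
        MaxEvents   = $MaxEvents
        ErrorAction = 'SilentlyContinue'   # Get-WinEvent throws when nothing matches
    }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    Get-WinEvent @params | ForEach-Object {
        $e = $_
        switch ($e.Id) {
            1074 {
                # Properties of a User32 1074 event, in order:
                # 0 process, 1 computer, 2 reason, 3 reason code, 4 shutdown type, 5 comment, 6 user
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Id      = $e.Id
                    Type    = $e.Properties[4].Value    # restart / shutdown / power off
                    User    = $e.Properties[6].Value
                    Process = $e.Properties[0].Value
                    Reason  = $e.Properties[2].Value
                }
            }
            default {
                # 6008 and 41 carry no initiating user: the previous session ended abnormally
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Id      = $e.Id
                    Type    = 'unexpected'
                    User    = $null
                    Process = $null
                    Reason  = ($e.Message -split "`r?`n")[0]
                }
            }
        }
    }
}

# Local history, then the same query against a remote server (placeholder name)
Get-RebootHistory | Format-Table -AutoSize
Get-RebootHistory -ComputerName rds2-12 -MaxEvents 10 | Format-Table -AutoSize
```

Reading a remote log with -ComputerName goes over RPC and needs the Remote Event Log Management firewall rule enabled on the target; if only WinRM is open, wrap the function body in Invoke-Command instead. A 1074 entry whose User is NT AUTHORITY\SYSTEM should be read together with its Process column, which is what distinguishes a Windows Update reboot from one triggered by VMware Tools or a scheduled task.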

And of course, you will not be able to find out who rebooted Windows if the event logs were cleared or old events were overwritten by newer ones, so it is advisable to increase the maximum size of the event logs in the domain using GPO. Note that clearing the System log itself leaves a trace: event 104 from the Microsoft-Windows-Eventlog source.
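To check in advance whether the System log can still answer the question, the following is an added example (not from the original article) that reports the log's size limit, retention mode and oldest surviving record, lists any log-cleared events (104), and shows how to raise the limit; the 256 MB value is an illustrative choice, and the GPO path in the comment is where the same setting lives centrally.

```powershell
# Added example: can the System log still tell us who rebooted, and has it been cleared?
$log    = Get-WinEvent -ListLog System
$oldest = Get-WinEvent -LogName System -Oldest -MaxEvents 1

[pscustomobject]@{
    MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
    FileSizeMB    = [math]::Round($log.FileSize / 1MB)
    RecordCount   = $log.RecordCount
    LogMode       = $log.LogMode          # Circular: oldest events are overwritten when full
    OldestRecord  = $oldest.TimeCreated   # earliest point in time you can still investigate
}

# Event 104 is written when the log is cleared; the account is in the event's UserData
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'ClearedBy'; e = {
            $x = [xml]$_.ToXml()
            $x.Event.UserData.LogFileCleared.SubjectDomainName + '\' +
            $x.Event.UserData.LogFileCleared.SubjectUserName } },
        Message

# Raise the limit to 256 MB (example value); run elevated. The same value can be pushed
# via GPO: Computer Configuration -> Administrative Templates -> Windows Components ->
# Event Log Service -> System -> Specify the maximum log file size (KB)
wevtutil sl System /ms:268435456
```

If OldestRecord is only a few days back on a busy server, the default 20 MB limit is too small to investigate a reboot reported after a weekend; forwarding the System log to a collector keeps the evidence even when the local log is cleared.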
