How to find who restarted the Windows server or any Windows machine
If you want to know who restarted a computer using event logs, then you are at the right place. In this article we explain how to find it.
When your end users have lost their application or a transaction due to a sudden server reboot and the client wants to know the root cause of the reboot, the system administrator has to investigate. If you are working as a system admin for a large enterprise solution, you must have encountered this situation. We can track the reboot cause using Windows events.
The shutdown event tracker logs Event ID 1074, from which we can get the details of the admin or user who restarted the Windows server.
This article explains how to check the shutdown or restart Event ID 1074. Please follow the steps below.
Log in to the Windows server that was restarted and open Event Viewer. You can open it from the Run dialog: type eventvwr and press Enter.
This will bring up the Event Viewer dialog box.
Select the System log and in the action pane view, the left side window, you will find an option called Filter Current Log. Click on it to bring up the filter dialog box.
In Filter Current Log, provide the reboot ID number 1074 and click the OK button.
Once you click the OK button, all the 1074 events will be displayed. Double-click the most recent one, the topmost entry, and then scroll down or look at the bottom of the screen: in the General information screen you will find the user name and when it was rebooted.
The log text is shown below, with a modified hostname.
The process C:\Windows\System32\RuntimeBroker.exe (DESKDFD-DFDDF) has initiated the power off of computer DESKTOP-SV9FF3Q on behalf of user DESKTDESKDFD-DFDDF\Raj for the following reason: Other (Unplanned)
Reason Code: 0x0
Shutdown Type: power off
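The same lookup can be scripted instead of clicked through in Event Viewer. The PowerShell function below is an added example, not part of the original article; the function name Get-RestartInitiator, its parameters, and the field order used to read the event data are assumptions for illustration.

```powershell
# Added example: list Event ID 1074 records from the System log together with
# the user, process and reason recorded for each shutdown or restart.
function Get-RestartInitiator {
    [CmdletBinding()]
    param(
        [string]$ComputerName,   # optional remote host; omit to query the local machine
        [int]$Days = 30          # how far back to search
    )

    $query = @{
        FilterHashtable = @{
            LogName   = 'System'
            Id        = 1074
            StartTime = (Get-Date).AddDays(-$Days)
        }
        ErrorAction     = 'Stop'
    }
    if ($ComputerName) { $query.ComputerName = $ComputerName }

    try {
        $events = Get-WinEvent @query
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no results"
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        $p = $e.Properties
        # Assumed field order for 1074: 0 process, 1 computer, 2 reason,
        # 3 reason code, 4 shutdown type, 5 comment, 6 user.
        # Fall back to the raw message text if the record looks different.
        if ($p.Count -lt 7) {
            [pscustomobject]@{ TimeCreated = $e.TimeCreated; Message = $e.Message }
            continue
        }
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            Computer     = $p[1].Value
            User         = $p[6].Value
            Process      = $p[0].Value
            ShutdownType = $p[4].Value
            Reason       = $p[2].Value
            ReasonCode   = $p[3].Value
            Comment      = $p[5].Value
        }
    }
}
```

Run Get-RestartInitiator -Days 7 | Format-Table -AutoSize from an elevated PowerShell session on the server; events are returned newest first, matching the topmost entry in Event Viewer.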
Thank you for reading this article, please feel free to comment if you have any questions.
Thank you for visiting my site. For any scripts in these articles you are testing, please make sure you have tested the script in our lower environment before you run it in production.