In this post I will show how to find the user who restarted Windows Server Core. With Server Core it’s going to be little tricky to find out who restarted it. But I will make it easy it for you.
Some organizations prefer to use Windows Server Core OS because it eliminates services and features that are not essential for the support of certain commonly used server roles. There are lot of advantages that a Windows Server core offers. Also there are lot of differences between a Server with desktop experience and Server Core.
Coming to the part where you want to find the user who restarted Windows Server core, you have to find a way to read the logs from event viewer. The Windows server core logs all the events like a normal server does but you cannot launch event viewer on server core.
There is something called as Shutdown event tracker. It allows the admins to track why a user initiated shutdown or a restart. However with Windows Server core, you don’t get the shutdown event tracker when you restart the server.
From the list of SCONFIG options, the 13 option allows Windows Server core restart. Clicking Yes restarts the Server without displaying any shutdown event tracker.
So how do you read the event viewer logs from Windows Server core ?. The answer is using PowerShell. In one of my post I covered how to find who restarted Windows Server. In that post I used the event ID 1074 to find the user who restarted windows server. We will use the same event ID 1074 to find who restarted Windows server core.
On your Server Core, by default you see a command prompt. Type the command PowerShell and with this you can now enter PowerShell commands.
We will first use a simple command to get the list of logs in Event Viewer.
Find Who Restarted Windows Server Core
To find who restarted Windows Server core, we will filter the system logs with event ID 1074 or filter the logs with Source as User32. Both should result in same output and you can choose either of them.
Run the following command to filter the System Logs with Source as User32.
Get-EventLog -LogName System | Where Source -eq User32
You may also filter the system logs with Event ID 1074 with the following command.
Get-EventLog -LogName System | Where EventID -eq 1074
Although we now see there are 4 logs that are filtered using event ID 1074 or source as User32 but they cannot be read because the message text is truncated. The Format-List Message comes to help here.
If you want to find the user who restarted the Windows Server core, here is the final command.
Get-EventLog -LogName System | Where EventID -eq 1074 | Format-List Message
Connect to Event Viewer on Windows Server Core
How about launching the event viewer and connecting it to remote computer i.e. the Windows Server core ?. Yes, that will also work and then you can filter the event logs with event ID 1074 and find the user who restarted the Server Core.
One thing that you need to keep in mind is by default the firewall on Server core is ON. So it won’t allow you to connect to the event viewer. So you must take care of that first.
To connect to Event Viewer on Windows Server Core, launch the event viewer on a member server. Right click Event Viewer (Local) and select Connect to Another computer.
On the Select Computer box, enter the Server Core computer name and click OK.
Now you have successfully connected to event viewer on server core. Select the System Logs and filter the current log with event ID 1074. Now you can find the user who restarted your Windows Server core.