In this post I will show you the steps to find out who restart Windows Server. If you are working for a big organization, you might have lot of Windows servers in your setup. Ensuring the servers are up and working fine is the duty of system administrators.
Sometimes things don’t go well. Suppose you get an email saying that a server has been restarted and this needs to be investigated.
You cannot ask each IT individual about who initiated the server restart. So how do you find who restarted Windows Server ?.
Yes there is a way to do that. This post will come handy if you looking to find who restarted windows server. Of course event viewer is where we look for the information.
There is something called as Shutdown event tracker. This will allow the admins to track why a user initiated shutdown or a restart.
It also gathers the reason why the users restarted or shutdown the computer. More info about it is documented here.
How to find out who restarted Windows Server
To find out who restarted windows server :-
- Login to Windows Server.
- Launch the Event Viewer (type eventvwr in run).
- In the event viewer console expand Windows Logs.
- Click System and in the right pane click Filter Current Log.
In the Filter Current log box, type 1074 as the event ID. This will filter the events and you will see events only with ID 1074.
We can now see the event with ID 1074.
Double click the recent event. In the event properties box, you can see the person who initiated the restart of server.
The process C:\Windows\System32\RuntimeBroker.exe (CORPAD) has initiated the restart of computer CORPAD on behalf of user PRAJWAL\sccmadmin for the following reason: Other (Unplanned)
Reason Code: 0x5000000
Shutdown Type: restart
Comment:
Click Close.
Thanks.
If you want to use Powershell:
Get-EventLog -LogName System -ComputerName server.fqdn | Where-Object {$_.EventID -eq 1074}
or use remote PS and ommit -ComputerName.
Thank you @Prajwal. It was very helpful
Hi Prajwal,
Need your help over the following error from event viewer:
The processing of Group Policy failed. Windows attempted to read the file \\xyz.com\sysvol\xyz.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Is it possible to reset the Group Policy to default?
Thanks,
This guide was really helpful. Thanks Prajwal Desai
How do l deal with a situation where the logs are available and points to a workstation where the remote restarting was done.no cameras,door was open and 3 people who works in the room has the password.they all deny having restarted the server.
Get-EventLog -LogName System -UserName DOMAIN\Username | Where-Object {$_.EventID -eq 1074}
WEVTUtil query-events System /count:1 /rd:true /format:text /q:”Event[System[(EventID=1074)]]”
Hi Prajwal,
I really appreciate your efforts. But I have got few more doubts. Is it possible by an application service to restart/shutdown the server on high CPU/Memory consumption? If possible what kind of event will be triggered in Application logs and System logs?
I also want to know the answer for the question asked by our friend Mr. Subramanya.
Please reply ASAP, these will help us a lot.
In my organization many people are working on configuration changes and restarts the application services in Windows server 2012R2.But when i check in the event viewer it’s just showing the “service is entered the stopped state” or “service is entered the running state” and i can’t able to find who restarted the service. Can you please suggest me how can i able to find/configure the audit policy to track the users who is stopping/Starting the services i windows server 2012 R2.
Clear, accurate information and straight to the point. Thank you, Prajwal!
Using above method will we able to find out who has rebooted the server 5 days back .. ?? Or if logs are overwritten how we will find it
If you have the event available, yes you can find who restarted the server. If the logs are overwritten then you cannot find.
Good point! 🙂
Thanks Prajwal Desai.
Very informative and straight to the point.
Thank you. Glad to hear that.
Thanks a lot!
Thank you, Prajwal. It is kind of you to provide this valuable information.
Nice! Thank you.
Hi, I did not get the User who restarted the Application server. For validation purpose, I tried to restart my laptop, but there user is shown : SYSTEM, although it should actual user name who restarted the server. Is there any configuration that needs to be done that can help get the actual user who restarted the Application server.
The event ID 1074 should show the user who restarted the server.
This article helped me today.. Thank you! .. coming from a fairly new Sys Admin of Windows VMs/Servers but with 20+ years of IT experience, I never needed this before… and my initial searches were only giving me the event ID showing when a server rebooted, not by whom.
For core servers
Excellent post. Thank you Prajwal
Hi Prajwal,
In my organization many people are working on configuration changes and restarts the application services in Windows server 2012R2.But when i check in the event viewer it’s just showing the “service is entered the stopped state” or “service is entered the running state” and i can’t able to find who restarted the service.Can you please suggest me how can i able to find/configure the audit policy to track the users who is stopping/Starting the services i windows server 2012 R2.