Using Event Logs to Extract Startup and Shutdown Times
Windows Event Viewer is a wonderful tool which saves all kinds of stuff that is happening in the computer. During each event, the event viewer logs an entry. The event viewer is handled by the eventlog service that cannot be stopped or disabled manually, as it is a Windows core service. The event viewer also logs the startup and shutdown history of the eventlog service. You can make use of those times to get an idea of when your computer was started or shut down. The eventlog service events are logged with two event codes. The event ID 6005 indicates that the eventlog service was started, and the event ID 6009 indicates that the eventlog services were stopped. Let’s go through the complete process of extracting this information from the event viewer.
- Open Event Viewer (press Win + R and type eventvwr).
- In the left pane, open “Windows Logs -> System.”
- In the middle pane, you will get a list of events that occurred while Windows was running. Our concern is to see only three events. Let’s first sort the event log with Event ID. Click on the Event ID label to sort the data with respect to the Event ID column.
- If your event log is huge, then the sorting will not work. You can also create a filter from the actions pane on the right side. Just click on “Filter current log.”
- Type 6005, 6006 in the Event IDs field labeled as
. You can also specify the time period under Logged.
Event ID 6005 will be labeled as “The event log service was started.” This is synonymous with system startup.Event ID 6006 will be labeled as “The event log service was stopped.” This is synonymous with system shutdown.
If you want to investigate the Event log further, you can go through the Event ID 6013, which will display the uptime of the computer, and Event ID 6009 indicates the processor information detected during boot time. Event ID 6008 will let you know that the system started after it was not shut down properly. You can also set up custom Event Viewer views to just view this information in the future. This saves you time, and you can set up custom views for the specific events you want to see. You can set up multiple Event Viewer views based on your needs, not just the startup and shutdown history.
Using TurnedOnTimesView
TurnedOnTimesView is a simple, portable tool for analyzing the event log for startup and shutdown history. The utility can be used to view the list of shutdown and startup times of local computers or any remote computer connected to the network. Since it is a portable tool, you will only need to unzip and execute the TurnedOnTimesView.exe file. It will immediately list the startup time, shutdown time, duration of uptime between each startup and shutdown, shutdown reason, and shutdown code. Shutdown reason is usually associated with Windows Server machines where we have to give a reason if we are shutting down the server. To view the startup and shutdown times of a remote computer, go to “Options -> Advanced Options” and select “Data source as Remote Computer.” Specify the IP address or name of the computer in the Computer Name field and Press the OK button. Now the list will show the details of the remote computer. While you can always use the event viewer for detailed analysis of startup and shutdown times, TurnedOnTimesView serves the purpose with a very simple interface and to-the-point data. For what purpose do you monitor the startup and shutdown times of your computer? Which method do you prefer for monitoring? Suspicious that someone else is logging on to your computer? See how to find who’s been using your computer when you’re away. The above methods can also help give you a clue that someone might be using your PC without your permission.