A simple step by step method to identify who restarted Windows Server.
It is common to be troubleshooting an issue and notice the server was restarted or crashed and rebooted itself. Finding out the reason why can be important in certain issue investigations.
This article describes an easy method to determine who initiated a system restart and possibly gather more information from the user. For example, why was the system restarted? Or were there any changes made that caused the restart to be initiated?
The answer to these questions can help the troubleshooting process and determine a resolution to the problem.
To quickly and easily identify who restarted Windows Server follow these simple steps:
- Login to Windows Server.
- Launch the Event Viewer (type eventvwr in run).
- In the event viewer console expand Windows Logs.
- Click System and in the right pane click Filter Current Log.
- In the Filter Current Log box, type 1074 as the event ID.
Filtering on the Windows Server Event ID 1074 will only display events associated with ID 1074 – identifying that the system has been shut down by a process/user.
- We can now see the events associated with ID 1074.
The user that initiated the shutdown is listed in the General section of the event
As you can see in the last screenshot, the user that initiated the last restart is listed as e1441. By having this information, you can determine the reason for the restart and any changes that might have happened that triggered the restart.
Get more insights on troubleshooting.