• Status: Solved

Windows Event Viewer ID Numbers for Shutdown and Restart

Hi guys!

Would love your help.

I've been accused of shutting down a Windows 2003 Server instead of pressing the Restart button.
I'm wondering if any of you gurus out there can quickly tell me what the event IDs are for Restart and which for Shutdown so "hopefully" I can clear my name?

Thanks guys.

Any help in providing some evidence that I restarted instead of shut down would be greatly appreciated.

Simon
0
Simon336697
Asked:
 
Jay_Jay70 Commented:
Hi Simon336697,

Do you not use the shutdown event tracker?
0
 
Simon336697 (Author) Commented:
My apologies... it is a Windows 2000 Server.

Simon
0
 
Jay_Jay70 Commented:
Ahhh, I see, I see. There are no event IDs that I am aware of; it is simply "the service started successfully". Compare that to the time you shut down/restarted, I guess.
0

 
Pete Long (Consultant) Commented:
Correct. In 2003 and XP you have systeminfo, which would tell you straight away; on Server 2000 you have a couple of other options to find out how long a server has been "Up".


1. Install http://www.lencom.com/desc/indexN15496.html and click the Environmental button.
2. In the Windows Resource Kit there's a small tool called uptime (in the NT Resource Kit it's called uptimei).
3. From the command line, issue the following commands:

   i. net statistics workstation | more
   ii. net statistics server | more

4. Click Start > Run > perfmon {enter}. Click the + button on the toolbar; under "Performance Object" scroll down to "system". Then under the "Select Counters from list" option select "System Uptime"; look at the bottom of the graph and it will be shown in the duration box.

Also see

PSInfo http://www.sysinternals.com/ntw2k/freeware/psinfo.shtml



NOTE: System shutdowns and restarts WOULD be entered into the event log if it was set to audit system events and use of privilege - but this is disabled by default.
0
 
Simon336697 (Author) Commented:
Guys thanks for all your help.

So basically what you are saying is that there is no way to tell whether it was shut down or restarted in its current configuration?

0
 
Jay_Jay70 Commented:
Pretty much, mate.
0
 
Pete Long (Consultant) Commented:
The commands above will tell you how long it has been up but not who shut it down :(
0
 
SkUllbloCk Commented:
Hi Simon

Yes, unfortunately this is true.
As Jay suggested, you can try going through the event logs, noting the time of other activities from the time you would have restarted the system.
If there is a large "time gap" between the time stamps, then this might mean that the system was shut down. A way you can check this is to compare what time the system was "so called" turned back on.
If you are receiving timestamps from between when you restarted the system and the time the system was rebooted, then the chances are there was another cause for the system shutting down again: power failure, cords unplugged, another shutdown command.

I hope this helps.
0
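
The time-gap comparison suggested in the answers above, as an added example that is not part of the original thread: it reads a constructed CSV export of the System log and measures the gap before each boot. It assumes the EventLog source's IDs 6006 (event log service stopped) and 6005 (event log service started), which the thread does not cite, and a 15-minute threshold chosen for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: System log exported as CSV (timestamp, source, event ID).
SAMPLE_EXPORT = """\
2006-03-14 17:58:02,Service Control Manager,7036
2006-03-14 18:01:40,EventLog,6006
2006-03-14 18:04:15,EventLog,6005
2006-03-15 02:10:33,Service Control Manager,7036
2006-03-15 08:47:09,EventLog,6005
2006-03-16 19:00:00,EventLog,6006
2006-03-17 07:30:00,EventLog,6005
"""

LOG_STOPPED, LOG_STARTED = 6006, 6005   # EventLog service stopped / started
RESTART_LIMIT = timedelta(minutes=15)   # assumption: tune to the server's boot time

def parse(export_text):
    """Return (timestamp, source, event_id) tuples in chronological order."""
    rows = []
    for row in csv.reader(io.StringIO(export_text)):
        if not row:
            continue
        ts, source, event_id = row
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, int(event_id)))
    return sorted(rows, key=lambda r: r[0])

def downtime_windows(rows):
    """For each boot, return (boot_time, gap_since_previous_event, verdict)."""
    windows = []
    for prev, cur in zip(rows, rows[1:]):
        if cur[1:] != ("EventLog", LOG_STARTED):
            continue
        gap = cur[0] - prev[0]
        if prev[1:] != ("EventLog", LOG_STOPPED):
            verdict = "unclean stop"      # no clean stop logged: power loss, crash
        elif gap <= RESTART_LIMIT:
            verdict = "restart-like"      # came straight back up
        else:
            verdict = "shutdown-like"     # stayed off until someone powered it on
        windows.append((cur[0], gap, verdict))
    return windows

if __name__ == "__main__":
    for boot, gap, verdict in downtime_windows(parse(SAMPLE_EXPORT)):
        print(boot, gap, verdict)
```

A short gap after a clean stop is consistent with a restart, but the log alone does not identify who initiated it.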
 
Simon336697 (Author) Commented:
Thanks everyone for your help!!!

Simon
0
 
Pete Long (Consultant) Commented:
ThanQ
0
 
Jay_Jay70 Commented:
:)
0
