Windows 7 Shutdown Tracking ?

At a site there is a user complaining that the Windows 7 machine they are using reboots periodically throughout the day (usually when they are out to lunch). Is there some way, perhaps through extended logging to the event logs or some type of Windows 7 Shutdown Event Tracker that one could track the frequency of the shutdowns as well as the cause of the shutdown ? In other words, if a GPO or Windows Update caused the shutdown have it detail that, or if there was a user-initiated interactive Shut Down from the Start Button to log and detail that as well ?  If the Event Logs and Auditing can be used for this, what specific Auditing features must be enabled and what events should be tracked in the Event Logs (assuming the System Event Log) ?  TIA
LGroup1Asked:
Who is Participating?
 
Mohammed KhawajaConnect With a Mentor Manager - Infrastructure:  Information TechnologyCommented:
Modify the script to following to get more details:

get-eventlog -logname system -message "*restart*" | fl* | out-file restart.txt
get-eventlog -logname system -message "*shutdown*" | fl* | out-file shutdown.txt
0
 
John HurstConnect With a Mentor Business Consultant (Owner)Commented:
I would first look in Windows Event Viewer at time when the restart occurs and see what errors are there.

Second, look in Action Center, Maintenance, Review Reliability History. What errors are occurring when the restart occurs.

Are there updates waiting to occur?  Check Windows Update.

So first, use the tools Windows has, see what they say and then let's go from there.
0
 
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
Run the following powershell scripts:

get-eventlog -logname system -message "*restart*" | out-file restart.txt
get-eventlog -logname system -message "*shutdown*" | out-file shutdown.txt

Analyze the content of both files to see what might be the cause.
0
2018 Annual Membership Survey

Here at Experts Exchange, we strive to give members the best experience. Help us improve the site by taking this survey today! (Bonus: Be entered to win a great tech prize for participating!)

 
Acosta Technology ServicesConnect With a Mentor Commented:
There are a couple of options for this:

To log shutdown and startup times you can watch for 6006 which is the event log shutting down.  6005 will be logged when the event log service starts back up.

Using a basic remote tool like TurnedOnTimesView can show you exact shutdown and startup times for a remote PC on your network.  This doesn't provide detailed information, but can give you quick access to the information.


This won't give you the ability to see who/what caused the shutdown, but it's the first step in getting there.
0
 
LGroup1Author Commented:
All great answers, thanks all !
0
 
Sir LearnalotCommented:
There is a registry tweak that enables Shutdown Tracking for Windows 7 (the feature in Windows Server). Would this help? If so, enable shutdown tracking by following these steps:

Using Group Editor:
Type gpedit.msc in start search and hit Enter

Click on Computer Configuration -> Administrative Templates -> System -> Double-click the  "Display Shutdown Event Tracker" policy. Select "Enabled" and pick "Always" from the drop down menu.

If you enable this setting and choose “Always” from the drop-down menu, the Shutdown Event Tracker is displayed when you shut down.

If you don't configure this setting, the default behavior for the Shutdown Event Tracker occurs; it is only displayed on the Windows Server family.

Using the Registry Editor

Type regedit in start search and hit Enter

Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability

Double click on each of the following values and change them to 1.

    ShutdownReason
    OnShutdownReasonUI

Done :) You now have a dialogue box prompting for a reason for shutdown and a log where this is all tracked every time a shutdown is commenced.
0
 
John HurstBusiness Consultant (Owner)Commented:
@LGroup1  - Thank you and I was happy to help.
0
 
Sir LearnalotCommented:
wow lol by the time i finished writing my answer you have like 5 answers above me. Hope you got it done!
0
 
LGroup1Author Commented:
Sorry I missed that one before I closed the post Sir Learnalot,
0
All Courses

From novice to tech pro — start learning today.