Windows 7 Shutdown Tracking?

At a site there is a user complaining that the Windows 7 machine they are using reboots periodically throughout the day (usually when they are out to lunch). Is there some way, perhaps through extended logging to the event logs or some type of Windows 7 Shutdown Event Tracker, that one could track the frequency of the shutdowns as well as the cause of the shutdown? In other words, if a GPO or Windows Update caused the shutdown have it detail that, or if there was a user-initiated interactive Shut Down from the Start Button to log and detail that as well? If the Event Logs and Auditing can be used for this, what specific Auditing features must be enabled and what events should be tracked in the Event Logs (assuming the System Event Log)? TIA
LGroup1 Asked:

John, Business Consultant (Owner), Commented:
I would first look in Windows Event Viewer at the time when the restart occurs and see what errors are there.

Second, look in Action Center, Maintenance, Review Reliability History. What errors are occurring when the restart occurs?

Are there updates waiting to occur?  Check Windows Update.

So first, use the tools Windows has, see what they say and then let's go from there.
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
Run the following PowerShell scripts:

    Get-EventLog -LogName System -Message "*restart*" | Out-File restart.txt
    Get-EventLog -LogName System -Message "*shutdown*" | Out-File shutdown.txt

Analyze the content of both files to see what might be the cause.
Aaron Commented:
There are a couple of options for this:

To log shutdown and startup times you can watch for 6006 which is the event log shutting down.  6005 will be logged when the event log service starts back up.

Using a basic remote tool like TurnedOnTimesView can show you exact shutdown and startup times for a remote PC on your network.  This doesn't provide detailed information, but can give you quick access to the information.


This won't give you the ability to see who/what caused the shutdown, but it's the first step in getting there.
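
An added example, not part of Aaron's answer or any other post in this thread: a PowerShell query that puts the 6005/6006 events mentioned above on one timeline with event 1074 (a requested shutdown or restart, which records the process, user and reason) and with 6008 and Kernel-Power 41 (unclean shutdown). The 14-day window, the variable names and the field positions read from event 1074 are assumptions of this example.

```powershell
# Added example (not from the thread): timeline of shutdown/restart events.
# 6005/6006 come from the answer above; 1074, 6008 and Kernel-Power 41 are
# the other System-log events that record why or how the machine went down.
$since  = (Get-Date).AddDays(-14)          # assumed look-back window
[int[]]$ids = 1074, 6005, 6006, 6008, 41
$labels = @{
    1074 = 'Shutdown/restart requested'
    6005 = 'Event Log service started (boot)'
    6006 = 'Event Log service stopped (clean shutdown)'
    6008 = 'Previous shutdown was unexpected'
    41   = 'Rebooted without a clean shutdown'
}
$filter = @{ LogName = 'System'; Id = $ids; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in ($events | Sort-Object TimeCreated)) {
    # ID 41 is only meaningful when logged by the Kernel-Power provider.
    if ($e.Id -eq 41 -and
        $e.ProviderName -ne 'Microsoft-Windows-Kernel-Power') { continue }
    $row = @{
        Time = $e.TimeCreated; Id = $e.Id; What = $labels[$e.Id]
        Type = ''; User = ''; Process = ''; Reason = ''
    }
    # Assumed 1074 field order: [0] process, [2] reason, [4] type, [6] user.
    if ($e.Id -eq 1074 -and $e.Properties.Count -ge 7) {
        $row.Process = $e.Properties[0].Value
        $row.Reason  = $e.Properties[2].Value
        $row.Type    = $e.Properties[4].Value
        $row.User    = $e.Properties[6].Value
    }
    New-Object PSObject -Property $row   # PowerShell 2.0 compatible
}

# Chronological view: what happened, and who or what asked for it.
$cols = 'Time', 'Id', 'What', 'Type', 'User', 'Process', 'Reason'
$report | Select-Object $cols | Format-Table -AutoSize -Wrap

# How often each process/user pair requested a shutdown or restart.
$report | Where-Object { $_.Id -eq 1074 } |
    Group-Object Process, User | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A 6008 or Kernel-Power 41 entry with no 1074 before it points to a crash or power loss rather than a requested restart.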
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
Modify the script to the following to get more details:

    Get-EventLog -LogName System -Message "*restart*" | Format-List * | Out-File restart.txt
    Get-EventLog -LogName System -Message "*shutdown*" | Format-List * | Out-File shutdown.txt

LGroup1, Author, Commented:
All great answers, thanks all !
Sir Learnalot Commented:
There is a registry tweak that enables Shutdown Tracking for Windows 7 (the feature in Windows Server). Would this help? If so, enable shutdown tracking by following these steps:

Using Group Editor:
Type gpedit.msc in start search and hit Enter

Click on Computer Configuration -> Administrative Templates -> System -> Double-click the  "Display Shutdown Event Tracker" policy. Select "Enabled" and pick "Always" from the drop down menu.

If you enable this setting and choose “Always” from the drop-down menu, the Shutdown Event Tracker is displayed when you shut down.

If you don't configure this setting, the default behavior for the Shutdown Event Tracker occurs; it is only displayed on the Windows Server family.

Using the Registry Editor

Type regedit in start search and hit Enter

Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability

Double click on each of the following values and change them to 1.

    ShutdownReason
    OnShutdownReasonUI

Done :) You now have a dialogue box prompting for a reason for shutdown and a log where this is all tracked every time a shutdown is commenced.
John, Business Consultant (Owner), Commented:
@LGroup1  - Thank you and I was happy to help.
Sir Learnalot Commented:
Wow lol, by the time I finished writing my answer you have like 5 answers above me. Hope you got it done!
LGroup1, Author, Commented:
Sorry I missed that one before I closed the post Sir Learnalot,