A Windows Event Log is a system log that records detailed information about events occurring on a Windows operating system.
These logs are generated by the operating system, applications, and system services to capture critical events such as system errors, warnings, informational messages and security-related actions.
Below are the steps to access the event log on Windows Server.
1. Login and access to the server through "Remote Desktop Connection (RDC)" from your local computer.
2. Search for "Event Viewer" in the Start Menu and open it.
3. In the Event Viewer window, expand "Windows Logs" on the left panel and click on System to open system event logs.
4. In the right-hand panel, click on Filter Current Log to refine your search and focus on specific events related to reboots.
5. Enter the relevant Event IDs and click OK to apply the filter.
To investigate reboot history, use these Event IDs.
- Event IDs 12, 13, 6005, 6009: These events help to track reboot history, startup and shutdown times.
To determine the type of reboot, use these Event IDs.
- Event IDs 13, 41, 1074, 6008, 6009: These events identify the nature of the reboot, whether it was a manual restart, system failure or unexpected shutdown
To analyze the potential cause of reboot, check for these Event IDs.
- Event IDs 19, 41, 1001, 1074, 7045: These events often indicate issues like power failures, system errors, application crashes, or hardware problem that triggered the reboot.