There are times when a user wants to know the startup and shutdown history of a computer. Mostly, system administrators need to know about the history for troubleshooting purposes. If multiple users use the computer, it may be a good security measure to check PC startup and shutdown times to make sure that the PC is being used legitimately.
Using event logs to extract startup and shutdown times
Windows Event Viewer is a useful tool that records a wide range of events occurring on the computer, logging an entry for each one. Event Viewer is backed by the eventlog service, which cannot be stopped or disabled manually because it is a core Windows service. The start and stop times of the eventlog service are themselves logged, and we can use those times to get an idea of when the computer was started or shut down.
The eventlog service events are logged with two event codes. Event ID 6005 indicates that the eventlog service was started, and event ID 6006 indicates that the eventlog service was stopped. Let’s go through the complete process of extracting this information from the event viewer.
Open Event Viewer (press “Ctrl + R” and type “eventvwr.msc”). If you are using Windows 8, you can run the Event Viewer with the “Windows Key + X + V” shortcut.
In the left pane, open Windows Logs -> System.
In the pane on the right, you will get a list of events that occurred while Windows was running. Our concern is to see only three events. Let’s first sort the event log with Event ID. Click on the Event ID label to sort the data with respect to the Event ID column.
If your event log is huge, then the sorting will not work. You can also create a filter from the actions pane on the right-hand side. Just click on “Filter current log”.
Write 6005, 6006 in the Event IDs field labeled as
Event ID 6005 will be labeled as “The event log service was started”. This is synonymous with system startup.
Event ID 6006 will be labeled as “The event log service was stopped”. This is synonymous with system shutdown.
If you want to investigate the event log further, Event ID 6013 displays the uptime of the computer, and Event ID 6009 shows the processor information detected at boot time. Event ID 6008 tells you that the system started after it was not shut down properly.
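The same filter can be run from PowerShell. The script below is an added example, not part of the original article: it reads IDs 6005, 6006 and 6008 from the System log and pairs each start with the stop that follows it, so a start with no matching stop stands out. The `EventLog` provider name, the variable names and the 30-day window are assumptions of this example.

```powershell
# Added example (not from the original article).
$ComputerName = $null   # assumption: set to a host name to query a remote machine
$Days         = 30      # assumption: how far back to look

$filter = @{
    LogName      = 'System'
    ProviderName = 'EventLog'          # assumption: source that writes these IDs
    Id           = 6005, 6006, 6008    # start, stop, unexpected shutdown
    StartTime    = (Get-Date).AddDays(-$Days)
}
$query = @{ FilterHashtable = $filter; ErrorAction = 'Stop' }
if ($ComputerName) { $query.ComputerName = $ComputerName }

# Oldest first, so each start can be matched with the stop that follows it.
$events = Get-WinEvent @query | Sort-Object TimeCreated

$sessions = @()
$current  = $null
foreach ($e in $events) {
    if ($e.Id -eq 6005) {
        # A new start while a session is still open: no 6006 was logged for it.
        if ($current) { $current.CleanShutdown = $false; $sessions += $current }
        $current = [pscustomobject]@{
            Startup = $e.TimeCreated; Shutdown = $null; Uptime = $null; CleanShutdown = $null
        }
    }
    elseif ($e.Id -eq 6006 -and $current) {
        $current.Shutdown      = $e.TimeCreated
        $current.Uptime        = $e.TimeCreated - $current.Startup
        $current.CleanShutdown = $true
        $sessions += $current
        $current = $null
    }
}
if ($current) { $sessions += $current }   # still running: no shutdown time yet

$sessions | Format-Table Startup, Shutdown, Uptime, CleanShutdown -AutoSize

# 6008 records, listed separately to cross-check sessions marked CleanShutdown = False.
$events | Where-Object Id -eq 6008 | Format-List TimeCreated, Message
```

The last row has an empty Shutdown column when the machine is still running. Sessions whose start falls before the chosen window are not listed.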
TurnedOnTimesView is a simple, portable tool, by Nirsoft, for analyzing the event log for startup and shutdown times. The utility can be used to view the list of shutdown and startup times of local computers or any remote computer connected to the network.
Since it is a portable tool, you will only need to unzip and execute the TurnedOnTimesView.exe file. It will immediately list the startup time, shutdown time, duration of uptime between each startup and shutdown, shutdown reason and shutdown code.
Shutdown reason is usually associated with Windows Server machines where we have to give a reason if we are shutting down the server.
To view the startup and shutdown times of a remote computer, go to “Options -> Advanced Options” and select “Data source as Remote Computer”. Specify the IP address or name of the computer in the Computer Name field and press the OK button. The list will now show the details of the remote computer.
While you can always use the event viewer for detailed analysis of startup and shutdown times, TurnedOnTimesView serves the purpose with a very simple interface and to-the-point data.