How To Check Who Restarted The Windows Server

Introduction

When managing a Windows server, knowing when it was restarted and by whom can be crucial for maintaining system uptime and security. Unexpected or frequent restarts can indicate underlying problems, and monitoring these events can help prevent future issues.

Importance of Monitoring Server Restarts

Server restarts can occur for various reasons, such as software updates, configuration changes, or hardware failures. Monitoring these restarts helps in:

  • Identifying unauthorized access or potential security breaches.
  • Tracking changes made to the server configuration.
  • Diagnosing and resolving unexpected shutdowns or system crashes promptly.

Some Windows servers or machines may restart unexpectedly and without notice, which is frustrating when the cause is unknown.

There are a few ways to find the exact cause of a reboot and who performed it, described in the steps below.

Event Viewer

Event Viewer is the built-in application for browsing the Windows event logs, which record system and user-initiated events such as shutdowns and restarts.

We can use Event Viewer to find who rebooted the Windows server/machine by filtering on the event log code:

  • Event log code 1074 is used to record reboot logs.
  • Click the Start menu or Windows search bar, type Event logs, and open it.
  • Navigate to Event Viewer, browse Windows Logs, and click System.
  • In the Actions pane, click “Filter Current Log”.
  • In the Filter Current Log window, type the event log code “1074” in the Event ID field and click OK.
  • The filtered view now lists only event 1074 entries. Double-click the entry for the relevant date and time to see who rebooted the machine.

 

PowerShell

PowerShell is a command-line shell and scripting language that enables system administrators to perform advanced tasks, including querying event logs.

Opening PowerShell:

To open PowerShell, press Win+X on your keyboard, and select Windows PowerShell from the menu.

Using Get-EventLog Command:

In PowerShell, you can use the Get-EventLog command to access the event logs.

Querying Specific Server Restart Events:

To query server restart events, use the following command, which filters the USER32 entries on the Event ID shown in Event Viewer:

Get-EventLog -LogName System -Source USER32 | Where-Object { $_.EventID -eq 1074 }

Monitoring Server Restarts Proactively

To stay ahead of server restarts and address potential issues, consider the following proactive approaches:

Configuring Event Log Triggers:

You can configure event log triggers to execute specific actions when particular events occur. This helps automate responses to server restarts.

Creating Custom PowerShell Scripts:

Craft custom PowerShell scripts to gather and analyze server restart data regularly. These scripts can provide valuable insights into restart patterns.
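
As an added example (not part of the original article), the script below collects restart events into one table showing who requested each restart and why. The function name Get-RestartHistory and its parameters are hypothetical, and the script goes beyond event 1074 by also listing events 6008 (EventLog) and 41 (Kernel-Power), which Windows records after an unclean shutdown and which carry no user name.

```powershell
# Added example. Function and parameter names are hypothetical.
# Event 1074 (User32) property positions used below:
#   [0] process  [2] reason  [4] shutdown type  [5] comment  [6] user
function Get-RestartHistory {
    param(
        [string]$ComputerName,   # optional remote host; omit for the local machine
        [int]$Days = 30          # how far back to search
    )
    $query = @{
        FilterHashtable = @{
            LogName   = 'System'
            Id        = 1074, 6008, 41
            StartTime = (Get-Date).AddDays(-$Days)
        }
        ErrorAction = 'SilentlyContinue'   # Get-WinEvent errors when nothing matches
    }
    if ($ComputerName) { $query.ComputerName = $ComputerName }

    foreach ($e in Get-WinEvent @query) {
        # Match on provider and ID together, since IDs are only unique per provider.
        switch ("$($e.ProviderName)/$($e.Id)") {
            'User32/1074' {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Kind    = 'Requested'
                    User    = $e.Properties[6].Value
                    Process = $e.Properties[0].Value
                    Action  = $e.Properties[4].Value
                    Reason  = $e.Properties[2].Value
                    Comment = $e.Properties[5].Value
                }
            }
            { $_ -in 'EventLog/6008', 'Microsoft-Windows-Kernel-Power/41' } {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Kind    = 'Unexpected'
                    User    = $null          # no user is recorded for an unclean shutdown
                    Process = $null
                    Action  = $null
                    Reason  = "Event $($e.Id) ($($e.ProviderName))"
                    Comment = $null
                }
            }
        }
    }
}

Get-RestartHistory -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

A restart requested by an unfamiliar account or process, or an Unexpected row with no matching Requested row shortly before it, is the entry to investigate first.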

Conclusion

Knowing how to check who restarted the Windows server is essential for effective server management. Utilizing tools like Event Viewer and PowerShell, and adopting proactive monitoring practices, empowers administrators to maintain system reliability and address potential issues promptly.

FAQs:

  1. Q: Can I check who restarted the server remotely?
    • A: Yes, using remote management tools and appropriate permissions, you can access the event logs and PowerShell remotely to check for restart events.
  2. Q: Are there third-party tools for monitoring server restarts?
    • A: Yes, there are various third-party tools available that offer more advanced monitoring and reporting features for server restarts.
  3. Q: How do I differentiate between a planned restart and an unexpected one?
    • A: In Event Viewer, look for corresponding events indicating whether the restart was planned or unexpected.