A few weeks ago, a Windows Server 2008 restarted without reason (as I got that "shutdown dialog" asking me why the server shut down unexpectedly and I was asked to give a reason). At that time, I was too busy to look into the matter. Now I'd like to trace back the problem but I forgot when that happened. Is it possible to get the list of shutdown event with date and time? I just see that if I type shutdown, I get a list. But this list has no date and time. TIA

hi Horinius,Fastest way to identify is to look for event 6006 under system event log have you disabled shutdown event tracker ?

Hello Horinius, To get a list of shutdown event with date and time, we can take use of Event Viewer to filter Event ID: 1074 in System Event log Steps: 1. Open Event Viewer with Eventvwr.exe 2. Navigate to Windows Logs\System 3. Right-Click on it and select "Filter Current Log…" 4. Filter: Event log: System Event ID: 1074 5. When you filter them, you can track down its shutdown type, date and time, and who has shutdown it. For more information about shutdown event, please check this KB article: Description of the Shutdown Event Tracker http://support.microsoft.com/default.aspx/kb/293814 Hope this can be helpful. Best Regards, David ShenThis posting is provided "AS IS" with no warranties, and confers no rights.

Thanks to both of you for your replies, but that didn't give what I wanted. When I wrote "restarted without reason" in my original post, I should have written "the server rebooted without a proper shutdown phase", as I've explained within the brackets. Since it has no correct shutdown, that event isn't recorded in the event log. OTOH, since it hasn't gone through the correct shutdown phase, the first time when we log in, there's a special dialog asking the reason of previous unexpected shutdown. And it's this list that I wanted.

In this case you have to generate the crash dump and find out whats the real reason for the restart, there might be some third party application interfereing which crashes the OS.Thankshttp://technetfaqs.wordpress.com

That's off-topic...

Hi Horinius,If the server rebooted without a proper shutdown phase, I am afraid that the system won't record the process in event viewer.This posting is provided "AS IS" with no warranties, and confers no rights.

I know it's not in event log, or else I won't ask it here. That's why I just asked for the list, without specifying where.

Hi Horinius,Windows operating system has provided a centralized utility called event viewer which is used to register the events of an operating system, IMHO if the event is not registered in event viewer then there is no chance of getting the list of events unless you have a 3rd party event viewer which is monitoring your environment.

That is not true. If you type "shutdown" in a command window, as I've written in my first post, you can get a list of shutdown events. And this list remains even if you clear your logs. The problem is there's no time and date.

I have just encountered same situation as you. Got below info. from event viewer Log Name : System Event ID: 41 Description: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Assuming the event William has proposed above is what you're after, you can pull a list with Powershell using the following command: Get-EventLog -LogName System -InstanceId 41 If you wanted to pipe that off to a file, you can add the Export-Csv option as follows: Get-EventLog -LogName System -InstanceId 41 | Export-Csv -Path D:\Temp\events.csv -NoTypeInformation Cheers, Lain

I don't have event id 41 in my system, so I tried to replace it with some other known values that I've seen: 6008, 6005, 7036, etc, but I always got Get-EventLog : No matches found For me, this method doesn't work.

Try the following. I had forgotten that the InstanceId is actually an Int64 when using Powershell. Get-EventLog -LogName System -EntryType Warning -Source "USER32" | where { ($_.InstanceId -bAnd 0xFFFF) -eq 1076 } You can also pipe these results out to a CSV as I've illustrated above (so I won't waste space repeating it). For reference, the event you're actually after - if I've understood you correctly after re-reading all these posts for about the fourth time, is 1076. Cheers, Lain

By other means, I've found that for some event id (instance id), the number is different, eg: 6006 --> 2147489654 6009 --> 2147489657 6005 --> 2147489653

Try the following. I had forgotten that the InstanceId is actually an Int64 when using Powershell. Get-EventLog -LogName System -EntryType Warning -Source "USER32" | where { ($_.InstanceId -bAnd 0xFFFF) -eq 1076 } You can also pipe these results out to a CSV as I've illustrated above (so I won't waste space repeating it). For reference, the event you're actually after - if I've understood you correctly after re-reading all these posts for about the fourth time, is 1076. Cheers, Lain It's actually 1074 instead of 1076. I'm going to try it tomorrow.

Dear David, this karthick from Hyderabad India thank you very much your suggestion is worked out of my knowledge and its helped to our organization too. and once again thank you very much. regards karthick