How to Track Windows Server Boot/Shutdown Timestamps via Event Logs for System Monitoring


Windows Server records system events with specific IDs in the Event Viewer:

Event ID 6005: System startup (Logged when Event Log service starts)
Event ID 6006: Clean shutdown (Logged when Event Log service stops)
Event ID 6008: Unexpected shutdown (Crash or power loss)

For automated monitoring, use this PowerShell script to extract boot/shutdown events:

# Get the 50 most recent boot/shutdown events. Do not add -EntryType Information here:
# 6008 is written as an Error entry and would be filtered out.
# (Get-EventLog exists in Windows PowerShell only; on PowerShell 7 use Get-WinEvent as shown further below.)
Get-EventLog -LogName System -InstanceId 6005,6006,6008 -Newest 50 |
Select-Object TimeGenerated, InstanceId, Message |
Format-Table -AutoSize

# Export all three event types to CSV for historical tracking
Get-EventLog -LogName System -InstanceId 6005,6006,6008 |
Export-Csv -Path "C:\SystemEvents.csv" -NoTypeInformation

For precise filtering across multiple servers:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='EventLog'] and 
      (EventID=6005 or EventID=6006 or EventID=6008)]]
    </Select>
  </Query>
</QueryList>

For real-time monitoring across your domain:

  1. Open Event Viewer
  2. Right-click "Subscriptions"
  3. Create new subscription with these filters:
    • Log: System
    • Event sources: EventLog
    • Event IDs: 6005,6006,6008

If events don't appear:

  • Verify "Windows Event Log" service is running
  • Check system uptime with systeminfo | find "System Boot Time"
  • Increase system log size (default 20MB often wraps too quickly)

Windows systems log all significant events in the Event Viewer, including system startups and shutdowns. For programmers needing to track system uptime programmatically, the Event Log provides structured data through several channels:

# PowerShell example to query the System log
Get-WinEvent -LogName System | Where-Object {
    $_.Id -eq 6005 -or $_.Id -eq 6006
} | Format-Table TimeCreated, Id, Message -AutoSize

The critical Event IDs to monitor are:

  • 6005 (EventLog service started - indicates system startup)
  • 6006 (EventLog service stopped - indicates clean shutdown)
  • 6008 (Unexpected shutdown)
  • 6013 (System uptime)

Here's a complete C# solution using EventLogReader:

using System;
using System.Diagnostics.Eventing.Reader;

class EventLogQueryExample {
    static void Main() {
        string query = "*[System/EventID=6005 or System/EventID=6006]";
        EventLogQuery eventsQuery = new EventLogQuery("System", PathType.LogName, query);
        
        using (EventLogReader logReader = new EventLogReader(eventsQuery)) {
            for (EventRecord eventInstance = logReader.ReadEvent();
                eventInstance != null; 
                eventInstance = logReader.ReadEvent()) {
                
                Console.WriteLine($"{eventInstance.TimeCreated}: {eventInstance.Id} - {eventInstance.FormatDescription()}");
            }
        }
    }
}

For production environments, consider these enhancements:

# PowerShell with time filtering (filtering inside Get-WinEvent is far faster than piping the whole log to Where-Object)
$StartTime = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName='System'
    ID=6005,6006
    StartTime=$StartTime
} | Export-Csv -Path ".\BootLog.csv" -NoTypeInformation

To query remote machines in a domain environment:

# PowerShell remoting example
Invoke-Command -ComputerName Server01,Server02 -ScriptBlock {
    Get-WinEvent -LogName System -MaxEvents 20 | 
    Where-Object {$_.Id -eq 6005 -or $_.Id -eq 6006}
} | Select-Object MachineName, TimeCreated, Id, Message
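Once the events are collected (locally or through Invoke-Command as above), the timestamps still need to be paired into uptime sessions, and 6008 needs care: it is written during the startup that follows a crash, so its own TimeCreated is not the shutdown time. The function below is an added example, not code from the original page; the function name is an assumption and the sample events are constructed.

```powershell
# Added example (not from the original page). Function name is an assumption.
# Pair 6005/6006/6008 events into uptime sessions. A 6008 is attributed to the
# nearest 6005 and flags the session that ended before that boot.
function Get-BootSession {
    param([Parameter(Mandatory)] [object[]] $Events)   # objects with .Id and .TimeCreated
    $boots  = @($Events | Where-Object Id -eq 6005 | Sort-Object TimeCreated | ForEach-Object TimeCreated)
    $cleans = @($Events | Where-Object Id -eq 6006 | Sort-Object TimeCreated | ForEach-Object TimeCreated)
    if ($boots.Count -eq 0) { return @() }
    $unexpected = @{}
    foreach ($t in ($Events | Where-Object Id -eq 6008 | ForEach-Object TimeCreated)) {
        $j = 0
        for ($k = 1; $k -lt $boots.Count; $k++) {
            if ([math]::Abs(($boots[$k] - $t).TotalSeconds) -lt [math]::Abs(($boots[$j] - $t).TotalSeconds)) { $j = $k }
        }
        if ($j -gt 0) { $unexpected[$j - 1] = $true }   # $j -eq 0: the crashed session predates the data
    }
    $sessions = foreach ($i in 0..($boots.Count - 1)) {
        $boot = $boots[$i]
        $next = if ($i + 1 -lt $boots.Count) { $boots[$i + 1] } else { [datetime]::MaxValue }
        $shutdown = $cleans | Where-Object { $_ -gt $boot -and $_ -lt $next } | Select-Object -First 1
        $uptime = if ($shutdown) { $shutdown - $boot } else { $null }
        $end = if ($shutdown) { 'Clean' }
               elseif ($unexpected[$i]) { 'Unexpected' }
               elseif ($i + 1 -eq $boots.Count) { 'Running' }
               else { 'Unknown' }   # no 6006 or 6008: log wrapped or the shutdown was never logged
        [pscustomobject]@{
            Boot     = $boot
            Shutdown = $shutdown
            Uptime   = $uptime
            End      = $end
        }
    }
    return $sessions
}

# Constructed sample data (not real log entries): session 1 crashed, session 2 shut down cleanly
$sample = @(
    [pscustomobject]@{ Id = 6005; TimeCreated = [datetime]'2024-01-01 08:00:00' },
    [pscustomobject]@{ Id = 6005; TimeCreated = [datetime]'2024-01-02 09:00:00' },
    [pscustomobject]@{ Id = 6008; TimeCreated = [datetime]'2024-01-02 09:00:05' },
    [pscustomobject]@{ Id = 6006; TimeCreated = [datetime]'2024-01-03 18:00:00' }
)
Get-BootSession -Events $sample | Format-Table -AutoSize
# Live data: Get-BootSession -Events (Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 6005, 6006, 6008 })
```

With the sample data the first session reports End = Unexpected with no Shutdown time, and the second reports End = Clean with an Uptime of 1 day 9 hours; a run of Unknown sessions is the signal that the System log is wrapping before it is collected.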

For legacy systems where Event Log access is restricted:

// C# WMI query example (add a reference to System.Management)
using System;
using System.Management;

class WmiEventLogExample {
    static void Main() {
        ManagementScope scope = new ManagementScope("\\\\.\\root\\cimv2");
        ObjectQuery query = new ObjectQuery(
            "SELECT * FROM Win32_NTLogEvent WHERE LogFile='System' AND (EventCode=6005 OR EventCode=6006)");

        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query)) {
            foreach (ManagementObject log in searcher.Get()) {
                // TimeGenerated is a DMTF datetime string, so convert it before printing
                DateTime when = ManagementDateTimeConverter.ToDateTime(log["TimeGenerated"].ToString());
                Console.WriteLine($"Event: {log["EventCode"]} at {when}");
            }
        }
    }
}