How to Retrieve Shutdown Event Tracker Logs in Windows Server 2008 R2 Using Event Viewer



When troubleshooting Windows Server 2008 R2 restarts, the Shutdown Event Tracker provides valuable user-provided reasons for system shutdowns/reboots. These logs are stored in the System log with Event ID 1074.

  1. Open Event Viewer (eventvwr.msc)
  2. Navigate to: Windows Logs → System
  3. Click "Filter Current Log" in the right pane
  4. Enter 1074 in the "All Event IDs" field
  5. Check the "Information" event level

For automated retrieval, use this PowerShell script:

# Read the System log and keep only Event ID 1074 records (event version 0)
Get-WinEvent -LogName System | Where-Object {
    $_.Id -eq 1074 -and
    $_.Version -eq 0
} | Format-List TimeCreated,Message

A typical log entry contains:

  • Process that initiated shutdown (usually explorer.exe)
  • User-provided reason code and comment
  • Shutdown type (restart/shutdown)
  • Planned/unplanned flag

Sample event data structure:

Log Name:      System
Source:        USER32
Event ID:      1074
Level:         Information
Description:   The process explorer.exe (COMPUTER) has initiated the restart of computer COMPUTER 
               on behalf of user DOMAIN\user for the following reason: Operating System: Upgrade (Planned)
               Reason Code: 0x80020002
               Shutdown Type: restart
               Comment: Applying critical security updates

For servers with heavy logging, refine your query with XML filtering:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[(EventID=1074)]]
    </Select>
  </Query>
</QueryList>

  • Ensure "Display Shutdown Event Tracker" group policy is enabled
  • Logs rotate - older entries may be overwritten
  • Domain controllers store additional shutdown events in Directory Service logs
  • For clustered servers, check Cluster logs simultaneously

When troubleshooting Windows Server 2008 R2 shutdowns, the Shutdown Event Tracker records valuable diagnostic information that is easy to miss because it has no log of its own. These records contain the user-provided reasons for shutdown/restart operations.

Contrary to expectations, shutdown tracker messages appear in the System log (not a dedicated log) with Event ID 1074. To find them:

1. Open Event Viewer (eventvwr.msc)
2. Navigate to: Windows Logs → System
3. Filter Current Log with:
   - Event IDs: 1074
   - Event sources: User32
4. Click OK to apply filter

For scripted retrieval or bulk analysis, use this PowerShell command:

Get-WinEvent -LogName System | 
Where-Object {$_.Id -eq 1074 -and $_.ProviderName -eq "User32"} |
Format-List TimeCreated, Message

A typical 1074 event contains these key fields:

  • Process Name: Which executable initiated the shutdown
  • Reason Code: Microsoft's classification (e.g., 0x80020002 for planned maintenance)
  • Comment: The free-text reason you entered in Shutdown Event Tracker
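
The reason code packs the planned flag and the major and minor reason into one 32-bit value. The following added example (not part of the original article) decodes it using the Win32 SHTDN_REASON_* bit layout and marks entries that are unplanned or carry no comment; the function names, the record shape and the sample records are constructed for illustration.

```powershell
# Added example (not the article's code). Flag bits follow the Win32 SHTDN_REASON_* constants.
$MajorNames = @{
    0x00000000 = 'Other';    0x00010000 = 'Hardware';    0x00020000 = 'Operating System'
    0x00030000 = 'Software'; 0x00040000 = 'Application'; 0x00050000 = 'System'
    0x00060000 = 'Power';    0x00070000 = 'Legacy API'
}

function ConvertFrom-ShutdownReasonCode {
    param([string]$ReasonCode)                       # text as logged, e.g. '0x80020002'
    $code  = [Convert]::ToInt64(($ReasonCode.Trim() -replace '^0x'), 16)
    $major = [int]($code -band 0x00FF0000)           # major reason lives in bits 16-23
    New-Object PSObject -Property @{
        Planned     = ($code -band 2147483648) -ne 0   # 0x80000000 = planned flag
        UserDefined = ($code -band 1073741824) -ne 0   # 0x40000000 = user-defined reason
        Major       = $(if ($MajorNames.ContainsKey($major)) { $MajorNames[$major] } else { 'Unknown' })
        Minor       = [int]($code -band 0xFFFF)        # minor reason lives in bits 0-15
    }
}

function Get-ShutdownReview {
    param($Records)   # hypothetical record shape: Time, Process, User, ReasonCode, Comment
    foreach ($r in $Records) {
        $d   = ConvertFrom-ShutdownReasonCode $r.ReasonCode
        $why = @()
        if (-not $d.Planned) { $why += 'unplanned' }
        if ([string]::IsNullOrEmpty("$($r.Comment)".Trim())) { $why += 'no comment' }
        New-Object PSObject -Property @{
            Time = $r.Time; User = $r.User; Process = $r.Process
            Major = $d.Major; Planned = $d.Planned; Review = ($why -join ', ')
        }
    }
}

# Constructed sample records (not real log data). On a live server, build the same
# objects from Get-WinEvent using Properties[0]=process, [3]=reason code, [5]=comment,
# [6]=user (positions assumed from the order of fields in the 1074 message).
$sample = @(
    (New-Object PSObject -Property @{ Time='2012-03-01 02:10'; Process='explorer.exe'; User='DOMAIN\user'
        ReasonCode='0x80020002'; Comment='Applying critical security updates' }),
    (New-Object PSObject -Property @{ Time='2012-03-04 23:47'; Process='shutdown.exe'; User='DOMAIN\user2'
        ReasonCode='0x00050000'; Comment='' })   # hypothetical unplanned entry without a comment
)

# Show only the entries that need a second look
Get-ShutdownReview $sample | Where-Object { $_.Review } |
    Format-Table Time, User, Process, Major, Review -AutoSize
```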

For long-term tracking, export shutdown events with this script:

$events = Get-WinEvent -FilterHashtable @{
    LogName='System'
    ID=1074
    ProviderName='User32'
} -MaxEvents 100

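# Property positions follow the 1074 message: [2] reason text, [5] comment, [6] user
# ([4] holds the shutdown type, not the comment)
$events | Select-Object TimeCreated,
    @{Name="User";Expression={$_.Properties[6].Value}},
    @{Name="Reason";Expression={$_.Properties[2].Value}},
    @{Name="Comment";Expression={$_.Properties[5].Value}} |
Export-Csv -Path "C:\shutdown_logs.csv" -NoTypeInformation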

If you're not seeing expected shutdown entries:

  • Verify the Shutdown Event Tracker is enabled (gpedit.msc → Computer Configuration → Administrative Templates → System)
  • Check that the System log isn't configured to overwrite events too quickly
  • Remember that abrupt power losses won't generate these logs