How to Track User-Initiated Server Reboots in Windows: Forensic Event Log Analysis


1 views

When troubleshooting unexpected server restarts on Windows systems, administrators often find the system event logs show only generic shutdown events (Event ID 1074) without user attribution. This creates forensic challenges in multi-user environments.

# PowerShell command to retrieve shutdown events
Get-WinEvent -LogName System | Where-Object {$_.Id -eq 1074} | Format-List

For deeper analysis, check these additional logs:

  • Security log (Event ID 4648 for explicit logon events)
  • Terminal Services logs (for RDP sessions)
  • Task Scheduler logs (for automated reboots)

When standard logs don't reveal the initiator, try these methods:

# Check user logon times around reboot period
$rebootTime = (Get-WinEvent -FilterHashtable @{LogName='System'; ID=1074} -MaxEvents 1).TimeCreated
$userLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | 
    Where-Object {$_.TimeCreated -gt ($rebootTime.AddMinutes(-15)) -and $_.TimeCreated -lt $rebootTime}

Consider this scenario from a production environment:

  1. Unexpected reboot occurred at 2023-03-15 02:17 UTC
  2. Standard System log showed "The process C:\Windows\System32\svchost.exe has initiated the restart of computer SERVER01 on behalf of user NT AUTHORITY\SYSTEM"

By cross-referencing Terminal Services logs, we discovered:

Event ID 1149 - User DOMAIN\jdoe disconnected from session 3 at 02:16 UTC
Event ID 21 - Remote Desktop Services: Session logon succeeded: DOMAIN\jdoe

To improve future tracking, enable these audit policies via GPO:

auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable
auditpol /set /subcategory:"Detailed Tracking" /success:enable

When built-in logs are insufficient:

  • Implement custom PowerShell tracking scripts
  • Deploy third-party auditing solutions
  • Enable Process Tracking (Audit Process Creation)
# Sample custom tracking script
Register-WmiEvent -Query "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='shutdown.exe'" 
    -Action {
        $username = (Get-WmiObject Win32_Process -Filter "ProcessId=$($Event.SourceEventArgs.NewEvent.ProcessID)").GetOwner().User
        Add-Content -Path "C:\logs\shutdown_tracking.log" -Value "$(Get-Date) - Shutdown initiated by $username"
    }

When a Windows server unexpectedly reboots, administrators need to determine whether it was triggered by a user action or system process. Modern Windows systems (2008 R2 and later) provide more detailed logging than older versions, but the approach varies by OS version.

The primary source for reboot information is the System event log. Look for these critical events:

<Event ID="1074"> - User-initiated shutdown/restart
<Event ID="6006"> - Event log service stopped (indicates clean shutdown)
<Event ID="6008"> - Unexpected shutdown

This script extracts shutdown events with user context:

Get-WinEvent -FilterHashtable @{
    LogName='System'
    ID=1074
} | Select-Object TimeCreated, 
    @{Name='User';Expression={$_.Properties[6].Value}},
    @{Name='Process';Expression={$_.Properties[0].Value}},
    @{Name='Reason';Expression={$_.Properties[2].Value}}

Newer Windows versions include more detailed shutdown auditing. Enable these Group Policies first:

Computer Configuration > Windows Settings > Security Settings > 
Local Policies > Audit Policy > Audit privilege use

The security log contains user authentication details that can correlate with shutdown events:

$shutdownTimes = Get-WinEvent -FilterHashtable @{
    LogName='System'
    ID=1074
} | Select-Object -ExpandProperty TimeCreated

$securityEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4647
    StartTime=($shutdownTimes[0].AddMinutes(-5))
    EndTime=$shutdownTimes[0]
}

For proactive monitoring, implement this PowerShell script that logs to a central database:

$query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[(EventID=1074)]]
    </Select>
  </Query>
</QueryList>
"@

$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)
$action = {
    $event = $EventArgs.EventRecord
    $rebootInfo = [PSCustomObject]@{
        Time = $event.TimeCreated
        User = $event.Properties[6].Value
        Process = $event.Properties[0].Value
        Reason = $event.Properties[2].Value
    }
    # Add your logging logic here
}
Register-ObjectEvent -InputObject $watcher -EventName "EventRecordWritten" -Action $action
$watcher.Enabled = $true