Startup and shutdown history of Microsoft Windows

There are cases of emergencies when a Windows system administrator wishes to know if system is started up or shutdown in a particular date or time. Fortunately, you can use the Event Viewer in Windows XP  to determine the approximate time and date of startup and shutdown.

Event Log service, which is responsible for Windows logging operations, also logs its own start and stop events. By default this service starts at computer startup and stops at computer shutdown. Since this service could not be manually stopped by conventional means (!), there is a very good chance that these start/stop events have happened around the same time as computer’s startup/shutdown.

The Event Log service start time is logged by two entries in System log: a 6009 event followed by a 6005 event. The types of both events are Information, both come from the “eventlog” source. Event 6009’s description contains the operation system’s version, build, service pack number, etc. Event 6005 bears the message “The Event log service was started.”

The Even Log service stop time is logged by one single entry: a 6006 event (Information type from “eventlog” source) which bears the message “The Event log service was stopped.”

The following steps describes how to find these events and their time and date:

  1. Right-click on a My Computer icon and select Manage from the context menu. The Computer Management console should appear within seconds.
  2. From the left pane, expand the System Tools node (if it is not already expanded), then expand the Event Viewer node.
  3. Under the Event Viewer node, select System. The right pane should display the entire System log. This log is probably vast and you probably don’t like scrolling through it to find what you need. You need to filter the log to see only what you need.
  4. From the View menu, select Filter… System Properties dialog box should pop up.
  5. From the “Event source” drop-down list, select “eventlog“.
  6. Click OK. System Properties dialog box should disappear and the right pane of Computer Management console should show only what we need: Event Log service’s start and stop events.
  7. Look at the numbers in Event column. 6006 represents a stop (corresponding to a system shutdown.) 6005 and 6009 represent a start (corresponding to a system startup.) Then look at the Date and Time column of each entry to find out when they happened.

This method, of course, has its own flaws. Systems which have their Event Log services disabled or stopped by unconventional means do not allow you to exploit this method. More importantly, this method at best yields only the startup and shutdown times of the operating system not the entire computer. It won’t allow you to see the entire system up time, especially when a multi-boot scenario is in place or a live operating system like Windows PE is run. However, since a large number of computer users have a single operating system on their computers and usually don’t even know what a live operating system is (never mind using one) this method would be a gem when used in the right place.

Advertisements

Posted on 15 September 2007, in Windows Administration and tagged , , , , , , , , , , , . Bookmark the permalink. 2 Comments.

  1. Thank you very much~! But is there any possible way to extend the number of date save log? Like more then 3 moth?

  1. Pingback: Computer hibernation: In medias res « Confidential Files!

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: