Tracing the Culprit: How to Find Out Who Restarted Your Windows Server

This step-by-step guide will help you find out who restarted your Windows Server. You can discover the user or application responsible for the shutdown or restart of your Windows Server.

This data can be accessed using Event Viewer, a built-in utility that records each event on your server and provides a means to view this information.

To determine who restarted Windows Server, simply follow these steps:

To gain further insights into these procedures, continue with this guide.

To get started, you need to open Event Viewer. For that, search for the event viewer in the Taskbar search box and click on the individual search result. Alternatively, press Win+R to open the Run prompt, type eventvwr, and hit the Enter button.

After that, expand the Windows Logs section and select System.

Next, right-click on the System menu and click the Filter Current Log option.

Then, enter 1074 in the empty box and click the OK button.

For your information, Event ID 1074 denotes the restart and shutdown caused by a user or application. In other words, if a user or application restarts or shuts down your server, Event Viewer logs that with an Event ID 1074.

After that, filter the data, click on an event, and find the details accordingly.

The process C:WindowsSystem32RuntimeBroker.exe has initiated the restart of computer [computer-name] on behalf of user [username] for the following reason:

Reason

Reason code

Shutdown Type: restart

Comment:

You can find the user, date/time, reason code, etc. This detail box is not limited to one event. You can click on any past event to find the information that meets your requirements.

Read: How to check the Shutdown and Startup Log in Windows

To check the restart history on the Windows Server, you need to open the Event Viewer. Open the Event Viewer on your computer and select Windows Logs > System. Then, right-click on the System and select Filter Current Log. Next, enter the Event ID 1074 and click the OK button. It displays all the restart and shutdown-related events that happened in the past. You can click on any event to find the details.

To check why your Windows restarted, open the Event Viewer. Then, click on Windows Logs and select the System menu. Right-click on the System menu and select Filter Current Log. Next, enter Event ID 1074 and click on OK. Then, select a restart or shut-down event according to the timing and find the details in the bottom tab. Here, it displays the reason why your Windows restarted and by whom.

Read: How to find and view BSOD log files in Event Viewer.

Published on September 6, 2024

Tags: Restart, Server

July 25, 2024

July 18, 2024

September 5, 2024

September 4, 2024


Posted

in

by

Tags: