🖥️ How to Check Windows Server Restart History Using PowerShell
Knowing when a Windows Server was restarted, who initiated the reboot and whether the shutdown was unexpected is extremely important for server management and troubleshooting.
System administrators, IT teams and even general users often need to track Windows restart history for maintenance, uptime monitoring and issue investigation.
In this guide, you will learn how to:
- Check Windows Server reboot history
- Find out who restarted the server
- Detect unexpected shutdowns
- Identify the process responsible for the reboot
- Analyze Windows Event Logs using PowerShell
📌 PowerShell Command to Check Restart History
Use the following PowerShell command to retrieve Windows reboot and shutdown logs:
Get-WinEvent -FilterHashtable @{
LogName='System'
ID=1074,6006,6008,41
} | Select-Object TimeCreated, Id,
@{Name="User";Expression={$_.Properties[6].Value}},
@{Name="Process";Expression={$_.Properties[0].Value}},
Message | Sort-Object TimeCreated -Descending
Run PowerShell as Administrator for best results.
📌 What Does This Command Do?
| Section | Description |
|---|---|
Get-WinEvent |
Reads Windows Event Logs. |
LogName='System' |
Targets the Windows System log. |
ID=1074,6006,6008,41 |
Filters reboot and shutdown related events. |
TimeCreated |
Shows the event timestamp. |
User |
Displays the user who initiated the reboot. |
Process |
Shows the application or process responsible for the reboot. |
Message |
Displays detailed event information. |
📌 Event ID Meanings
| Event ID | Description |
|---|---|
| 1074 | A user or application restarted the system. |
| 6006 | Windows shut down properly. |
| 6008 | The previous shutdown was unexpected. |
| 41 | The system experienced a crash or sudden power loss. |
📌 Example Output
TimeCreated Id User Process
----------- --- ----- --------
05/26/2026 01:15 1074 Administrator shutdown.exe
05/26/2026 01:14 6006
05/26/2026 01:13 6008
05/26/2026 01:13 41
In this example:
- The server was restarted.
- The reboot was initiated by the Administrator user.
- The process responsible was shutdown.exe.
- An unexpected shutdown occurred previously.
📌 Why Monitoring Windows Restart History Is Important
- Track server uptime and downtime
- Detect unauthorized reboots
- Investigate unexpected shutdowns
- Identify power outages or crashes
- Review maintenance activities
- Troubleshoot server stability issues
- Monitor Windows Server health
📌 How to Open PowerShell
- Click the Start Menu
- Type PowerShell
- Right-click Windows PowerShell
- Select “Run as Administrator”
- Paste the command and press Enter
✅ Conclusion
Using PowerShell to check Windows Server restart history is a quick and effective way to monitor reboot activities, detect unexpected shutdowns and identify who restarted the system.
This method is especially useful for Windows Server administrators who need better visibility into server uptime, maintenance and troubleshooting processes.
Arif Akyüz
Bilgi Teknolojileri
Sistem Network Yöneticisi
ve Siber Güvenlik Uzmanı
[email protected]
- What is an LLM (Large Language Model)?
- CVE-2026-31431 (Copy Fail) – Ubuntu Security Mitigation Guide
- Windows Active Directory’de AD Kullanıcıları Raporlama – PowerShell ile Adım Adım
- Learn WiFi Password Using CMD (Windows Guide)
- What is RBAC (Role-Based Access Control)?
- PowerShell Get-WinEvent for Windows Event Log Analysis, Security Auditing and Digital Forensics
- Application Security: How to Check if a Software is Safe to Use
- How to Check Windows Server Restart History Using PowerShell
- GENAI and the Growing Cyber Threat: Raising Awareness for a Safer Digital Future
- PowerShell RDP Log Analysis Guide
- Windows 11 Recovery Bölümünü Silerek Disk Genişletme
- Windows Server Installed Programs List & Software Inventory Report – PowerShell HTML Script
- Microsoft 365 Copilot Agents: Microsoft-Developed Agents
- Top Professional Titles for Experts in AI Agent Management
- Quick File Finder with Powershell
- Let’s Encrypt SSL Certificate Setup for Wazuh Dashboard
- Automatically Connecting Windows 11 Devices to a Hidden SSID Without Sharing the Password
- Ubuntu Server Initial Setup and Configuration Guide
- Intel Core i5 Processor Generations (2009–2025)
- WAZUH ile pfSense Logları ile Trafik Analizi ve Filtreleme
- Intel Core i7 Processor Generations (2008–2025)
- pfSense Log Filtering Guide for Wazuh Discover
- Intel Core i9 Processor Generations (2017–2025)
- Opening a Port and Testing TCP Connections with PowerShell
- Testing Your Antivirus with PowerShell (Safe EICAR Script)
- Python Virtual Environment (venv) Setup: Windows, Linux & macOS
- test-antivirus-powershell
- Listing Unique IP Addresses in a File with PowerShell
- Adding Entries to Windows 11 Hosts File Using CMD
- .bak the process of opening and importing a SQL file
- .NET Framework 3.5 installation fails
- 1. Change user password with CMD
- 2. Create users with CMD
- 3. Delete a user with CMD
- 4. Open Port Inquiry CMD
- 5. Learning external IP with CMD
- 6. Domaine Alma with CMD
- 8. Creating a Folder with CMD
- 9. Shut Down a Remote Computer with CMD
- Account keeps locking
- Active Directory Security
- Active Directory Unlock Account Permission
- Add a Program to the Right-Click Menu
- Add Google Ads conversion tracking code to WordPress
- Add Opencart Google Ads conversion tracking code (add snippets)
- Add Whatsapp order button
- Adobe Illustrator Convert Type to Vector
- ALL ARTICLES
- Allow a standard user to run an application as an administrator in Windows
- ARİF AKYÜZ – SITE CONTENT
- Articles
- Backup Policy
- BC Search for Files and Folders with CMD
- Bitlocker Commissioned
- C# XML File Data Pull, Add, Delete, Update Operations
- Centos 7 IP Switching
- Change MAC Address
- Change the ADD to WooCommerce cart post
- Cisco Router Configuration
- Cisco Switch Model Learning Command
- Cisco Switch Setup
- CMD commands
- Combine columns one after the other in Excel
- Convert Picture to Text Converting Picture to Word
- Create a table of contents in Word
- Critical Files on Linux
- Cryptolocker Extension List
- CSS icon Package
- Cyber Security Certifications
- Cybersecurity Courses Passive Information Collection
- Data recovery via formatted disk
- Define the same proxy address for all users on Terminal Servers
- Delete Files and Folders with Task Scheduler Delete a File and Folder with PowerShell
- Deleting User Profile Files with Powershell
- DHCP Fail-over on Windows Server 2019
- Directory Structure on Linux
- Diskpart
- DNS Cache Clearing
- DOWNLOAD
- Exchange version information learning command
- Exchange: Bypass Malware Filtering
- File commands on Linux
- File Permissions on Linux
- Find out which port the app is using in Windows
- Forti Firewall IP Export
- Forti IP Export
- Google Advertising
- Google Advertising with ADS
- Google DNS
- Google Tag Manager Click Tracking
- Google Tag Manager Installation Turkish Lecture
- Group policy see command CMD applied to the computer
- How to Build an E-Commerce Site
- How to configure Proton VPN on pfSense using WireGuard
- How to Create a Shortcut to a Hyper-V Virtual Machine
- How to Create Trusted Self-Signed SSL Certificates and Local Domains for Testing
- How to Find Out the Motherboard Model?
- How to Get Facebook Pixel Code
- How to install FortiGate FortiOS 7.0
- How to Make a Vector Logo with Adobe Illustrator
- How to Put Password on Word Document
- How to Stay Safe From Stealer Attacks
- How to write IPv6 as a URL
- How to: Create CSR Code Through IIS
- HPE StoreOnce Systems
- IE Prevent running First Run Wizard
- Import Google Chrome passwords
- Instagram ad account closed
- INSTAGRAM ADVERTISING TRAINING
- Internal Network Attacks
- IPv6 Proxy
- Kali Linux Installation
- LAPS Installation and Configuration
- Learning Exchange CU Info command
- Learning MAC address with IP
- List files in an Excel folder
- Log4j scan for Linux
- Log4j Scan for Windows
- Mbps to kbps Converter
- Microsoft Endpoint Manager
- Microsoft Intune EDR import Server
- Microsoft Security Compliance Toolkit 1.0
- Most used ports
- My Instagram Ad Account Has Been Closed, How Can I Open?
- Network Settings for Viritual Box Virtual Machines
- NMAP Commands
- Open the UBUNTU SSH Port
- Opencart social media icon pack
- Package Management on Linux
- Password Expiration Date AD User
- Password Policy
- Paste into Excel Filtered Cells
- PDF Encryption and PDF file encryption
- Persistent user account lockout
- Ping IPv6
- Process Management on Linux
- Pull List of Domain Admin Group Members
- Pull local admin accounts of devices in the domain with Powershell
- Pulling a List of Applications Installed on the Computer with CMD
- Random MAC Address Generation
- Random password generator
- Random Password Generator
- RDP Event Viewer ID
- Real-Time Cyber Threat Map
- Reliable and fast DNS Server List 2022
- Remove additional information, product description, and product review from the WooCommerce product page
- Remove vmware workstation encryption
- RVTools
- Samsung phone throwing rom
- Samsung tablet rom throwing
- See the open and closed ports on the Cisco switch
- Send Outlook future mail
- Server room Checklist
- Server Sustainability
- Showing the Lowest Price on Products with WooCommerce Options
- SMB Signing Disabled
- Social Engineering Attacks
- Speed test
- SQL Injection Attack
- SQL Server 2019 setup
- Switch commands
- This computer can't run windows 11 error solution
- Turn off Insecure TLS Versions
- User management on Linux
- What is a bot?
- What is Biometric Photography?
- What is EternalBlue?
- What is GRC?
- What is IPv6?
- WHAT IS NBTSTAT
- What is Penetration Testing? What is vulnerability scanning?
- What is Split Tunnel? What is Full Tunnel?
- Who reset the User's Password on AD
- Whoami commands
- Windows 10 Password Cracking Programless
- Windows 10 release history
- Windows 11 theme appearance customization
- Windows 2016 Startup Folder
- Woocommerce Closing to Shopping
- WordPress Search button removal hiding
- WordPress Whatsapp button add