Windows event ID descriptions (fragment of a longer list):
- 5038: Code integrity determined that the image hash of a file is not valid.
- 5039: A registry key was virtualized.
- BranchCache: %2 instance(s) of event id %1 occurred.
- 6406: %1 registered to Windows Firewall to control filtering for the following:
- 6407: %1
I'm trying to build up a list of event IDs that can be used to determine when the machine has been shut down, started up, locked and unlocked. So far, I've found 6 event IDs which seem to be the best candidates, but I was wondering if there was a better way of determining it.
Below is a list of event IDs I've found to be useful (1, 1074, 6005, 6006, 4800, 4801) from the 'Power-Troubleshooter', 'User32', 'EventLog' and 'Microsoft Windows security auditing' sources. These are from Windows 10 (v1511) and currently Windows 10 is my only target requirement as this is what all of the client machines run.
Here is an example filter query I've built up which
I've deliberately split the sources out in the query and they can be joined together but this sacrifices readability IMO.
My question is whether there is a better group of event Ids or a better query that I can use? Are there event IDs that I'm missing or that I'm doubling up on?
Dan Atkinson
1 Answer
Referring to your request about startup and shutdown event IDs, I made the list below based on a Windows 10 machine. The main point is that depending on the shutdown action (planned reboot, planned shutdown, unexpected shutdown or LSASS process crash), the generated events will be different:
- 1074 The process Explorer.EXE has initiated the shutdown of computer on behalf of user for the following reason: Other (Unplanned)
- 6006 The Event log service was stopped.
- 109 The kernel power manager has initiated a shutdown transition.
- 13 The operating system is shutting down at system time
- 20 The last shutdown's success status was true. The last boot's success status was true.
- 12 The operating system started at system time
- 6005 The Event log service was started.
- 6013 The system uptime is 10 seconds.
To give a clear overview of those different shutdown actions, I made the following table. Hope it will help.
Michel de Crevoisier
Windows only: If you've ever come back to your PC and noticed it was rebooted, you might be curious to know exactly when it was shut down, and the Guiding Tech blog has a quick tip to help.
To figure out when your PC was last rebooted, open Event Viewer, head into Windows Logs -> System, and filter by Event ID 6006, which records that the event log service was stopped, one of the last things that happens before a clean shutdown or reboot. This technique won't tell you when there was a power outage or a crash, because the service never gets the chance to log 6006; in that case Windows writes Event ID 6008 ("The previous system shutdown ... was unexpected") on the next boot instead. To see when the system was last turned on, filter by Event ID 6005, which is logged when the event log service starts again.
It's a simple tip, but could come in handy if you come back to your PC and want to figure out whether Windows Update or somebody else restarted your PC in the middle of the night, or you're just curious how many times you've rebooted in the recent past.
How To Know the Last ShutDown Time Of Your Windows PC [Guiding Tech via TinyHacker]
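The following PowerShell script is an added example, not code from the question, the answer, or the article above. It takes the event IDs those three list (1, 1074, 6005, 6006, 6013, 12, 13, 109, 20, 4800, 4801), keeps them split per provider in an XPath query the way the question describes, and prints one boot/shutdown/lock timeline from both the System and Security logs. It also includes 6008 (EventLog, "previous shutdown was unexpected"), which is not mentioned on the page but is the standard marker for the power-loss case the article says 6006 misses. The labels, the `$LookbackDays` setting and the property index positions used for 1074 and 4800/4801 details are this script's own assumptions; run it in an elevated PowerShell on Windows 10, since reading the Security log requires administrator rights and 4800/4801 only appear when "Audit Other Logon/Logoff Events" is enabled.

```powershell
# Added example: boot/shutdown/lock timeline from the event IDs discussed above.
# Assumes Windows 10, elevated PowerShell, and lock/unlock auditing enabled.
$LookbackDays = 7   # assumed window; adjust as needed

# One row per (log, provider, ID). Labels are this script's wording, not Microsoft's.
# 6008 is not on the page; it is EventLog's "previous shutdown was unexpected" event.
$events = @(
    @{ Log='System';   Provider='Microsoft-Windows-Power-Troubleshooter'; Id=1;    Label='Resumed from sleep' }
    @{ Log='System';   Provider='User32';                                Id=1074; Label='Shutdown/restart initiated' }
    @{ Log='System';   Provider='EventLog';                              Id=6006; Label='Event log stopped (clean shutdown)' }
    @{ Log='System';   Provider='EventLog';                              Id=6005; Label='Event log started (boot)' }
    @{ Log='System';   Provider='EventLog';                              Id=6008; Label='Previous shutdown was unexpected' }
    @{ Log='System';   Provider='EventLog';                              Id=6013; Label='System uptime at boot' }
    @{ Log='System';   Provider='Microsoft-Windows-Kernel-General';      Id=13;   Label='OS shutting down' }
    @{ Log='System';   Provider='Microsoft-Windows-Kernel-General';      Id=12;   Label='OS started' }
    @{ Log='System';   Provider='Microsoft-Windows-Kernel-Power';        Id=109;  Label='Kernel power manager shutdown transition' }
    @{ Log='System';   Provider='Microsoft-Windows-Kernel-Boot';         Id=20;   Label='Last boot/shutdown success status' }
    @{ Log='Security'; Provider='Microsoft-Windows-Security-Auditing';   Id=4800; Label='Workstation locked' }
    @{ Log='Security'; Provider='Microsoft-Windows-Security-Auditing';   Id=4801; Label='Workstation unlocked' }
)

# Build one <Select> per provider so an ID such as 1 is only matched for the
# provider that actually emits the event we want (Kernel-General also has an ID 1).
$lookbackMs = $LookbackDays * 24 * 60 * 60 * 1000
$selects = $events | Group-Object -Property { "$($_.Log)|$($_.Provider)" } | ForEach-Object {
    $first  = $_.Group[0]
    $idTest = ($_.Group | ForEach-Object { "EventID=$($_.Id)" }) -join ' or '
    "    <Select Path=`"$($first.Log)`">*[System[Provider[@Name='$($first.Provider)'] and ($idTest) and TimeCreated[timediff(@SystemTime) &lt;= $lookbackMs]]]</Select>"
}
$queryXml = @"
<QueryList>
  <Query Id="0" Path="System">
$($selects -join "`n")
  </Query>
</QueryList>
"@

# Provider/ID -> label lookup for the output rows.
$labels = @{}
foreach ($e in $events) { $labels["$($e.Provider)/$($e.Id)"] = $e.Label }

# -ErrorAction SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
$timeline = Get-WinEvent -FilterXml ([xml]$queryXml) -ErrorAction SilentlyContinue | ForEach-Object {
    $ev = $_
    $detail = switch ($ev.Id) {
        # 1074 message template positions (assumed): [2]=reason, [4]=shutdown type, [6]=user
        1074 { "$($ev.Properties[6].Value) ($($ev.Properties[4].Value)): $($ev.Properties[2].Value)" }
        # 4800/4801 positions (assumed): [1]=SubjectUserName, [2]=SubjectDomainName
        { $_ -in 4800, 4801 } { "$($ev.Properties[2].Value)\$($ev.Properties[1].Value)" }
        default { '' }
    }
    [pscustomobject]@{
        Time   = $ev.TimeCreated
        Log    = $ev.LogName
        Id     = $ev.Id
        Event  = $labels["$($ev.ProviderName)/$($ev.Id)"]
        Detail = $detail
    }
} | Sort-Object Time

$timeline | Format-Table -AutoSize

# The caveat from the article: a boot without a preceding 6006 was not a clean shutdown.
$unexpected = @($timeline | Where-Object Id -eq 6008).Count
if ($unexpected) {
    Write-Warning "$unexpected unexpected shutdown(s) in the last $LookbackDays day(s); see the 6008 rows."
}
```

Reading the output as a sequence is what makes the IDs useful: a planned reboot shows 1074, 109, 13 and 6006 in a cluster followed by 12, 6005, 20 and 6013 after the restart, while a crash or power cut produces only the boot-side events plus a 6008, and a lock/unlock pair (4800/4801) sits on its own with the user in the Detail column.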