Check Your PC for Shutdown and Startup Log - Forensic Way

[ritesh.techie]

Originally Posted at Source

Before we begin its better to know what an Event Viewer is, Event Viewer is a Microsoft Management Console (MMC) snap-in that enables you to browse and manage event logs. It is an indispensable tool for monitoring the health of systems and troubleshooting issues when they arise.

Event Viewer enables you to perform the following tasks:

1. View events from multiple event logs
2. Save useful event filters as custom views that can be reused
3. Schedule a task to run in response to an event
4. Create and manage event subscriptions
5. Now most important thing where to use it, well if I rely on my source than by using the following procedures Forensic Department knows when you started your PC and when you shut it down.

So in order to view the exact shutdown time and start-up time follow the below steps -

1. Open Run Dialog box by pressing WIN +R

2. In Run dilog box type eventvwr.msc and press Enter

*beingpc.com/wp-content/uploads/2010/02/event-viewer.JPG

3. Click on System left navigation pane

4. Now look for the following Event code, At the far right pane click on find, and enter the following event code to look for them.

6005 – System start up

6006 -System shutdown

*beingpc.com/wp-content/uploads/2010/02/6005.JPG

A detailed note on Event ID’s that may interests you -

• Event 6005 is logged at boot time noting that the Event Log service was started. It gives the message “The Event log service was started”.
• Event 6006 is logged as a clean shutdown. It gives the message “The Event log service was stopped”.
• Event 6008 is logged as a dirty shutdown. It gives the message “The previous system shutdown at time on date was unexpected”.
• Event 6009 is logged during every boot and indicates the operating system version, build number, service pack level, and other pertinent information about the system. Depending on your current configuration, it gives a message similar to: “Microsoft (R) Windows NT 4.0 1381 Service Pack 6 Multiprocessor free”.

And now you have just made your way to Forensic department

 

[maxmk]

hey.. thanks for the post it's really informative...but I think it should be in Tutorial section (I might be incorrect)..

 

[hot zubs]

interesting info mate... Forensic science is really great...

 

[ritesh.techie]

Yeah thanks for comment.

Mods: Please move it to tutorial section.

 

[vickyadvani]

good info...thanks

 

[ruturaj3]

Hey ritesh, event ID of windows startup is 12 and for shutdown it is 13.
Plz check tat it gives info about time of startup. And u can create custom log to keep track of it.

 

[bishwash]

yeha its interesting to know thkx for info..

 

[saqib_khan]

Mods: Please move it to tutorial section.

Yes, this is a good article, Mods should move this to Tutorials section. But wait, are there any ACTIVE mods here.

 

[zebediah]

Thanks dude