#1 riteshtechie (Software Developer) — Join Date: Mar 2009 — Posts: 880

Check Your PC for Shutdown and Startup Log - Forensic Way

Before we begin, it's better to know what an Event Viewer is. Event Viewer is a Microsoft Management Console (MMC) snap-in that enables you to browse and manage event logs. It is an indispensable tool for monitoring the health of systems and troubleshooting issues when they arise.

    Event Viewer enables you to perform the following tasks:

1. View events from multiple event logs
2. Save useful event filters as custom views that can be reused
3. Schedule a task to run in response to an event
4. Create and manage event subscriptions

Now the most important thing: where to use it. Well, if I rely on my source, then by using the following procedure the Forensic Department knows when you started your PC and when you shut it down.


So in order to view the exact shutdown time and start-up time, follow the steps below:

1. Open the Run dialog box by pressing WIN + R

2. In the Run dialog box type eventvwr.msc and press Enter

3. Click on System in the left navigation pane

4. Now look for the following Event codes. In the far right pane click on Find, and enter the following event codes to look for them.

6005 – System start-up

6006 – System shutdown



A detailed note on Event IDs that may interest you:

    • Event 6005 is logged at boot time noting that the Event Log service was started. It gives the message “The Event log service was started”.
    • Event 6006 is logged as a clean shutdown. It gives the message “The Event log service was stopped”.
    • Event 6008 is logged as a dirty shutdown. It gives the message “The previous system shutdown at time on date was unexpected”.
    • Event 6009 is logged during every boot and indicates the operating system version, build number, service pack level, and other pertinent information about the system. Depending on your current configuration, it gives a message similar to: “Microsoft (R) Windows NT 4.0 1381 Service Pack 6 Multiprocessor free”.

    And now you have just made your way to Forensic department


    Originally Posted at Source
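The same lookup can be done from PowerShell instead of clicking through the Event Viewer Find dialog. The script below is an added example, not part of the original post: it pulls the four Event IDs the post describes (6005, 6006, 6008, 6009) from the System log, prints them as a timeline, and flags any boot that has no matching shutdown record before it, which is the first thing a reviewer should notice when reading these entries as evidence (a cleared or rolled-over log leaves exactly that gap). It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, with permission to read the System log; the `$Days` window and the 5-minute tolerance for Event 6008 are choices made for this example.

```powershell
# Added example (not from the original post): build a startup/shutdown timeline
# from the System log using the Event IDs the post lists. The four IDs are all
# written by the "EventLog" provider, so the filter pins that provider as well.
param(
    [int]$Days = 30,                          # assumption: how far back to look
    [string]$ComputerName = $env:COMPUTERNAME
)

# Meaning of each ID, as described in the post.
$ids = @{
    6005 = 'Startup (Event Log service started)'
    6006 = 'Clean shutdown (Event Log service stopped)'
    6008 = 'Unexpected (dirty) shutdown, recorded at the next boot'
    6009 = 'Boot (OS version / build banner)'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'EventLog'
    Id           = [int[]]$ids.Keys
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    Sort-Object TimeCreated

$timeline = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Meaning = $ids[$e.Id]
        # First line of the message only; for 6008 it carries the estimated
        # time of the crash, which is earlier than the event's own timestamp.
        Message = ($e.Message -split "`r?`n")[0]
    }
}

$timeline | Format-Table -AutoSize

# Consistency check: every 6005 (boot) should follow either a 6006 (clean
# shutdown) or be accompanied by a 6008 (dirty shutdown, written shortly after
# the boot). Two 6005 entries in a row with neither means shutdown evidence is
# missing, e.g. the log was cleared, rolled over, or the window is too narrow.
$cycleEvents = $timeline | Where-Object { $_.Id -in 6005, 6006 }
foreach ($boot in ($timeline | Where-Object Id -eq 6005)) {
    $previous = $cycleEvents | Where-Object { $_.Time -lt $boot.Time } | Select-Object -Last 1
    if ($null -eq $previous -or $previous.Id -eq 6006) { continue }   # first boot in window, or clean cycle

    $dirtyNear = $timeline | Where-Object {
        $_.Id -eq 6008 -and [math]::Abs(($_.Time - $boot.Time).TotalMinutes) -le 5
    }
    if (-not $dirtyNear) {
        Write-Warning ("Boot at {0} follows boot at {1} with no 6006 or 6008 in between: shutdown record missing" -f $boot.Time, $previous.Time)
    }
}
```

Run it as `.\Get-BootTimeline.ps1 -Days 7` (the file name is an assumption; save the script under any name you like). For a remote machine, `-ComputerName` relies on the Remote Event Log Management firewall rule being enabled on the target. Note that Event 6008 is timestamped when the system next boots, so the crash time must be read from its message text rather than from the `Time` column.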

#2 nitinagarwal1988 (Microsoft MVP) — Join Date: Jan 2009 — Location: Pilani, India — Posts: 1,570

I start my PC round about 11am in the morning and the automatic scheduler shuts it down at 8am of the next day; it's the daily routine... except for a power cut or any other 3rd party disturbance... :P

#3 riteshtechie (Software Developer) — Join Date: Mar 2009 — Posts: 880

    So I guess you are the one who has got the highest rank in Carbon Footprints
