Originally Posted at Source
Before we begin its better to know what an Event Viewer is, Event Viewer is a Microsoft Management Console (MMC) snap-in that enables you to browse and manage event logs. It is an indispensable tool for monitoring the health of systems and troubleshooting issues when they arise.
Event Viewer enables you to perform the following tasks:
- View events from multiple event logs
- Save useful event filters as custom views that can be reused
- Schedule a task to run in response to an event
- Create and manage event subscriptions
- Now most important thing where to use it, well if I rely on my source than by using the following procedures Forensic Department knows when you started your PC and when you shut it down.
So in order to view the exact shutdown time and start-up time follow the below steps -
1. Open Run Dialog box by pressing WIN +R
2. In Run dilog box type
eventvwr.msc and press Enter
3. Click on System left navigation pane
4. Now look for the following Event code, At the far right pane click on find, and enter the following event code to look for them.
6005 – System start up
6006 -System shutdown
A detailed note on Event ID’s that may interests you -
Quote:
- Event 6005 is logged at boot time noting that the Event Log service was started. It gives the message “The Event log service was started”.
- Event 6006 is logged as a clean shutdown. It gives the message “The Event log service was stopped”.
- Event 6008 is logged as a dirty shutdown. It gives the message “The previous system shutdown at time on date was unexpected”.
- Event 6009 is logged during every boot and indicates the operating system version, build number, service pack level, and other pertinent information about the system. Depending on your current configuration, it gives a message similar to: “Microsoft (R) Windows NT 4.0 1381 Service Pack 6 Multiprocessor free”.
|
And now you have just made your way to Forensic department 
Check Your PC for Shutdown and Startup Log - Forensic Way
Linear Mode
