我怎样才能得到 Windows 上次重启的原因

小开

最佳答案

This article explains in detail how to find the reason for last startup/shutdown. In my case, this was due to windows SCCM pushing updates even though I had it disabled locally. Visit the article for full details with pictures. For reference, here are the steps copy/pasted from the website:

Press the Windows + R keys to open the Run dialog, type eventvwr.msc, and press Enter.

If prompted by UAC, then click/tap on Yes (Windows 7/8) or Continue (Vista).

In the left pane of Event Viewer, double click/tap on Windows Logs to expand it, click on System to select it, then right click on System, and click/tap on Filter Current Log.

Do either step 5 or 6 below for what shutdown events you would like to see.

To see the dates and times of all user shut downs of the computer

A) In Event sources, click/tap on the drop down arrow and check the USER32 box.

B) In the All Event IDs field, type 1074, then click/tap on OK.

C) This will give you a list of power off (shutdown) and restart shutdown type of events at the top of the middle pane in Event Viewer.

D) You can scroll through these listed events to find the events with power off as the shutdown type. You will notice the date and time, and what user was responsible for shutting down the computer per power off event listed.

E) Go to step 7.

To see the dates and times of all unexpected shut downs of the computer

A. In the All Event IDs field type 6008, then click/tap on OK.

B. This will give you a list of unexpected shutdown events at the top of the middle pane in Event Viewer. You can scroll through these listed events to see the date and time of each one.

When finished, you can close Event Viewer.

Other useful event IDs (source)

ID	Description
41	The system has rebooted without cleanly shutting down first.
1074	The system has been shutdown properly by a user or process.
1076	Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause.
6005	The Event Log service was started. Indicates the system startup.
6006	The Event Log service was stopped. Indicates the proper system shutdown.
6008	The previous system shutdown was unexpected.
6009	The operating system version detected at the system startup.
6013	The system uptime in seconds.

Take a look at the Event Log API. Case a) (bluescreen, user cut the power cord or system hang) causes a note ('system did not shutdown correctly' or something like that) to be left in the 'System' event log the next time the system is rebooted properly. You should be able to access it programmatically using the above API (honestly, I've never used it but it should work).

ID	Description
41	The system has rebooted without cleanly shutting down first.
1074	The system has been shutdown properly by a user or process.
1076	Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause.
6005	The Event Log service was started. Indicates the system startup.
6006	The Event Log service was stopped. Indicates the proper system shutdown.
6008	The previous system shutdown was unexpected.
6009	The operating system version detected at the system startup.
6013	The system uptime in seconds.

You may automate your investigation for the last 5 days with this powershell script:

$today = Get-Date
$startDay = $today.AddDays(-5)
$eventIds=(6005,6006,6008,6009,1074,1076,12,13,43,109)
$systEvents=Get-WinEvent -LogName System
$rebootEvents=$systEvents| Where-Object {$_.TimeCreated -gt $startDay} | Where-Object {$_.Id -in $eventIds}
format-table TimeCreated,Id,Message -AutoSize -wrap -InputObject $rebootEvents