Windows event codes for startup/shutdown lock/unlock

Tags: eventviewer, windows, windows-event-log

I'm trying to build up a list of event IDs that can be used to determine when the machine has been shut down, started up, locked and unlocked. So far, I've found 6 event IDs which seem to be the best candidates, but I was wondering if there was a better way of determining it.

Below is a list of event IDs I've found to be useful (1, 1074, 6005, 6006, 4800, 4801) from the 'Power-Troubleshooter', 'User32', 'EventLog' and 'Microsoft Windows security auditing' sources. These are from Windows 10 (v1511) and currently Windows 10 is my only target requirement as this is what all of the client machines run.

List of event IDs

Here is an example filter query I've built up which

<QueryList>
  <Query Id="0" Path="System">
    <!-- Shutdown -->
    <Select Path="System">*[System[Provider[@Name='User32'] and (EventID=1074) and TimeCreated[@SystemTime &gt;= '2017-11-28T00:00:00.0000000']]]</Select>

    <!-- Event Service Stop/Start -->
    <Select Path="System">*[System[Provider[@Name='eventlog'] and (EventID=6005 or EventID=6006) and TimeCreated[@SystemTime &gt;= '2017-11-28T00:00:00.0000000']]]</Select>

    <!-- Startup -->
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and (EventID=1) and TimeCreated[@SystemTime &gt;= '2017-11-28T00:00:00.0000000']]]</Select>

    <!-- Machine Lock/Unlock -->
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4800 or EventID=4801) and TimeCreated[@SystemTime &gt;= '2017-11-28T00:00:00.0000000']]]</Select>
  </Query>
</QueryList>

I've deliberately split the sources out in the query and they can be joined together but this sacrifices readability IMO.

My question is whether there is a better group of event IDs or a better query that I can use? Are there event IDs that I'm missing or that I'm doubling up on?

Additional:
Sometimes (for instance if you're in a managed domain), you may need to enable the events for logging on and off via the Local Group Policy Editor (gpedit). You can do this by following the below steps:

  1. Open the Task Manager then File > Run new task.
  2. Type gpedit.msc, check Create this task with administrative privileges, and click OK.
  3. In the Local Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff.
  4. In the side panel, ensure the following categories have been set to Success and Failure. If they're not, double-click and enable them:
    • Audit Other Logon/Logoff Events (Success and Failure)
    • Audit Logon (Success and Failure)
    • Audit Logoff (Success and Failure)

Best Answer

Referring to your request about startup and shutdown event IDs, I made the list below based on a Windows 10 machine. The main point is that depending on the shutdown action (planned reboot, planned shutdown, unexpected shutdown or LSASS process crash), the generated events will be different:

  • 1074 The process Explorer.EXE has initiated the shutdown of computer on behalf of user for the following reason: Other (Unplanned)
  • 6006 The Event log service was stopped.
  • 109 The kernel power manager has initiated a shutdown transition.
  • 13 The operating system is shutting down at system time
  • 20 The last shutdown's success status was true. The last boot's success status was true.
  • 12 The operating system started at system time
  • 6005 The Event log service was started.
  • 6013 The system uptime is 10 seconds.

To make a clear overview on those different shutdown actions, I made the following table. Hope it will help.

(table image: shutdown events)
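The question's filter and the answer's extra IDs, run together and folded into a timeline, as an added PowerShell example that is not from either post. The provider names I attach to the answer's kernel events (12/13 Kernel-General, 20 Kernel-Boot, 109 Kernel-Power) and the -Since parameter are my own assumptions, not stated on the page.

```powershell
# Added example: run the question's query (plus the answer's extra IDs) with Get-WinEvent
# and turn the hits into a chronological timeline. Reading the Security log needs an
# elevated shell, and 4800/4801 only appear once the audit policy from the question is on.
param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed parameter, not from the page

$sinceUtc = $Since.ToUniversalTime().ToString('o')  # XPath SystemTime compares in UTC
# Provider names for the answer's kernel events (12/13/20/109) are my assumption, not the page's.
$query = @"
<QueryList><Query Id="0">
  <Select Path="System">*[System[Provider[@Name='User32'] and EventID=1074 and TimeCreated[@SystemTime &gt;= '$sinceUtc']]]</Select>
  <Select Path="System">*[System[Provider[@Name='EventLog'] and (EventID=6005 or EventID=6006 or EventID=6013) and TimeCreated[@SystemTime &gt;= '$sinceUtc']]]</Select>
  <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12 or EventID=13) and TimeCreated[@SystemTime &gt;= '$sinceUtc']]]</Select>
  <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Boot'] and EventID=20 and TimeCreated[@SystemTime &gt;= '$sinceUtc']]]</Select>
  <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and EventID=109 and TimeCreated[@SystemTime &gt;= '$sinceUtc']]]</Select>
  <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and EventID=1 and TimeCreated[@SystemTime &gt;= '$sinceUtc']]]</Select>
  <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4800 or EventID=4801) and TimeCreated[@SystemTime &gt;= '$sinceUtc']]]</Select>
</Query></QueryList>
"@

# Human-readable meaning of each ID, taken from the question and the answer above.
$meaning = @{
  1074 = 'shutdown/restart requested';   109  = 'kernel power: shutdown transition'
  13   = 'OS shutting down';             6006 = 'event log service stopped'
  12   = 'OS started';                   6005 = 'event log service started'
  6013 = 'uptime report';                20   = 'last shutdown/boot success status'
  1    = 'resumed from low-power state'; 4800 = 'workstation locked'; 4801 = 'workstation unlocked'
}

$events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | Sort-Object TimeCreated
if (-not $events) { Write-Warning "No matching events since $Since"; return }

# Chronological timeline across both logs.
$events | ForEach-Object {
  [pscustomobject]@{
    Time     = $_.TimeCreated
    Id       = $_.Id
    Log      = $_.LogName
    Provider = $_.ProviderName
    Meaning  = $meaning[$_.Id]
  }
} | Format-Table -AutoSize

# Pair each lock (4800) with the next unlock (4801) to report how long the console stayed locked.
$lockStart = $null
foreach ($e in $events) {
  if ($e.Id -eq 4800) { $lockStart = $e.TimeCreated }
  elseif ($e.Id -eq 4801 -and $lockStart) {
    '{0:u} locked for {1}' -f $lockStart, ($e.TimeCreated - $lockStart)
    $lockStart = $null
  }
}
```

A shutdown with no matching 12/6005 afterwards, or a 12 with no preceding 13/6006, is the gap to look for when checking for unexpected power loss.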
