ETW - System uptime | artifacts.help

File: System.evtx.

Channels:

User32.
Events: 1074.

Microsoft-Windows-Kernel-General.
Events: 12, 13.

Microsoft-Windows-Kernel-Power.
Events: 41, 42, 109.

Microsoft-Windows-Power-Troubleshooter.
Events: 1.

EventLog.
Events: 6013, 6005, 6006.

Overview

Channel	Events
Channel: `User32`. File: `System.evtx`.	Event `1074: The process <PROCESS_EXE> has initiated the xxx of computer <HOSTNAME> on behalf of user <USERNAME> for the following reason: <SHUTDOWN_REASON_TEXT>`
Channel: `Microsoft-Windows-Kernel-General`. File: `System.evtx`.	Event `12: The operating system started at system time <TIME>`
Channel: `Microsoft-Windows-Kernel-General`. File: `System.evtx`.	Event `13: The operating system is shutting down at system time <TIME>`
Channel: `Microsoft-Windows-Kernel-Power`. File: `System.evtx`.	Event `41: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly`
Channel: `Microsoft-Windows-Kernel-Power`. File: `System.evtx`.	Event `42: The system is entering sleep`
Channel: `Microsoft-Windows-Kernel-Power`. File: `System.evtx`.	Event `109: The kernel power manager has initiated a shutdown transition. Shutdown Reason: <SHUTDOWN_REASON_INT>`
Channel: `Microsoft-Windows-Power-Troubleshooter`. File: `System.evtx`.	Event `1: The system has resumed from sleep`
Channel: `EventLog`. File: `System.evtx`.	Event: `6013: The system uptime is <INT> seconds.`
Channel: `EventLog`. File: `System.evtx`.	Event `6005: The Event log service was started`
Channel: `EventLog`. File: `System.evtx`.	Event `6006: The Event log service was stopped`

Tool(s)

The TurnedOnTimesView utility can be used to parse System.evtx files and determine the time ranges that a system was turned on (by looking as a set of the aforementioned events).

References

Nir Sofer - TurnedOnTimesView README

Tags:

View on GitHub