File: System.evtx.

Channels:

User32.
Events: 1074.

Microsoft-Windows-Kernel-General.
Events: 12, 13.

Microsoft-Windows-Kernel-Power.
Events: 41, 42, 109.

Microsoft-Windows-Power-Troubleshooter.
Events: 1.

EventLog.
Events: 6013, 6005, 6006.

Overview

Channel Events

All of the channels below write to System.evtx.

Channel                                | Event | Message
User32                                 | 1074  | The process <PROCESS_EXE> has initiated the <ACTION> of computer <HOSTNAME> on behalf of user <USERNAME> for the following reason: <SHUTDOWN_REASON_TEXT>
Microsoft-Windows-Kernel-General       | 12    | The operating system started at system time <TIME>
Microsoft-Windows-Kernel-General       | 13    | The operating system is shutting down at system time <TIME>
Microsoft-Windows-Kernel-Power         | 41    | The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly
Microsoft-Windows-Kernel-Power         | 42    | The system is entering sleep
Microsoft-Windows-Kernel-Power         | 109   | The kernel power manager has initiated a shutdown transition. Shutdown Reason: <SHUTDOWN_REASON_INT>
Microsoft-Windows-Power-Troubleshooter | 1     | The system has resumed from sleep
EventLog                               | 6013  | The system uptime is <INT> seconds.
EventLog                               | 6005  | The Event log service was started
EventLog                               | 6006  | The Event log service was stopped

Tool(s)

The TurnedOnTimesView utility can be used to parse System.evtx files and determine the time ranges during which a system was turned on (by looking at the set of events listed above).
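The same reconstruction can be scripted. The following Python is an added example, not code from this page or from TurnedOnTimesView: it assumes the events have already been extracted from System.evtx into records of timestamp, provider and event ID (for instance with python-evtx or Get-WinEvent), rebuilds the power-on periods from the start/stop events above, treats Kernel-General 12/13 and EventLog 6005/6006 logged within a couple of minutes of each other as one transition, subtracts sleep/resume (42 / Power-Troubleshooter 1) to get awake time, uses a second boot with no shutdown in between (and the Kernel-Power 41 logged at the following boot) to flag an unclean end, and cross-checks EventLog 6013 uptime against the boot time it implies. The sample events are constructed.

```python
"""Rebuild power-on periods from System.evtx start/stop events (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# (provider, event id) pairs from the table above, grouped by what they say about power state.
START = {("Microsoft-Windows-Kernel-General", 12), ("EventLog", 6005)}
CLEAN_STOP = {("Microsoft-Windows-Kernel-General", 13), ("EventLog", 6006)}
UNCLEAN_REBOOT = ("Microsoft-Windows-Kernel-Power", 41)
SLEEP = ("Microsoft-Windows-Kernel-Power", 42)
RESUME = ("Microsoft-Windows-Power-Troubleshooter", 1)
UPTIME = ("EventLog", 6013)

# 12 and 6005 (likewise 13 and 6006) describe the same boot or shutdown a few seconds
# apart; start/stop events closer together than this are treated as one transition.
DUPLICATE_TOLERANCE = timedelta(minutes=2)


@dataclass
class Event:
    time: datetime
    provider: str
    event_id: int
    uptime_seconds: Optional[int] = None  # only meaningful for EventLog 6013


@dataclass
class OnPeriod:
    start: datetime
    end: Optional[datetime] = None  # None: no clean shutdown event was logged
    status: str = "open"            # "open", "clean" or "unclean"
    sleeps: List[Tuple[datetime, datetime]] = field(default_factory=list)
    uptime_mismatches: List[Tuple[datetime, timedelta]] = field(default_factory=list)

    def awake_time(self, log_end: datetime) -> Optional[timedelta]:
        """Wall-clock on-time minus time asleep; None when the end of the period is unknown."""
        if self.status == "unclean":
            return None
        end = self.end if self.end is not None else log_end
        asleep = sum((resumed - slept for slept, resumed in self.sleeps), timedelta())
        return end - self.start - asleep


def rebuild_on_periods(events: List[Event]) -> List[OnPeriod]:
    periods: List[OnPeriod] = []
    current: Optional[OnPeriod] = None
    pending_sleep: Optional[datetime] = None
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.provider, ev.event_id)
        if key in START:
            if current is not None:
                if ev.time - current.start <= DUPLICATE_TOLERANCE:
                    continue  # 6005 echoing the 12 that already opened this period
                # A second boot with no shutdown in between: the previous session ended
                # without logging 13/6006 (hang, crash, power loss, forced reset).
                current.status = "unclean"
                periods.append(current)
            current = OnPeriod(start=ev.time)
            pending_sleep = None
        elif key in CLEAN_STOP:
            if current is None:
                continue  # 6006 echoing a 13, or the log starts mid-session
            current.end = ev.time
            current.status = "clean"
            periods.append(current)
            current = None
        elif key == UNCLEAN_REBOOT:
            # 41 is logged at the *next* boot; it confirms the previous period ended abruptly.
            if periods and periods[-1].end is None:
                periods[-1].status = "unclean"
        elif key == SLEEP and current is not None:
            pending_sleep = ev.time
        elif key == RESUME and current is not None and pending_sleep is not None:
            current.sleeps.append((pending_sleep, ev.time))
            pending_sleep = None
        elif key == UPTIME and current is not None and ev.uptime_seconds is not None:
            # 6013 reports seconds since boot: the boot time it implies should match ours.
            implied_boot = ev.time - timedelta(seconds=ev.uptime_seconds)
            drift = abs(implied_boot - current.start)
            if drift > DUPLICATE_TOLERANCE:
                current.uptime_mismatches.append((ev.time, drift))
    if current is not None:
        periods.append(current)  # system was still on when the log ends
    return periods


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (not real log data): one clean day with a nap, one session
# that lost power, and the boot after it that logs Kernel-Power 41.
SAMPLE_EVENTS = [
    Event(parse_time("2024-03-01 08:00:00"), "Microsoft-Windows-Kernel-General", 12),
    Event(parse_time("2024-03-01 08:00:05"), "EventLog", 6005),
    Event(parse_time("2024-03-01 12:00:00"), "EventLog", 6013, uptime_seconds=14400),
    Event(parse_time("2024-03-01 12:30:00"), "Microsoft-Windows-Kernel-Power", 42),
    Event(parse_time("2024-03-01 13:00:00"), "Microsoft-Windows-Power-Troubleshooter", 1),
    Event(parse_time("2024-03-01 17:00:00"), "User32", 1074),  # who requested the shutdown
    Event(parse_time("2024-03-01 17:00:10"), "Microsoft-Windows-Kernel-General", 13),
    Event(parse_time("2024-03-01 17:00:12"), "EventLog", 6006),
    Event(parse_time("2024-03-02 09:00:00"), "Microsoft-Windows-Kernel-General", 12),
    # no 13/6006 after this boot: the machine lost power
    Event(parse_time("2024-03-03 10:00:00"), "Microsoft-Windows-Kernel-General", 12),
    Event(parse_time("2024-03-03 10:00:03"), "Microsoft-Windows-Kernel-Power", 41),
]

if __name__ == "__main__":
    log_end = max(e.time for e in SAMPLE_EVENTS)
    for p in rebuild_on_periods(SAMPLE_EVENTS):
        end = str(p.end) if p.end else "?"
        print(f"{p.start} -> {end:<19} {p.status:8} sleeps={len(p.sleeps)} "
              f"awake={p.awake_time(log_end)} uptime_mismatches={len(p.uptime_mismatches)}")
```

User32 1074 and Kernel-Power 109 are deliberately not used as period boundaries: they record that a shutdown was requested and why, which is useful context once the period is known, but the actual stop time comes from Kernel-General 13 or EventLog 6006.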
