Windows Forensics - PSJoshi/Notes GitHub Wiki
Windows Shutdown events
In Windows 10 the System event log records several events around shutdown and restart. The ones that matter for building a timeline are:
- Event ID 1074 (source User32) - Logged when a process or user initiates a shutdown or restart, for example Windows Update or shutdown.exe. The message names the process, the user on whose behalf it acted, and the shutdown reason.
- Event ID 6005 (source EventLog) - "The Event log service was started": the system booted.
- Event ID 6006 (source EventLog) - "The Event log service was stopped": the clean shutdown marker, meaning Windows 10 was turned off in an orderly way.
- Event ID 6008 (source EventLog) - Indicates a dirty/improper shutdown. It is written at the next boot when the previous shutdown was unexpected, e.g. power loss or a BSoD (bug check). The time of the unexpected shutdown is carried in the message text; the event's own timestamp is the time of the boot that logged it.
The most recent Event ID 6006 gives the last clean shutdown time, and the next entry with Event ID 6005 gives the time the PC was started again. The difference between the two timestamps is the downtime, i.e. how long the machine sat completely powered off. For an unexpected shutdown the same calculation uses the shutdown time quoted in the 6008 message and the following 6005. The difference between the current time and the most recent 6005 gives the current uptime (not a total across reboots).
Command line to find out uptime and other parameters (the "Statistics since" line is the time the Workstation service started, which is effectively the last boot):
C:\> net stats workstation
Caveat: with Fast Startup enabled (the Windows 10 default) a "shutdown" hibernates the kernel session, so this counter, Task Manager's uptime and Win32_OperatingSystem.LastBootUpTime only reset on a restart or a full shutdown. Cross-check against the latest 6005 event rather than trusting the counter alone.
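The following PowerShell is an added example, not from the wiki page: it pulls the shutdown-related events from the System log, prints a timeline showing which process or user initiated each shutdown, pairs each clean 6006 with the next 6005 to compute downtime, and compares the kernel boot time with the latest 6005. The event IDs and providers are as documented by Microsoft; the output layout is this example's own choice, and 6008 shutdown times are left in the message text rather than parsed, because that text is locale-dependent.

```powershell
# Added example (not the wiki's own code): shutdown/startup timeline, downtime
# per clean shutdown, and an uptime cross-check. Run as a user able to read the
# System log (elevated PowerShell is the safe choice on hardened hosts).

$ids = 1074, 6005, 6006, 6008
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

# 1. Timeline: provider, ID and the first line of the message. For 1074 that line
#    names the initiating process and computer; for 6008 it quotes the time of the
#    unexpected shutdown (the event itself is stamped at the following boot).
Write-Host "== Timeline =="
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    '{0:u}  {1,-8} {2,5}  {3}' -f $e.TimeCreated, $e.ProviderName, $e.Id, $firstLine
}

# 2. Downtime: each clean shutdown (6006) paired with the next startup (6005).
#    Dirty shutdowns are deliberately not paired here; read their time from the
#    6008 message in the timeline above.
$pending = $null
$downtime = foreach ($e in $events) {
    switch ($e.Id) {
        6006 { $pending = $e.TimeCreated }
        6005 {
            if ($pending) {
                [pscustomobject]@{
                    StoppedAt = $pending
                    StartedAt = $e.TimeCreated
                    Downtime  = $e.TimeCreated - $pending
                }
                $pending = $null
            }
        }
    }
}
Write-Host "== Downtime per clean shutdown =="
$downtime | Format-Table -AutoSize

# 3. Uptime cross-check. LastBootUpTime is the same figure 'net stats workstation'
#    and Task Manager report; with Fast Startup it survives a "shutdown", so a
#    6005 newer than LastBootUpTime means the host hibernated rather than rebooted.
$os       = Get-CimInstance Win32_OperatingSystem
$last6005 = ($events | Where-Object Id -eq 6005 | Select-Object -Last 1).TimeCreated
Write-Host "== Uptime cross-check =="
[pscustomobject]@{
    LastBootUpTime = $os.LastBootUpTime
    Uptime         = (Get-Date) - $os.LastBootUpTime
    Last6005       = $last6005
    FastStartup    = ($last6005 -and $last6005 -gt $os.LastBootUpTime.AddMinutes(1))
} | Format-List
```

Run it as-is on a Windows 10 host; on a machine with Fast Startup enabled, expect LastBootUpTime to be older than the latest 6005 and the FastStartup flag to be true, which is exactly the discrepancy the caveat above warns about.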
Interesting forensics links:
- Windows desktop forensics - https://www.slideshare.net/rx178titan/desktop-forensics-windows
- Windows forensics evidence - https://www.eshlomo.us/windows-forensics-analysis-evidence/
- Investigating the Windows registry for evidence - https://netseedblog.com/security/windows-registry-forensics-investigating-the-registry-for-evidence/
- The UserAssist key in Windows - https://www.scitepress.org/Papers/2017/64167/64167.pdf