How to monitor computer start-ups and shut-downs?

Keeping track of computer startup and shutdown enables an organization to monitor computer usage, and helps in accelerating forensic analysis in case of a mishap.

Review your computer start-up and shut-down periods Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

Comprehensive reports to track computer start-ups and shut-downs.

ADAudit Plus is a comprehensive Active Directory auditing solution that will help you monitor, and audit local logon and logoffs by domain users. It can also track other critical events that can lead to network disruptions. Using ADAudit Plus, you can keep a track of startups and shutdowns in all the computers within your domain.

The pre-built reports of the solution that provide the details on computer startups and shutdowns can be automatically generated and emailed to you at specified intervals. You can also export these reports to a format of your choice. Here is how you can access the computer startup and shutdown reports using ADAudit Plus:

Login to ADAudit Plus → Go to the Reports tab → Under Local Logon-Logoff Reports → navigate to the Computer Startup and Shutdown report.

  • file access report
    • The details you can get in this report are:
      1. Computer name
      2. The user who initiated the action
      3. The time at which computer startup occurred
      4. The time at which computer shutdown occurred
      5. The time of the last logoff
      6. Active hours (the amount of time the computer was logged in / duration between a startup and corresponding shutdown)
      7. Type of shutdown (there are two types of shutdown - the one that occurs when the computer is actually shutdown and the temporary shutdown that occurs when the device is restarted. )
      8. The computer process which triggered the shutdown
  • You can also track when a computer was last started up and shut down using the "Computer Last Startup and Shutdown " report. This report can provide details regarding who performed the action, when it occurred and the process that triggered the startup or shutdown.

    Login to ADAudit Plus → Go to the Reports tab → Under Local Logon-Logoff Reports → navigate to the Computer Startup and Shutdown report.

  • file access report

With native AD auditing, here is how you can monitor the computer startups and shutdowns:

  • Step 1: Enable 'Audit logon events' policy
  • Launch 'Server Manager' in your Windows Server instance.

  • Under Manage, select 'Group Policy Management' and launch the Group Policy Management console.

  • Navigate to Forest --> Domain --> Your domain --> Domain Controllers.

  • Create a new GPO and link it to the domain containing the computer object, or edit any existing GPO that is linked to the domain to open the 'Group Policy Management Editor'.

  • Navigate to Computer Configuration -> Windows Settings -> Security Settings ->Local Policies -> Audit Policy.

  • Under Audit Policy, select 'Audit system events' and turn auditing on for both Success and Failure events.

  • Step 2: Enable 'Logon/Logoff' auditing
  • Now, navigate to Computer Configuration -> Windows Settings -> Security Settings ->Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy Object -> System.

  • Under System, enable auditing for 'Audit Security State Change', (Turn on auditing for both successes and failures).

  • Step 3: Track Computer startup and shutdown in Event Viewer
  • Every time a user starts or shuts down a computer, an event log will be recorded in the Event Viewer. These event logs can be used to track computer active hours. To view these audit logs, go to the Event Viewer. Under Windows Logs, select System. You can find all the audit logs in the middle pane as displayed below.

  • To filter the event logs to view just the logs associated with computer startup and shutdown, select 'Filter Current Log' from the right pane. Simply search for the event ID 6005 (Computer was started), 6006 (Computer was shut down). You can see when the computer was started up and shut down.

  • Using this information, you can identify when a computer was shut down or started up. This process needs to be repeated several times if you want to monitor multiple devices.

Native auditing becoming a little too much?

Simplify computer startup and shutdown auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request Support


One of our solution experts will get in touch with you shortly.

    Please enter business email address
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.