Windows Event Viewer showing system event logs on a monitoring dashboard

Event ID 1100InformationEventLogWindows

Windows Event ID 1100 – EventLog: Event Logging Service Shutdown

Event ID 1100 indicates the Windows Event Log service has shut down, typically during system shutdown or service restart. This informational event helps track service lifecycle and system state changes.

Emanuel DE ALMEIDA

18 March 20268 min read 0

Event ID 1100EventLog 5 methods 8 min

Event Reference

What This Event Means

Event ID 1100 represents the graceful shutdown of the Windows Event Log service. This service, running as Eventlog, is responsible for collecting, storing, and managing all Windows event data across the System, Application, and Security logs. When the service terminates, it generates this final informational event before ceasing all logging operations.

The event typically occurs during planned system shutdowns, service restarts initiated by administrators, or when Windows Update requires service cycling. In enterprise environments, this event helps administrators track service availability and identify unexpected service interruptions that might indicate system problems or security issues.

From a forensic perspective, Event ID 1100 serves as a critical timestamp. Security analysts use this event to establish when logging stopped, which is essential for incident response and compliance auditing. The event helps identify potential evidence tampering attempts where attackers might stop logging services to hide malicious activities.

The event contains minimal data beyond the timestamp and source information. However, its presence or absence provides valuable insights into system state and logging continuity. Missing Event ID 1100 entries might indicate unexpected service crashes or forced terminations rather than graceful shutdowns.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025

Analysis

Possible Causes

Normal system shutdown or restart initiated by users or administrators
Planned maintenance requiring Event Log service restart
Windows Update installation requiring service cycling
Administrative action stopping the EventLog service manually
Group Policy changes affecting event logging configuration
System hibernation or sleep mode transitions
Service dependency changes requiring EventLog restart
Memory pressure causing service restart by Service Control Manager

Resolution Methods

Troubleshooting Steps

Verify Event Context in Event Viewer

Start by examining the context around Event ID 1100 to understand why the service stopped.

Open Event Viewer by pressing Windows + R, typing eventvwr.msc, and pressing Enter
Navigate to Windows Logs → System
Filter for Event ID 1100 by right-clicking the System log and selecting Filter Current Log
Enter 1100 in the Event IDs field and click OK
Examine the timestamp and look for events immediately before and after Event ID 1100
Check for shutdown events (Event ID 1074), service control events, or error messages that might explain the service stop

Pro tip: Look for Event ID 1102 (EventLog service startup) to see when logging resumed after the shutdown.

Query Event Logs with PowerShell

Use PowerShell to analyze Event ID 1100 patterns and correlate with other system events.

Open PowerShell as Administrator

Query recent Event ID 1100 occurrences:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=1100} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize

Correlate with shutdown events:

$StartTime = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1100,1074,1102; StartTime=$StartTime}
$Events | Sort-Object TimeCreated | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize

Check for service-related events around the same time:

$EventTime = (Get-WinEvent -FilterHashtable @{LogName='System'; Id=1100} -MaxEvents 1).TimeCreated
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$EventTime.AddMinutes(-5); EndTime=$EventTime.AddMinutes(5)} | Where-Object {$_.Id -in @(7034,7035,7036)} | Format-Table TimeCreated, Id, ProviderName, Message

Check EventLog Service Status and Configuration

Verify the EventLog service configuration and current status to ensure proper operation.

Check current service status:

Get-Service -Name EventLog | Format-List Name, Status, StartType, ServiceType

Review service configuration in the registry:

Get-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" | Select-Object Start, Type, ErrorControl

Open Services.msc and locate Windows Event Log
Right-click the service and select Properties
Verify the Startup type is set to Automatic
Check the Dependencies tab to ensure required services are running
Review the service account under the Log On tab (should be Local System)

Warning: Never manually stop the EventLog service in production environments as it will halt all event logging.

Analyze System Shutdown Patterns

Investigate whether Event ID 1100 correlates with unexpected shutdowns or system issues.

Query shutdown events with detailed information:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074} -MaxEvents 10 | ForEach-Object {
    $Message = $_.Message
    $TimeCreated = $_.TimeCreated
    [PSCustomObject]@{
        Time = $TimeCreated
        User = ($Message -split '\n')[1] -replace 'User: ', ''
        Reason = ($Message -split '\n')[4] -replace 'Reason: ', ''
        Type = ($Message -split '\n')[2] -replace 'Process: ', ''
    }
} | Format-Table -AutoSize

Check for unexpected shutdowns (dirty boot events):

Get-WinEvent -FilterHashtable @{LogName='System'; Id=6008} -MaxEvents 5 | Format-Table TimeCreated, Message -Wrap

Review system uptime patterns:

$BootTime = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$Uptime = (Get-Date) - $BootTime
Write-Host "System uptime: $($Uptime.Days) days, $($Uptime.Hours) hours, $($Uptime.Minutes) minutes"

Check Windows Update history for correlation:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 | Format-Table HotFixID, Description, InstalledOn -AutoSize

Monitor EventLog Service Health and Performance

Implement monitoring to track EventLog service behavior and prevent unexpected shutdowns.

Create a PowerShell monitoring script:

# Save as Monitor-EventLogService.ps1
while ($true) {
    $Service = Get-Service -Name EventLog
    $Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    
    if ($Service.Status -ne 'Running') {
        Write-Warning "$Timestamp - EventLog service is $($Service.Status)"
        # Send alert or restart service if needed
    } else {
        Write-Host "$Timestamp - EventLog service is running normally"
    }
    
    Start-Sleep -Seconds 300  # Check every 5 minutes
}

Set up Event Log monitoring with Windows Performance Toolkit:

wevtutil sl System /ms:1048576000  # Increase System log size to 1GB
wevtutil sl Application /ms:1048576000
wevtutil sl Security /ms:1048576000

Configure automatic service recovery in Services.msc:
Open Services.msc → Windows Event Log → Properties
Go to the Recovery tab and set:
First failure: Restart the Service
Second failure: Restart the Service
Subsequent failures: Restart the Service

Create a scheduled task to monitor service health:

$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-EventLogService.ps1"
$Trigger = New-ScheduledTaskTrigger -AtStartup
$Principal = New-ScheduledTaskPrincipal -UserID "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "EventLog Service Monitor" -Action $Action -Trigger $Trigger -Principal $Principal

Overview

Event ID 1100 from the EventLog source fires when the Windows Event Log service (Eventlog) terminates. This event appears in the System log during normal system shutdowns, service restarts, or when the Event Log service stops for maintenance. The event serves as a timestamp marker indicating when event logging ceased on the system.

This event is particularly valuable for forensic analysis and system monitoring. When investigating system issues or security incidents, Event ID 1100 helps establish the timeline of when logging stopped. The event typically appears as the last entry before a system shutdown or service interruption.

The EventLog service manages all Windows event logging functionality. When this service stops, no further events can be recorded until it restarts. Event ID 1100 provides crucial context for understanding gaps in event logs and correlating system activities with service availability.

Frequently Asked Questions

What does Event ID 1100 mean and should I be concerned?+

Event ID 1100 indicates the Windows Event Log service has shut down gracefully. This is typically normal behavior during system shutdowns, restarts, or planned maintenance. You should only be concerned if you see this event without corresponding shutdown events (ID 1074) or if it occurs frequently during normal operations, which might indicate service instability or system issues.

How can I tell if Event ID 1100 was caused by a normal shutdown or system problem?+

Check the events immediately before Event ID 1100 in the System log. Normal shutdowns will show Event ID 1074 (system shutdown initiated) shortly before the EventLog service stops. Look for the user account and reason code in Event ID 1074. If you see error events, service crashes, or no shutdown event before ID 1100, this might indicate an unexpected service termination or system problem.

Why do I see Event ID 1100 but no corresponding startup event?+

If you see Event ID 1100 without a corresponding Event ID 1102 (EventLog service startup), the service might have crashed or been forcibly terminated. Check for Event ID 7034 (service crashed unexpectedly) or 7031 (service terminated unexpectedly) in the System log. This could indicate memory issues, corrupted event logs, or system instability requiring investigation.

Can Event ID 1100 indicate a security issue or attack?+

While Event ID 1100 itself is benign, attackers sometimes stop the EventLog service to hide malicious activities. Investigate if you find Event ID 1100 during unusual hours, without corresponding shutdown events, or if preceded by suspicious activities. Check for administrative logons, service control events, and any gaps in security logging that might indicate tampering attempts.

How do I prevent frequent Event ID 1100 occurrences that aren't related to shutdowns?+

Frequent unexpected Event ID 1100 events usually indicate service instability. Check system memory usage, disk space for event logs, and review the EventLog service configuration. Increase event log sizes using 'wevtutil sl System /ms:1048576000', ensure adequate system resources, and configure service recovery options in Services.msc. Monitor for memory leaks or applications that might be interfering with the EventLog service.

Documentation

References (2)

Windows Event Log Service OverviewOfficial Microsoft documentation covering the Windows Event Log service architecture and functionality.https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging

Event Logging Functions ReferenceMicrosoft API reference for event logging functions and service management.https://docs.microsoft.com/en-us/windows/win32/api/_eventlog/

Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Related Windows Events

Event 6013

EventLog

Windows EventInformation

Windows Event ID 6013 – EventLog: System Uptime Information

Event ID 6013 records system uptime information in the System log, indicating how long Windows has been running since the last boot or restart.

March 188 min

Event 6009

EventLog

Windows EventInformation

Windows Event ID 6009 – EventLog: Microsoft Windows Kernel Boot Information

Event ID 6009 records Windows kernel boot information including processor details, memory configuration, and system architecture during system startup.

March 188 min