Windows Event ID 1104 – Microsoft-Windows-Eventlog: Event Log Service Shutdown

Open Event Viewer to examine the Event ID 1104 details and surrounding events:

1. Press Windows + R, type eventvwr.msc, and press Enter
2. Navigate to Windows Logs → System
3. Filter the log by clicking Filter Current Log in the Actions pane
4. Enter 1104 in the Event IDs field and click OK
5. Double-click the Event ID 1104 entry to view details
6. Check the timestamp and correlate with other shutdown events (1074, 6006, 6008)
7. Review the General tab for basic information and Details tab for XML data

Look for patterns in shutdown frequency and timing. Multiple Event ID 1104 entries in short succession may indicate system instability or forced restarts.

Use PowerShell to analyze Event ID 1104 occurrences and correlate with other system events:

# Get recent Event ID 1104 entries
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1104} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize

# Correlate with shutdown events
$shutdownEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074,1104,6006,6008} -MaxEvents 50
$shutdownEvents | Sort-Object TimeCreated -Descending | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize

# Export shutdown timeline for analysis
$shutdownEvents | Export-Csv -Path "C:\temp\shutdown_timeline.csv" -NoTypeInformation

This method provides comprehensive shutdown event correlation and helps identify patterns in system behavior.

Check the Event Log service configuration and status to ensure proper operation:

# Check Event Log service status
Get-Service -Name EventLog | Format-List Name, Status, StartType, ServiceType

# View service dependencies
Get-Service -Name EventLog -DependentServices
Get-Service -Name EventLog -RequiredServices

# Check service configuration in registry
Get-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" | Select-Object Start, Type, ErrorControl

Verify the service is configured for automatic startup and examine any dependency issues that might affect shutdown behavior. The Event Log service should have a Start value of 2 (automatic) in the registry.

Create comprehensive reports to identify shutdown patterns and potential issues:

# Generate shutdown frequency report
$last30Days = (Get-Date).AddDays(-30)
$shutdowns = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1104; StartTime=$last30Days}

# Group by date to identify shutdown frequency
$shutdowns | Group-Object {$_.TimeCreated.Date} | Sort-Object Name | Format-Table Name, Count -AutoSize

# Check for unexpected shutdowns (Event ID 6008)
$unexpectedShutdowns = Get-WinEvent -FilterHashtable @{LogName='System'; Id=6008; StartTime=$last30Days} -ErrorAction SilentlyContinue
if ($unexpectedShutdowns) {
    Write-Host "Unexpected shutdowns detected:" -ForegroundColor Yellow
    $unexpectedShutdowns | Format-Table TimeCreated, Message -AutoSize
}

This analysis helps identify whether shutdowns are planned or unexpected, and can reveal system stability issues requiring attention.

Set up proactive monitoring for Event Log service shutdowns and system events:

# Create custom event log view for shutdown monitoring
$filterXML = @"

  
    *[System[(EventID=1104 or EventID=1074 or EventID=6006 or EventID=6008)]]
  

"@

# Query using custom filter
Get-WinEvent -FilterXml $filterXML -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize

For enterprise monitoring, configure Windows Event Forwarding (WEF) to centralize Event ID 1104 collection:

1. Open Group Policy Management Console
2. Navigate to Computer Configuration → Administrative Templates → Windows Components → Event Forwarding
3. Enable Configure target Subscription Manager
4. Set the collector server URL: Server=http://collector.domain.com:5985/wsman/SubscriptionManager/WEC

Create subscription filters to collect shutdown events across your infrastructure for centralized analysis and alerting.