Event ID 6 | Information | Kernel-General | Windows

Windows Event ID 6 – Kernel-General: System Shutdown Initiated

Event ID 6 from Kernel-General indicates a system shutdown has been initiated. This informational event logs when Windows begins the shutdown process, providing essential audit trail information for system administrators.

Emanuel DE ALMEIDA
18 March 2026, 9 min read
Event Reference

What This Event Means

Event ID 6 represents a fundamental system-level notification that Windows generates when the kernel begins executing shutdown procedures. This event occurs regardless of whether the shutdown was initiated by a user, administrator, application, or system process. The Kernel-General source indicates this event originates from the Windows kernel itself, making it one of the most authoritative shutdown indicators available.

The event captures essential metadata including the shutdown initiation timestamp, which becomes crucial for forensic analysis and system monitoring. In enterprise environments, this event helps administrators track system availability metrics and identify patterns in shutdown behavior that might indicate hardware issues, software conflicts, or unauthorized access.

Windows 2026 versions have enhanced Event ID 6 with improved correlation capabilities, allowing administrators to better link shutdown events with preceding warning signs or system stress indicators. The event integrates with Windows Event Forwarding (WEF) and can be centrally collected for organization-wide shutdown monitoring. This makes it invaluable for maintaining SLA compliance and investigating service disruptions.

The timing of Event ID 6 is significant because it occurs before most application and service shutdown events, providing a clear marker for when the shutdown process began. This temporal relationship helps administrators understand the sequence of events leading to system unavailability and can reveal whether shutdowns were graceful or forced.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User-initiated shutdown through Start menu or Alt+F4
  • Administrative shutdown via shutdown.exe command or PowerShell
  • Automatic shutdown triggered by Windows Update installations
  • System shutdown initiated by third-party applications or scripts
  • Remote shutdown commands executed via RDP or management tools
  • Scheduled shutdown tasks configured in Task Scheduler
  • Group Policy enforced shutdown policies
  • System Management Interrupt (SMI) triggered shutdowns
  • Critical system error recovery shutdowns
  • Power management initiated shutdowns due to battery or thermal conditions
Resolution Methods

Troubleshooting Steps

01. Review Event Viewer for Shutdown Context

Start by examining the Event ID 6 details and surrounding events to understand the shutdown context.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > System
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 6 in the Event IDs field and click OK
  5. Double-click the most recent Event ID 6 to view detailed information
  6. Note the timestamp and examine events occurring 5-10 minutes before the shutdown
  7. Look for related events like Event ID 1074 (user shutdown), 1076 (shutdown reason), or application error events
Pro tip: Check the General tab for shutdown reason codes and the Details tab for additional XML data that might reveal the shutdown trigger.

02. Use PowerShell to Analyze Shutdown Patterns

Leverage PowerShell to query and analyze Event ID 6 occurrences for patterns and trends.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 6 entries:
    Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=6} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize
  3. Analyze shutdown frequency over the past 30 days:
    $shutdowns = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=6; StartTime=(Get-Date).AddDays(-30)}
    $shutdowns | Group-Object {$_.TimeCreated.Date} | Sort-Object Name | Format-Table Name, Count
  4. Export shutdown data for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=6} -MaxEvents 100 | Export-Csv -Path "C:\temp\shutdown_events.csv" -NoTypeInformation
  5. Correlate with Event ID 1074 for user-initiated shutdowns:
    $timeRange = (Get-Date).AddHours(-1)
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074; StartTime=$timeRange} | Format-List TimeCreated, Message

03. Configure Advanced Shutdown Logging

Enable enhanced shutdown logging to capture more detailed information about future shutdown events.

  1. Open Registry Editor as Administrator
  2. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
  3. Create a new DWORD value named ShutdownReasonOn and set it to 1
  4. Navigate to HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Reliability
  5. Create a DWORD named ShutdownReasonUI and set it to 1 to enable the shutdown reason dialog
  6. Configure Group Policy for enhanced logging:
    • Open gpedit.msc
    • Navigate to Computer Configuration > Administrative Templates > System
    • Enable Display Shutdown Event Tracker
  7. Restart the system for changes to take effect
Warning: Enabling Shutdown Event Tracker will prompt users for shutdown reasons, which may impact user experience in desktop environments.

04. Implement Centralized Shutdown Monitoring

Set up Windows Event Forwarding to centrally monitor Event ID 6 across multiple systems.

  1. Configure the collector server:
    winrm quickconfig
    wecutil qc
  2. Create a custom subscription XML file:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
      <SubscriptionId>ShutdownMonitoring</SubscriptionId>
      <SubscriptionType>SourceInitiated</SubscriptionType>
      <Description>Monitor Event ID 6 shutdowns</Description>
      <Enabled>true</Enabled>
      <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
      <Query><![CDATA[<QueryList><Query Id="0"><Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=6)]]</Select></Query></QueryList>]]></Query>
    </Subscription>
  3. Import the subscription:
    wecutil cs shutdown_monitoring.xml
  4. Configure source computers to forward events:
    winrm set winrm/config/client @{TrustedHosts="CollectorServerName"}
  5. Verify subscription status:
    wecutil gs ShutdownMonitoring

05. Advanced Forensic Analysis with WPA and ETW

Use Windows Performance Analyzer and Event Tracing for Windows for deep shutdown analysis.

  1. Install the Windows Performance Toolkit from the Windows SDK
  2. Create a custom ETW session for shutdown tracking:
    wpr -start GeneralProfile -start CPU -start DiskIO
  3. Reproduce the shutdown scenario or wait for the next occurrence
  4. Stop the trace after shutdown:
    wpr -stop C:\temp\shutdown_trace.etl
  5. Analyze the trace with WPA:
    wpa C:\temp\shutdown_trace.etl
  6. In WPA, load the System Activity graph and filter for shutdown-related events
  7. Examine the timeline leading up to Event ID 6 to identify triggering processes
  8. Cross-reference with Process and Thread Activity to identify the shutdown initiator
  9. Export findings for documentation:
    wpa -i C:\temp\shutdown_trace.etl -o C:\temp\shutdown_analysis.txt -profile shutdown_analysis.wpaProfile
Pro tip: ETW traces can reveal kernel-level shutdown triggers that don't appear in standard event logs, making this method invaluable for investigating mysterious shutdowns.

Overview

Event ID 6 from the Kernel-General source fires whenever Windows initiates a system shutdown sequence. This event appears in the System log and serves as a critical audit point for tracking when and why systems are being shut down. Unlike Event ID 1074, which logs user-initiated shutdowns, Event ID 6 captures the kernel-level shutdown initiation regardless of the trigger source.

This event is particularly valuable for system administrators monitoring server uptime, investigating unexpected shutdowns, and maintaining compliance audit trails. The event fires early in the shutdown process, before most services are terminated, making it one of the most reliable indicators of intentional shutdown activity.

In Windows Server environments, this event helps distinguish between planned maintenance shutdowns and unexpected system terminations. The event provides timestamp information crucial for correlating shutdown events with maintenance windows, user activity, or system failures. Modern Windows versions in 2026 have enhanced this event with additional context data for better troubleshooting capabilities.

Frequently Asked Questions

What is the difference between Event ID 6 and Event ID 1074?
Event ID 6 from Kernel-General logs when the Windows kernel initiates the shutdown process, while Event ID 1074 from User32 specifically logs user-initiated shutdowns with reason codes. Event ID 6 occurs for all shutdowns regardless of the trigger, making it more comprehensive but less specific about the shutdown cause. Event ID 1074 provides detailed information about who initiated the shutdown and why, but only fires for user-initiated shutdowns. Both events are valuable for different aspects of shutdown monitoring and should be analyzed together for complete visibility.
Why do I see Event ID 6 without a corresponding Event ID 1074?
Event ID 6 appears without Event ID 1074 when the shutdown is initiated by system processes, applications, or automated mechanisms rather than direct user action. This includes Windows Update automatic restarts, scheduled shutdowns, Group Policy enforced shutdowns, critical system errors, or third-party applications triggering shutdowns. Power management shutdowns due to low battery or thermal protection also generate Event ID 6 without 1074. To identify the actual trigger, examine events occurring before Event ID 6, check Task Scheduler for automated tasks, and review application logs for shutdown requests.
How can I prevent unauthorized shutdowns based on Event ID 6 analysis?
To prevent unauthorized shutdowns, first analyze Event ID 6 patterns to identify suspicious timing or frequency. Enable Shutdown Event Tracker through Group Policy to require shutdown reasons, making unauthorized shutdowns more difficult and traceable. Configure user rights assignment to restrict 'Shut down the system' privilege to authorized users only. Implement PowerShell script monitoring that alerts on Event ID 6 occurrences outside maintenance windows. Use Windows Event Forwarding to centrally monitor shutdown events across your environment. Consider implementing just-in-time admin access to reduce the number of users with shutdown privileges, and audit shutdown events regularly to detect patterns indicating potential security issues.
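
The correlation with Event ID 1074 from method 02 and the alerting outside maintenance windows mentioned in this answer can be combined in one script. The following is an added example, not code from the original article; the function name, the 01:00-04:00 window and the 5-minute lookback are assumptions.

```powershell
# Added example, not from the article. Window and lookback values are assumptions.
function Get-ShutdownVerdict {
    param(
        [Parameter(Mandatory)] [object[]] $KernelEvents,  # Event ID 6 records
        [object[]] $UserEvents = @(),                     # Event ID 1074 records
        [TimeSpan] $WindowStart = '01:00',                # hypothetical daily window
        [TimeSpan] $WindowEnd   = '04:00',
        [int] $LookbackMinutes  = 5
    )
    foreach ($k in ($KernelEvents | Sort-Object TimeCreated)) {
        $from = $k.TimeCreated.AddMinutes(-$LookbackMinutes)
        # Closest Event ID 1074 logged shortly before this Event ID 6, if any
        $match = $UserEvents |
            Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -le $k.TimeCreated } |
            Sort-Object TimeCreated -Descending |
            Select-Object -First 1
        $tod = $k.TimeCreated.TimeOfDay
        if ($WindowStart -le $WindowEnd) {
            $inWindow = $tod -ge $WindowStart -and $tod -lt $WindowEnd
        } else {
            # Window spans midnight, e.g. 22:00-02:00
            $inWindow = $tod -ge $WindowStart -or $tod -lt $WindowEnd
        }
        $verdict = if ($inWindow) { 'OK' } elseif ($match) { 'REVIEW' } else { 'ALERT' }
        [pscustomobject]@{
            TimeCreated = $k.TimeCreated
            InWindow    = $inWindow
            Has1074     = [bool]$match
            Verdict     = $verdict
            Detail1074  = if ($match) { $match.Message } else { $null }
        }
    }
}

# Constructed sample records (not real log data) so the logic can be run offline
$k6 = '2026-03-10 02:15', '2026-03-11 14:40', '2026-03-12 23:05' |
    ForEach-Object { [pscustomobject]@{ TimeCreated = [datetime]$_ } }
$u1074 = @([pscustomobject]@{
    TimeCreated = [datetime]'2026-03-11 14:39'
    Message     = 'constructed Event ID 1074 text'
})
Get-ShutdownVerdict -KernelEvents $k6 -UserEvents $u1074 | Format-Table -AutoSize

# Live use on a Windows host:
# $k6    = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=6}
# $u1074 = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074}
```

A shutdown outside the window with no preceding Event ID 1074 is rated ALERT, one outside the window with a 1074 record is rated REVIEW, and anything inside the window is rated OK.
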
Can Event ID 6 help troubleshoot unexpected system shutdowns?
Yes, Event ID 6 is crucial for troubleshooting unexpected shutdowns because it provides the exact timestamp when the shutdown process began. Compare this timestamp with application logs, system performance counters, and hardware monitoring data to identify what triggered the shutdown. Look for events immediately preceding Event ID 6, such as critical errors, application crashes, or hardware failures. The absence of Event ID 6 in cases where the system went down indicates an ungraceful shutdown like a power failure or blue screen. Use PowerShell to correlate Event ID 6 with other system events and create timeline analysis to identify patterns in unexpected shutdowns.
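
The "absence of Event ID 6" check described above, as an added example that is not part of the original article. It assumes Kernel-General Event ID 12 (operating system started) as the boot marker; the function name is hypothetical.

```powershell
# Added example, not from the article. Flags boots that have no Event ID 6
# between the previous boot and this one (the ungraceful-shutdown case).
# Assumption: Kernel-General Event ID 12 timestamps are used as boot markers.
function Find-UngracefulBoot {
    param(
        [Parameter(Mandatory)] [datetime[]] $BootTimes,   # Event ID 12 timestamps
        [datetime[]] $ShutdownTimes = @()                 # Event ID 6 timestamps
    )
    $boots = @($BootTimes | Sort-Object)
    for ($i = 1; $i -lt $boots.Count; $i++) {
        $prev = $boots[$i - 1]
        $cur  = $boots[$i]
        # A graceful cycle logs Event ID 6 after the previous boot and before this one
        $seen = @($ShutdownTimes | Where-Object { $_ -gt $prev -and $_ -lt $cur })
        [pscustomobject]@{
            PreviousBoot = $prev
            Boot         = $cur
            Event6Count  = $seen.Count
            Ungraceful   = ($seen.Count -eq 0)
        }
    }
}

# Constructed timestamps (not real log data) so the logic can be run offline
$boots = [datetime[]]('2026-03-01 08:00', '2026-03-05 09:00', '2026-03-09 07:30')
$e6    = [datetime[]]@('2026-03-05 08:55')
Find-UngracefulBoot -BootTimes $boots -ShutdownTimes $e6 | Where-Object Ungraceful

# Live use on a Windows host:
# $f     = @{LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'}
# $boots = (Get-WinEvent -FilterHashtable ($f + @{Id=12})).TimeCreated
# $e6    = (Get-WinEvent -FilterHashtable ($f + @{Id=6})).TimeCreated
```
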
How do I configure alerts for Event ID 6 in Windows Server 2025?
Configure Event ID 6 alerts using Windows Event Viewer's Attach Task feature or PowerShell-based monitoring. In Event Viewer, right-click Event ID 6 and select 'Attach Task to This Event' to create a basic alert. For advanced monitoring, use PowerShell with Register-WmiEvent to create real-time alerts: Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile='System' AND TargetInstance.SourceName='Microsoft-Windows-Kernel-General' AND TargetInstance.EventCode=6" -Action { Send-MailMessage -To 'admin@company.com' -Subject 'Server Shutdown Alert' -Body 'Event ID 6 detected' }. Alternatively, use System Center Operations Manager or third-party monitoring tools to create sophisticated alerting rules. Configure Windows Event Forwarding to centralize Event ID 6 monitoring and set up alerts on the collector server for organization-wide shutdown monitoring.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
