How to find out if Windows was running at a given time?
You can use the Windows Event Viewer to do this.
To start Event Viewer in Windows 7:
- Click the Start button
- Click Control Panel
- Click System and Maintenance
- Click Administrative Tools
- Double-click Event Viewer
In Windows 8 and 10 you can run the Event Viewer with the Windows Key+X+V shortcut. You may also open it via the Run menu. Namely, press Windows Key+R to open the Run dialog, then type eventvwr and click OK.
Once you have Event Viewer open, follow these steps:
- In the left pane go to Windows Logs > System
- In the right pane you will see a list of events that occurred while Windows was running
- Click on the Event ID label to sort data by the Event ID column
- It's possible that your event log will be extremely long, so you will need to create a filter.
- From the Actions pane on the right-hand side, click on “Filter current log”
- Type 6005, 6006 in the unlabelled field (see screenshot below):
- Click OK
Please note that it may take a few moments for the Event Viewer to show the filtered logs.
In summary:
Event ID 6005 means “The event log service was started” (i.e. startup time).
Event ID 6006 means “The event log service was stopped” (i.e. shutdown time).
If you want, you could also add Event ID 6013 to your filter — this displays the system's uptime after booting.
Finally, if this is something you want to check regularly, you can create a custom view to show this filtered log. Custom views are located at the top left of the left pane of the Windows Event Viewer. By adding it there you can choose to select it whenever you want to view the log.
Note that services do not come to a stop when the computer goes to sleep, but the Kernel-Power
event source mentions all power state transitions. To query the event log from the command line, you can use PowerShell!
Get-WinEvent -LogName System | ? {$_.ProviderName -eq 'Microsoft-Windows-Kernel-Power'}
On my laptop, that produces a listing like this:
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
10/21/2016 1:20:43 PM 130 Information Firmware S3 times. SuspendStart: 31954205, SuspendEnd: 31954215
10/21/2016 1:20:43 PM 131 Information Firmware S3 times. ResumeCount: 11, FullResume: 498, AverageResu...
10/21/2016 1:16:54 PM 107 Information The system has resumed from sleep.
10/21/2016 1:16:53 PM 42 Information The system is entering sleep....
10/21/2016 1:06:05 PM 130 Information Firmware S3 times. SuspendStart: 31305142, SuspendEnd: 31305152
10/21/2016 1:06:05 PM 131 Information Firmware S3 times. ResumeCount: 10, FullResume: 498, AverageResu...
10/21/2016 12:29:30 PM 107 Information The system has resumed from sleep.
10/21/2016 12:29:29 PM 42 Information The system is entering sleep....
Bizarrely enough, sometimes the time on event 107 is incorrect (this laptop briefly loses track of time when resuming), but the next "firmware S3 times" events get it right.
Of course, if the computer shut down unexpectedly, you won't get an event at the exact time of shutdown - the next Kernel-Power
will be when the system realizes power was lost. Therefore, a different approach would be to find the most recent event of any kind logged before the time in question.
Get-WinEvent -LogName Application | ? {$_.TimeCreated -le '10/19/2016 12:45 PM'} | select -First 1
You would replace 10/19/2016 12:45 PM
with the time you were interested in. I chose the Application log for this query because it's usually very active. If the TimeCreated
of the produced event is more than an hour or so before the time you provided, it's likely that the computer was not fully running.