> For the complete documentation index, see [llms.txt](https://notes.qazeer.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.qazeer.io/dfir/windows/ttps_analysis/system_uptime.md).

# System uptime

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on:** [**artefacts.help**](https://artefacts.help/)**.**

### EVTX

| File          | Event source                             | Description                                                                                                                                                               |
| ------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `System.evtx` | `User32`                                 | Event `1074: The process <PROCESS_EXE> has initiated the xxx of computer <HOSTNAME> on behalf of user <USERNAME> for the following reason: <SHUTDOWN_REASON_TEXT>`        |
| `System.evtx` | `EventLog`                               | Event `6005: The Event log service was started`                                                                                                                           |
| `System.evtx` | `EventLog`                               | Event `6006: The Event log service was stopped`                                                                                                                           |
| `System.evtx` | `Microsoft-Windows-Kernel-General`       | Event `12: The operating system started at system time <TIME>`                                                                                                            |
| `System.evtx` | `Microsoft-Windows-Kernel-General`       | Event `13: The operating system is shutting down at system time <TIME>`                                                                                                   |
| `System.evtx` | `Microsoft-Windows-Kernel-Power`         | Event `109: The kernel power manager has initiated a shutdown transition. Shutdown Reason: <SHUTDOWN_REASON_INT>`                                                         |
| `System.evtx` | `Microsoft-Windows-Kernel-Power`         | Event `41: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly` |
| `System.evtx` | `Microsoft-Windows-Kernel-Power`         | Event `42: The system is entering sleep`                                                                                                                                  |
| `System.evtx` | `Microsoft-Windows-Power-Troubleshooter` | Event `1: The system has resumed from sleep`                                                                                                                              |
| `System.evtx` | `EventLog`                               | Event: `6013: The system uptime is <INT> seconds.`                                                                                                                        |

The [`TurnedOnTimesView`](https://www.nirsoft.net/utils/computer_turned_on_times.html) utility can be used to parse `System.evtx` files and determine the time ranges that a system was turned on (by looking as a set of the aforementioned events).

***

### References

<https://www.nirsoft.net/utils/computer\\_turned\\_on\\_times.html>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://notes.qazeer.io/dfir/windows/ttps_analysis/system_uptime.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.