Windows Event ID 1074 — System Shutdown / Restart Initiated by Process or User
Logged in the System log (source: User32) when a process or user initiates a clean shutdown or restart. It records the initiating process, the user account, the shutdown type, a reason code and an optional comment: the forensic record of WHO rebooted the machine and WHY.
Why It Matters
1074 is the clean-shutdown counterpart to 6008, and it is far more useful in an investigation because it names the responsible process and account. A reboot triggered by explorer.exe under a logged-on user is routine; one triggered by shutdown.exe from a service account, or a remote shutdown issued against a server out of hours, is the kind of activity that precedes persistence activation or accompanies disruptive/impact actions. When Windows comes back up and finds no record of a clean shutdown (no 1074, and no 6006 closing the log), it logs a 6008 instead.
Key Fields
- Process Name: the image that initiated the shutdown (explorer.exe for a console user, shutdown.exe for the command line, a scheduled task or a remote request, a management agent for SCCM/Intune)
- User: the account on whose behalf the shutdown or restart was requested
- Shutdown Type: shutdown or restart
- Reason Code: the hex code supplied by the initiator; a generic code is the mark of a default or scripted call
- Comment: free text supplied by the initiator, normally present for a change-window reboot and empty for a scripted one
Normal vs Suspicious
Normal
- ✓ explorer.exe initiating a restart under the interactive user after a Windows Update
- ✓ A maintenance reboot with a descriptive Comment and a planned reason code during a change window
- ✓ Scheduled monthly patch reboots from a known management tool (SCCM/Intune)
Suspicious
- ⚑ shutdown.exe initiating a remote restart of a server from an unexpected source host
- ⚑ A 1074 restart immediately after a new service (7045), scheduled task (4698), or Run-key change
- ⚑ Reboots initiated by a service or admin account at an hour with no legitimate maintenance window
- ⚑ Generic reason code plus empty Comment on a server reboot: the signature of a scripted, not human, action
Investigation Tips
1. explorer.exe as the process means a logged-on user clicked shutdown/restart; shutdown.exe means command line, a scheduled task, or remote (shutdown /m \\host).
2. A 1074 whose User does not match anyone who should be at that console, especially a service or admin account at an odd hour, warrants checking the surrounding logon events.
3. Remote reboots (shutdown.exe, empty Comment, generic reason code) against servers can be a lateral-movement or impact action; correlate with 4624 Type 3 logons from the source host.
4. A 1074 'restart' immediately after a new service install (7045), scheduled task (4698), or registry Run-key change can mean the attacker is rebooting to activate persistence.
5. If you expected a controlled reboot but see 6008 with NO preceding 1074, the shutdown was uncontrolled: investigate it as a crash or forced power action instead.
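The five tips above are one triage procedure, so here it is as working code. This is an added example for this page, not EventPeeker's own code. The three 1074 events and the neighbouring 7045/4624 records are constructed (invented hosts, accounts and times) in the EventData layout of a User32 1074 record (param1 process, param2 computer, param3 reason text, param4 reason code, param5 shutdown type, param6 comment, param7 user). The maintenance window, the service/admin account naming markers and the ten-minute correlation window are assumed site policy. The remote check relies on the host name that the 1074 message renders in parentheses after the process path being the machine the request came from; the page does not spell that out, so confirm it against your own samples before depending on it.

```python
"""Triage Windows Event ID 1074 records with the investigation tips above.

Added example, not EventPeeker's code. Sample events are constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed site policy: maintenance window 22:00-23:59 (SystemTime is UTC;
# convert to site-local time in real use) and privileged-account markers.
MAINT_HOURS = range(22, 24)
PRIVILEGED_MARKERS = ("svc_", "admin")
PERSISTENCE_IDS = {7045, 4698}            # new service, new scheduled task
CORRELATION_WINDOW = timedelta(minutes=10)


def _event_xml(when, computer, process, reason_text, code, kind, comment, user):
    """Render one constructed 1074 event (sample data, not a real log)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1074</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>{computer}</Computer></System>'
            f'<EventData><Data Name="param1">{process}</Data><Data Name="param2">{computer}</Data>'
            f'<Data Name="param3">{reason_text}</Data><Data Name="param4">{code}</Data>'
            f'<Data Name="param5">{kind}</Data><Data Name="param6">{comment}</Data>'
            f'<Data Name="param7">{user}</Data></EventData></Event>')


# Constructed samples: a console restart, a change-window reboot, a remote script.
SAMPLES = {
    "routine": _event_xml("2024-05-14T17:05:12Z", "WKS01.corp.example",
                          r"C:\Windows\Explorer.EXE (WKS01)", "Other (Unplanned)",
                          "0x500ff", "restart", "", r"CORP\alice"),
    "maintenance": _event_xml("2024-05-18T22:30:00Z", "SRV02.corp.example",
                              r"C:\Windows\system32\shutdown.exe (SRV02)",
                              "Operating System: Installation (Planned)", "0x80020002",
                              "restart", "CHG-1234 monthly patching", r"CORP\patchadmin"),
    "remote_scripted": _event_xml("2024-05-19T02:41:07Z", "SRV01.corp.example",
                                  r"C:\Windows\system32\shutdown.exe (JUMP01)",
                                  "No title for this reason could be found", "0x800000ff",
                                  "restart", "", r"CORP\svc_backup"),
}
# Constructed neighbours for the correlation step: (event id, host, time).
RECENT_EVENTS = [
    (4624, "SRV01", datetime(2024, 5, 19, 2, 37, tzinfo=timezone.utc)),  # Type 3 logon
    (7045, "SRV01", datetime(2024, 5, 19, 2, 38, tzinfo=timezone.utc)),  # new service
]


def _short(host):
    return host.split(".")[0].upper()


def parse_1074(xml_text):
    """Pull the fields an analyst needs out of a 1074 event's XML."""
    root = ET.fromstring(xml_text)
    p = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    exe_path, origin = re.fullmatch(r"(.*?)(?: \((\S+)\))?", p[0]).groups()
    return {
        "time": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
        "computer": _short(p[1]),
        "exe": exe_path.rsplit("\\", 1)[-1].lower(),
        "origin": _short(origin) if origin else _short(p[1]),
        "reason_code": int(p[3], 16),
        "type": p[4],
        "comment": p[5].strip(),
        "user": p[6],
    }


def decode_reason(code):
    """Split a shutdown reason code into its flag bits and major/minor fields."""
    return {"planned": bool(code & 0x80000000),
            "user_defined": bool(code & 0x40000000),
            "major": (code >> 16) & 0xFF,
            "minor": code & 0xFFFF}


def triage(ev, recent_events=()):
    """Return the suspicious indicators for one parsed 1074 (empty list = routine)."""
    flags = []
    reason = decode_reason(ev["reason_code"])
    scripted = ev["exe"] == "shutdown.exe"
    privileged = any(m in ev["user"].lower() for m in PRIVILEGED_MARKERS)
    # Tips 1 and 3: originating host differs from the target, i.e. shutdown /m \\target.
    if ev["origin"] != ev["computer"]:
        flags.append("remote_shutdown")
    # Generic reason (minor 0xff = "Other") plus empty Comment: scripted, not human.
    if scripted and reason["minor"] == 0xFF and not ev["comment"]:
        flags.append("generic_reason_no_comment")
    # Tip 2: command-line or service/admin-account reboot outside the window.
    if (scripted or privileged) and ev["time"].hour not in MAINT_HOURS:
        flags.append("outside_maintenance_window")
    # Tip 4: a 7045/4698 on the same host shortly before the restart.
    for event_id, host, when in recent_events:
        if (event_id in PERSISTENCE_IDS and host == ev["computer"]
                and timedelta(0) <= ev["time"] - when <= CORRELATION_WINDOW):
            flags.append(f"follows_persistence_event_{event_id}")
    return flags


def classify_boot_cycle(event_ids):
    """Tip 5: given the System-log IDs around one reboot, was the shutdown clean?"""
    if 6008 in event_ids:
        return "uncontrolled"        # unexpected shutdown, no initiator recorded
    if 1074 in event_ids:
        return "clean"
    return "unknown"


if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        ev = parse_1074(xml_text)
        print(f"{name:16} {ev['user']:18} {triage(ev, RECENT_EVENTS) or 'routine'}")
    print(classify_boot_cycle([1074, 6006, 6005]), classify_boot_cycle([6005, 6008, 41]))
```

Feed it real records by exporting the System log with Get-WinEvent and handing each event's ToXml() output to parse_1074; the recent_events list is where your 4624/7045/4698 lookups from the same host go.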
Seeing Event ID 1074 in your own logs? Upload an .evtx file — EventPeeker flags system shutdown / restart initiated by process or user automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.
Frequently Asked Questions
- What does Event ID 1074 tell me that 6008 doesn't?
- Event ID 1074 records a clean, initiated shutdown or restart and names the process, the user account, the shutdown type, and a reason code — so it answers who rebooted the machine and why. Event ID 6008 only records, after the fact, that the previous shutdown was unexpected, with no cause or initiator. If a reboot was intentional you get a 1074; if it was uncontrolled you get a 6008 on the way back up. For an investigation, 1074 is the far richer record.
- How can I tell if a 1074 reboot was remote or local?
- Look at the Process Name and the surrounding logon events. explorer.exe almost always means a user clicked Restart at the console. shutdown.exe means the command line was used — which could be local, a scheduled task, or remote (shutdown /m \\hostname). For a suspected remote reboot, correlate the 1074 timestamp with Event ID 4624 Type 3 (network) logons from another host, and check whether the initiating account should have remote-shutdown rights on that machine.
- Why would an attacker trigger Event ID 1074?
- Attackers reboot machines to activate persistence that only runs at startup (services, Run keys, scheduled tasks set to fire at boot), to flush defensive tooling or credentials out of memory, or as a disruptive impact action. A scripted remote reboot via shutdown.exe typically leaves a 1074 with a generic reason code and an empty comment, initiated by whatever account the attacker is operating as — which is why an out-of-window 1074 from an unexpected process or account is worth correlating with recent persistence and lateral-movement events.
- Is Event ID 1074 logged for every reboot?
- It is logged for clean, initiated shutdowns and restarts, whether user-driven, scripted, or issued by a management tool. It is NOT logged when the system goes down uncontrolled (power loss, BSOD, hard reset); those produce Event ID 6008 at the next boot instead. So a healthy maintenance reboot shows 1074, then 6006 (event log service stopped), then 6005 (event log service started) at boot, while a crash shows 6005 together with 6008 and Kernel-Power 41 at the next boot, with no 1074 before them.