EventPeeker
Event ID 6006 | Information | System

Windows Event ID 6006: Event Log Service Stopped

Logged when the Windows Event Log service stops — marks a clean, controlled shutdown.

Why It Matters

A 6006 without a subsequent 6005 in the expected window, or 6006 followed by 6005 at an unexpected time, can mark attacker-initiated reboots.

Investigation Tips

  1. Planned maintenance shutdowns should have a 6006 followed by 6005 within the expected maintenance window.
  2. Unplanned 6006 + 6005 pairs outside maintenance hours warrant investigation.
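
The pairing check from the tips above, as an added example (not EventPeeker's own code): it pairs each 6006 with the next 6005 and labels the pair against known maintenance windows. The record format, the `max_gap` limit, the label names and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

STOP, START = 6006, 6005  # Event Log service stopped / started (System log)

def in_window(ts, windows):
    """True if ts falls inside any (start, end) maintenance window."""
    return any(start <= ts <= end for start, end in windows)

def triage_shutdowns(events, windows, max_gap=timedelta(minutes=30)):
    """Pair each 6006 with the next 6005 and label the pair.

    events: iterable of (iso_timestamp, event_id) exported from the System log,
    all in the same timezone as the windows.
    max_gap is an assumed upper bound on how long a normal reboot takes.
    """
    parsed = sorted((datetime.fromisoformat(t), eid) for t, eid in events
                    if eid in (STOP, START))
    findings = []
    for i, (ts, eid) in enumerate(parsed):
        if eid != STOP:
            continue
        nxt = parsed[i + 1] if i + 1 < len(parsed) else None
        if nxt is None or nxt[1] != START or nxt[0] - ts > max_gap:
            # No 6005 followed the stop within the expected window.
            findings.append((ts, None, "no-6005-in-expected-window"))
        elif in_window(ts, windows) and in_window(nxt[0], windows):
            findings.append((ts, nxt[0], "planned"))
        else:
            findings.append((ts, nxt[0], "outside-maintenance-window"))
    return findings

# Constructed sample data, not taken from a real host.
WINDOWS = [(datetime(2024, 3, 10, 1, 0), datetime(2024, 3, 10, 3, 0))]
EVENTS = [
    ("2024-03-10T01:15:02", 6006), ("2024-03-10T01:17:40", 6005),  # patch night
    ("2024-03-12T14:41:09", 6006), ("2024-03-12T14:43:30", 6005),  # midday reboot
    ("2024-03-14T22:05:00", 6006), ("2024-03-15T09:30:00", 6005),  # long gap
]

if __name__ == "__main__":
    for stop, start, label in triage_shutdowns(EVENTS, WINDOWS):
        print(stop, start, label)
```

Anything not labelled `planned` is a lead to correlate with Event ID 1074, which names the process and user behind the shutdown.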

Seeing Event ID 6006 in your own logs? Upload an .evtx file — EventPeeker automatically flags Event Log service stops, maps them to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.


Related Event IDs

6005: Event Log service started — system startup
1074: Clean shutdown/restart — names the process and user behind the shutdown
6008: Unexpected shutdown — the opposite case, when no clean shutdown occurred
41: Kernel-Power — present when the shutdown was a crash, not planned

Go deeper: the full Windows Defender Disabled or Tampered guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.

