EventPeeker
Scan your Security and Sysmon logs·Detection guides
Event ID 6008ErrorSystem

Windows Event ID 6008Unexpected System Shutdown

Logged at startup to record that the previous shutdown was unexpected — power loss, crash, or forced reset.

Why It Matters

Indicates system instability. Repeated 6008 events on production systems — especially servers or domain controllers — require investigation into hardware health and recent driver or update changes.

Key Fields

Shutdown TimeThe time of the unexpected shutdown

Investigation Tips

  1. 1.Correlate the shutdown time with Event ID 41 (kernel crash) to see if it was a BSOD.
  2. 2.On VMs, check the hypervisor logs for the shutdown reason.
  3. 3.Frequent 6008 events on domain controllers can indicate hardware issues or attack-induced instability.

Related Event IDs

41Kernel crash that may have caused the shutdown
6005System startup after the unexpected shutdown

See Event ID 6008 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects unexpected system shutdown patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →
← All detection guides·Analyze EVTX Logs Free →