EVENTLOGRECORD structure: Interpretation of the EventID field

Ben Key:

April 11, 2019

The Windows Event Log contains important diagnostic information such as information about application crashes, errors, security issues, etc. It is accessible via the Event Viewer or the Windows Event Log API. The ReadEventLogW function allows you to read a number of EVENTLOGRECORD structures into memory.

One of the fields in the EVENTLOGRECORD structure is the EventID field. There is very little information available about this field. The online documentation points to a very unhelpful document on Event Identifiers.

I found the following information on Microsoft TechNet.

| Event ID | Description |
|---|---|
| 1074 | "The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z." Indicates that an application or a user initiated a restart or shutdown. |
| 1076 | "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence. |
| 6005 | "The event log service was started." This is synonymous with system startup. |
| 6006 | "The event log service was stopped." This is synonymous with system shutdown. |
| 6008 | "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly. |
| 6009 | Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time. |
| 6013 | Displays the uptime of the computer. |

I used this information to obtain the system start time from the Windows Event Log in my GetStartTime project.
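The Event Identifiers page does define one thing worth knowing when matching these numbers against an EVENTLOGRECORD: EventID is a full 32-bit value in which only bits 0-15 are the code Event Viewer displays, while the upper bits carry facility, customer and severity flags, so a record must be masked before comparing it with 6005. The following added example (not from the original post or the GetStartTime project) walks a buffer of records in the winnt.h layout, masks EventID, and returns the newest 6005 TimeGenerated; the record structure is redeclared here with fixed-width types so it compiles off Windows, and the three sample records are constructed, including a 6005 record whose high bits are set only to demonstrate the mask.

```c
#include <stdint.h>
#include <string.h>

/* Fixed part of a Win32 EVENTLOGRECORD (winnt.h layout, little-endian 4- and
 * 2-byte integers); the variable-length strings, SID and data follow it. */
typedef struct {
    uint32_t Length;         /* whole record incl. trailing copy of Length */
    uint32_t Reserved;       /* "LfLe" signature */
    uint32_t RecordNumber;
    uint32_t TimeGenerated;  /* seconds since 1970-01-01 UTC */
    uint32_t TimeWritten;
    uint32_t EventID;        /* full 32-bit identifier, see event_code() */
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength,
             UserSidOffset, DataLength, DataOffset;
} EventLogRecordHeader;

/* Bits 0-15 are the code Event Viewer displays (6005, 6006, ...); bits 16-27
 * are the facility, bit 29 the customer flag, bits 30-31 the severity. */
static uint16_t event_code(uint32_t id) { return (uint16_t)(id & 0xFFFFu); }

/* Scan a buffer as filled by ReadEventLogW and return TimeGenerated of the
 * newest "event log service was started" (6005) record, or 0 if none.
 * Length is read from the log, so it is bounds-checked before each step. */
uint32_t last_start_time(const uint8_t *buf, size_t len) {
    uint32_t best = 0;
    for (size_t off = 0; len - off >= sizeof(EventLogRecordHeader); ) {
        EventLogRecordHeader h;
        memcpy(&h, buf + off, sizeof h);
        if (h.Length < sizeof h || h.Length > len - off) break; /* corrupt */
        if (event_code(h.EventID) == 6005 && h.TimeGenerated > best)
            best = h.TimeGenerated;
        off += h.Length;
    }
    return best;
}

/* Constructed sample: one minimal record (header + trailing Length copy). */
static size_t put_record(uint8_t *p, uint32_t event_id, uint32_t t) {
    EventLogRecordHeader h = {0};
    h.Length = sizeof h + 4; h.Reserved = 0x654c664c; /* "LfLe" */
    h.TimeGenerated = h.TimeWritten = t; h.EventID = event_id;
    memcpy(p, &h, sizeof h); memcpy(p + sizeof h, &h.Length, 4);
    return h.Length;
}
/* Three constructed records; the 6005 one has high bits set to show the mask. */
size_t sample_log(uint8_t *buf) {   /* buf needs at least 3 * 60 bytes */
    size_t n = put_record(buf, 6006, 1554900000u);
    n += put_record(buf + n, 0x80001775u, 1554903600u); /* low 16 bits = 6005 */
    n += put_record(buf + n, 6013, 1554903700u);
    return n;
}
```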