EVENT ID 42 & 1

The event source of these is? this is of importance.

If the event source for event id 42 is a " Kernel-Power" and for event ID 1 in System log is from source "Power-Troubleshooter", then

* event ID 42 in the System log from source Kernel-Power is the sleeping event.
* event ID 1 in the System log is for waking ( respectively, the last and first logs entries upon sleeping/waking up).

May be this will be of more help to you ?

http//www.eventid.net/search.asp
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Will be helpful, if you search records from source "Power-Troubleshooter", ID 1, Wake source device.

Are you able to provide the full log?

**
event ID 42
Reason "4" is "Sleep Reason Application API" (Hibernation), 0 is "magic package", 2 is USB device.

For the event id 1, we need more data

<System>??
<Provider Name=??
<EventID>1</EventID>
<Version>??
<Level>??
<Task>??
<Opcode>??
<Keywords> ??</Keywords>
<TimeCreated SystemTime=?? />
<EventRecordID>??</EventRecordID>
<Correlation ActivityID="?? />
<Execution ProcessID="1 />

Probably, the awake is from Reason 2- USB device.

Pls, note -Windows Kernel Event Id 42 indicates that the last sleep transition was unsuccessful. This error could be caused if the system stopped responding or during the sleep transition, failed, or lost power .

Thanks for the links Mick, here are the full logs

ID 1

<System>
<Provider Name="Microsoft-Windows-Kernel-General" Guid="a68ca8b7-004f-d7b6-a698-07e2de0f1f5d" />
<EventID>1</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000010</Keywords>
<TimeCreated SystemTime="2018-01-21T132645.5000225Z" />
<EventRecordID>3133</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="11704" />
<Channel>System</Channel>
<Computer>LAPTOP-Q8V3FM5F</Computer>
<Security />
</System>
<EventData>
<Data Name="NewTime">2018-01-21T132645.5000000Z</Data>
<Data Name="OldTime">2018-01-19T232518.0975552Z</Data>
<Data Name="Reason"&gt;2</Data>
</EventData>
</Event>

ID 42

<Event xmlns="http//schemas.microsoft.com/win/2004/08/events/event"&gt;
<System>
<Provider Name="Microsoft-Windows-Kernel-Power" Guid="331c3b3a-2005-44c2-ac5e-77220c37d6b4" />
<EventID>42</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>64</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000404</Keywords>
<TimeCreated SystemTime="2018-01-21T133811.4429947Z" />
<EventRecordID>3158</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4832" />
<Channel>System</Channel>
<Computer>LAPTOP-Q8V3FM5F</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetState">6</Data>
<Data Name="EffectiveState">5</Data>
<Data Name="Reason"&gt;4</Data>
<Data Name="Flags">0</Data>
<Data Name="TransitionsToOn">44</Data>
</EventData>
</Event>

I see now, it is a different story…

Your source of Event ID1 is the "Source Microsoft-Windows-Kernel-General".
Means- the system time is changed.

Look here
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733210(v=ws.10)

Installed NTP sever there? any data?
Do the system use "ReadyBoost" future ? Do you know?

Event ID1 from the "Source Microsoft-Windows-Kernel-General". means, that this event can occur, if besides the Windows Time service (w32time), another process is setting the time on the server. Pls. check if the W32Time service log is enabled -look here

https://support.microsoft.com/el-gr/help/816043/how-to-turn-on-debug-logging-in-the-windows-time-service

DO SOME virtual environment there exist? in use?

Do the "Audit Privilege Use" there is enable? log?
There is a software installed, that is to lock the PC clock to an Adrienne card (a Timecode reader)??

Sometime, it is a problem from setting in the vmware tools that is checked to sync with host. If this is unchecked, the problem went away.

Sometimes, it means that Windows is allowed to wake the PC up to do maintenance tasks.

Another reason - bad CMOS battery - look here- bad CMOS battery is a "Reason 1"

https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/date-and-time-keeps-changing/a9e7da22-3d77-43f3-aee2-42abf5e651c7

BUT, Your reason here is "2" -i.e. "magic packet".

Your source of Event ID42 is the "Microsoft-Windows-Kernel-Power".

It's means- The system is entering sleep because of low battery. Reason "4" is a low battery.

NB- about these "reasons" - we asks many time in the past various sources ( including official ones) what this means- Microsoft once answered - " nothing", "The event ID and his source is THE most important thing". BUT, this is not the whole true- we identifies some of these codes, but their meaningfulness in various events is not the same, or at least they do not have THE same explanation in different event ID. More- these "reasons" are different according to the real systems- laptop, server, personal PC.

Actually, I See that the event ID 1 is NOT FROM the source "Power-Troubleshooter" -it is from "Microsoft-Windows-Kernel-General". Thus, this event id 1 IS NOT awake, like I Wrote in my first answer, because the source is different.

The event Id 42 source is the same " Kernel-Power (Microsoft-Windows-Kernel-Power)" i.e., my first explanation is correct.

Thanks for your help