Hey all,
I need to know the startup and shutdown times of a computer.
Can someone point me to the registry key or log file that has this information?
I want to prove that the user on/off the system at certain times over a 3-month period.
Thanks in advance. Cheers!
Hello blueDragon,
If you only want to know the startup and shutdown times, you can use uptime.exe from Microsoft. You can find more information at http//
UPTIME is a utility that processes the machine's event log to determine system availability and current uptime. The target system can either be the local system or a remote system. No special privileges are required for basic operation, although it is most accurate to run the tool under an administrative account.
Below is an example of the output.

Uptime Report for: \\PLATO

Current OS: Microsoft Windows XP, Service Pack 2, Uniprocessor Free.
Time Zone: West-Europa (standaardtijd)
System Events as of: 6-1-2008 16:15:30

Date:       Time:      Event:     Comment:
----------  ---------  ---------  -----------------------------------
2-12-2007   23:11:53   Shutdown
3-12-2007   10:47:59   Boot       Prior downtime: 0d 11h36m6s
3-12-2007   15:54:40   Shutdown   Prior uptime: 0d 5h6m41s
3-12-2007   22:15:45   Boot       Prior downtime: 0d 6h21m5s
3-12-2007   23:06:39   Shutdown   Prior uptime: 0d 0h50m54s
4-12-2007   7:56:38    Boot       Prior downtime: 0d 8h49m59s
4-12-2007   8:18:13    Shutdown   Prior uptime: 0d 0h21m35s
4-12-2007   21:43:14   Boot       Prior downtime: 0d 13h25m1s
4-12-2007   23:16:12   Shutdown   Prior uptime: 0d 1h32m58s
5-12-2007   16:25:49   Boot       Prior downtime: 0d 17h9m37s
5-12-2007   16:49:25   Shutdown   Prior uptime: 0d 0h23m36s
6-12-2007   19:29:01   Boot       Prior downtime: 1d 2h39m36s
6-12-2007   23:13:32   Shutdown   Prior uptime: 0d 3h44m31s
7-12-2007   22:09:54   Boot       Prior downtime: 0d 22h56m22s
7-12-2007   23:08:51   Shutdown   Prior uptime: 0d 0h58m57s
7-12-2007   23:09:41   Boot       Prior downtime: 0d 0h0m50s
8-12-2007   1:01:16    Shutdown   Prior uptime: 0d 1h51m35s
8-12-2007   1:02:20    Boot       Prior downtime: 0d 0h1m4s
--------------------------------------------------------------------------------
Since 2-12-2007:
Total Reboots: 63
Mean Time Between Reboots: 0.55 days
Total Bluescreens: 0
--------------------------------------------------------------------------------
Since 22-12-2007:
System Availability: 40.5567%
Total Uptime: 6d 3h42m27s
Total Downtime: 9d 0h29m33s
Total Reboots: 33
Mean Time Between Reboots: 0.46 days
Total Bluescreens: 0

Notes:
22-12-2007 is the earliest date in the event log where
sufficient information is recorded to calculate availability.
Good luck!
The Registry provides the last shut down time. Parsing the Event Log as Thomas suggested will be the most expedient way to examine long term activity.
Hi Thomas and bithead, thanks for your advice.
If I examine an image, will I still be able to get this information through uptime.exe?
Thomas
You should be able to make a copy of the image and load it in liveview.
http://liveview.sourceforge.net/
Of course it will have the LiveView boot listed as the last startup :->
I need to know the startup and shutdown times of a computer.
Can someone point me to the registry key or log file that has this information?
I want to prove that the user on/off the system at certain times over a 3-month period.
I have no idea what you're asking for with regards to, "I want to prove that the user on/off the system…"…it appears that something is missing.
However, the Event Log idea is a good one, and will be very useful corroborating information, depending upon the configuration of the system, auditing, and how the system is used. I say this, as I've seen cases where some of the Event Logs don't cover much more than a couple of days.
The Registry does maintain a value for the last shutdown time of the system, as well as last login times for users (within the SAM file and easily parsed from an image).
The quickest way I know of to get a really good bit of timeline info on a user is to parse the UserAssist keys the way I mention in my book, "Windows Forensic Analysis".
H
D
If you want to try to work out system boot/shutdown times using the event log from an image, I have found that opening the SysEvent.evt file in event viewer and looking for the following combinations can provide a good starting point*
System start - look for event ID 6009 and a 6005 in close proximity (usually next to each other)
System shutdown - event ID 6006 can indicate a shutdown, as this is the event log service stopping**
(*) In testing this seems to work most of the time, but I'd check other data sources if possible. The log file could be corrupted or there might be other weirdness going on - I've seen short bursts of these boot/shutdown pairs happening in the log files that I couldn't explain (but luckily I didn't have to in this case, I was testing something else). I guess the caveat to this advice is that you should experiment yourself on a non-critical case to try to confirm or deny this.
(**) I guess this could occur for other reasons, such as the event logging service being stopped manually.
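An added example (not part of D's post) of the 6009/6005/6006 pairing described above, run over a constructed list of System-log records. It also flags the two caveats so they stand out for corroboration: a 6006 that turns out to be a service restart (a 6005 follows with no 6009 near it) and a boot logged within minutes of a shutdown (the "short bursts"). The 60-second pairing window and 5-minute burst threshold are assumptions to tune against your own data.

```python
from datetime import datetime, timedelta

# Constructed System-log sample (time, event id), loosely following the uptime.exe
# report quoted earlier, plus two anomalies matching the caveats above: a 6006 that
# is only a service restart, and a boot logged 50 s after a shutdown.
EVENTS = [
    (datetime(2007, 12, 3, 10, 47, 50), 6009),   # kernel banner at boot
    (datetime(2007, 12, 3, 10, 47, 59), 6005),   # event log service started
    (datetime(2007, 12, 3, 15, 54, 40), 6006),   # event log service stopped
    (datetime(2007, 12, 4, 7, 56, 30), 6009),
    (datetime(2007, 12, 4, 7, 56, 38), 6005),
    (datetime(2007, 12, 4, 8, 0, 0), 6006),      # stopped by hand, no reboot...
    (datetime(2007, 12, 4, 8, 12, 0), 6005),     # ...restarted without a 6009
    (datetime(2007, 12, 7, 23, 8, 51), 6006),
    (datetime(2007, 12, 7, 23, 9, 35), 6009),
    (datetime(2007, 12, 7, 23, 9, 41), 6005),    # boot 50 s after shutdown
]

def sessions(events, pair_window=timedelta(seconds=60), burst=timedelta(minutes=5)):
    """Pair each boot (6009 closely followed by 6005) with the next 6006 and return
    one dict per session: boot, shutdown, uptime, downtime and a list of flags."""
    out, cur, last_6009, prev_down = [], None, None, None
    for t, eid in sorted(events):
        if eid == 6009:
            last_6009 = t
        elif eid == 6005:
            flags = []
            if last_6009 is None or t - last_6009 > pair_window:
                flags.append("no 6009 near this 6005: preceding 6006 was a service "
                             "restart rather than a shutdown?")
            if prev_down is not None and t - prev_down < burst:
                flags.append("boot within %s of last shutdown: burst, corroborate" % burst)
            if cur is not None:                  # earlier boot never got a 6006
                cur["flags"].append("no 6006 before next boot")
                out.append(cur)
            cur = {"boot": t, "shutdown": None, "uptime": None, "flags": flags,
                   "downtime": t - prev_down if prev_down is not None else None}
            last_6009 = None
        elif eid == 6006 and cur is not None:
            cur["shutdown"], cur["uptime"] = t, t - cur["boot"]
            prev_down = t
            out.append(cur)
            cur = None
    if cur is not None:                          # log ends with the system still up
        cur["flags"].append("open session: no 6006 recorded")
        out.append(cur)
    return out
```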
(*) In testing this seems to work most of the time, but I'd check other data sources if possible.
Corroborating data is a good thing. 8)
The log file could be corrupted…
They usually aren't…this message is generated most often when attempting to import the EVT file into the Event Viewer on another machine. The Event Log and record formats are pretty well documented, and tools like Perl can be used to parse through the files without relying on the MS API at all. I've developed some tools that do this quite effectively…so much so that I use them on just about every investigation.
H
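An added example, not H's Perl tools, of what "parse the EVT file without the MS API" looks like: a Python carver that locates EVENTLOGRECORD structures by their LfLe signature instead of walking the file header, which is why the Event Viewer's "corrupted" complaint about a file copied off another machine does not stop a parser. The record bytes and the junk between them are constructed inside the block; the machine name PLATO is borrowed from the uptime report above.

```python
import struct
from datetime import datetime, timezone

# Fixed part of an EVENTLOGRECORD (little-endian), per the Windows SDK: Length, "LfLe",
# RecordNumber, TimeGenerated, TimeWritten, EventID, EventType, NumStrings, EventCategory,
# ReservedFlags, ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
# DataLength, DataOffset; then SourceName/Computername as NUL-terminated UTF-16, Length again.
HDR = struct.Struct("<6I4H6I")               # 56 bytes
MAGIC = b"LfLe"

def build_record(rec_no, when, event_id, source="EventLog", computer="PLATO"):
    """Constructed record for this demo; the values are made up, not from a real log."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    length = HDR.size + len(names) + 4
    length += (-length) % 4                  # records are DWORD aligned
    ts = int(when.replace(tzinfo=timezone.utc).timestamp())
    hdr = HDR.pack(length, 0x654C664C, rec_no, ts, ts, event_id, 4, 0, 0, 0, 0,
                   length - 4, 0, 0, 0, length - 4)
    pad = b"\0" * (length - 4 - HDR.size - len(names))
    return hdr + names + pad + struct.pack("<I", length)

def carve_records(data):
    """Locate records by their LfLe signature instead of walking the file header, so a
    damaged header or junk between records does not stop the parse."""
    out, pos = [], data.find(MAGIC)
    while pos != -1:
        start = pos - 4                      # the Length DWORD precedes the magic
        if start >= 0 and start + HDR.size <= len(data):
            f = HDR.unpack_from(data, start)
            length, end = f[0], start + f[0]
            if (HDR.size < length <= 0x10000 and end <= len(data)
                    and struct.unpack_from("<I", data, end - 4)[0] == length):
                names = data[start + HDR.size:end - 4].decode("utf-16-le", "ignore")
                out.append({"record": f[2], "event_id": f[5] & 0xFFFF,  # low word
                            "time": datetime.fromtimestamp(f[3], timezone.utc),  # epoch
                            "source": names.split("\0")[0]})
        pos = data.find(MAGIC, pos + 1)
    return out
# Constructed sample file: an unusable 48-byte "header", four records, and 7 junk bytes
# between two of them, standing in for the damaged logs discussed in the thread.
SAMPLE = (b"\xff" * 48
          + build_record(1, datetime(2007, 12, 3, 10, 47, 50), 6009)
          + build_record(2, datetime(2007, 12, 3, 10, 47, 59), 6005)
          + b"\0garbag"
          + build_record(3, datetime(2007, 12, 3, 15, 54, 40), 6006)
          + build_record(4, datetime(2007, 12, 3, 15, 54, 41), 7036, "Service Control Manager"))
def boot_shutdown_events(data):
    # Only the EventLog-service records D's heuristic uses: 6005, 6006, 6009.
    return [r for r in carve_records(data)
            if r["source"] == "EventLog" and r["event_id"] in (6005, 6006, 6009)]
```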
They usually aren't…this message is generated most often when attempting to import the EVT file into the Event Viewer on another machine.
I should have expanded on this. Aside from what you mentioned (which can be fixed by resetting the event log's state to clean, usually quicker than parsing it yourself), I've had a few cases where for some reason the data in the logs were corrupted/truncated to the extent that I couldn't fix or parse them. I thought I'd throw it in as an extra caveat :-)
Oh, and for the OP - following on from my first post, you can find the corroborating information at http//