A few weeks ago, one of our Windows Server made a reboot in the middle of the day. That was not planned, so we wanted to know what happened. Windows logs events like the reboot in the event log. The challenge is to find the right message in the huge pile of unrelated log messages. As it turns out, we can use a filter and get the right message in no time.
Open Event Viewer, go to the System entries (1) and click on “Filter Current Log…” (2):
We need to filter for the Event ID 1074:
When we apply the filter, we end up with only the messages for the reboot. You can see the user and the reason they entered into the box that Windows shows you whenever you make a restart:
In our case the user was NT AUTHORITY\SYSTEM, what is the Windows Server itself. Even more strange, the reason was that it installed updates and made a restart – something it should not do. This info gave us the possibility to change the settings and prevent future restarts in the middle of the day.
I hope this helps you with your mysterious reboots.