Event Id 1074 β This event is logged when the user initiates a windows system restart or shutdown through Ctrl + Alt + Delete and clicks on Shut Down or an application causes the windows server to restart.
Event Id 1074 is logged under the System log and subcategory restart or shutdown.
The process C:\Windows\System32\RuntimeBroker.exe (Corp-EU-S17) has initiated the restart of computer Corp-EU-S17 on behalf of user ShellGeek\admin for the following reason: Other (Unplanned)
Reason Code: 0x0
Shutdown Type: restart
Comment: In this article, we will discuss system shutdown and restart event id and possible reasons to log event id 1074.
Event Id 1074 β system restart
Event id 1074 is written to the System log when either application causes a system restart or a user-initiated a system restart or shutdown through Ctrl+Alt +Delete.
If a user initiates a system restart, it will write this event id 1074 as
The process C:\Windows\System32\RuntimeBroker.exe (Corp-EU-S17) has initiated the restart of computer Corp-EU-S17 on behalf of user ShellGeek\admin for the following reason: Other (Unplanned)
Reason Code: 0x0
Shutdown Type: restart
Comment: 
In the above event log message, it shows the user ShellGeek\admin initiated system restart.
The process RuntimeBroker.exe triggers a restart event and information logs under event shutdown type as restart and source is User32.
Cool Tip: Event Id 4670 β Permissions on an object were changed!
Event Id 1074 Reason Code
An application can cause system restart and log this event id 1074 with reason code and the process name.
The process c:\ShellGeek\admin\downloads\ssms-setup-enu.exe (Corp-EU-S17) has initiated the restart of computer Corp-EU-S17 on behalf of user ShellGeek\admin for the following reason: Application: Installation (Planned)
Reason Code: 0x80040002
Shutdown Type: restart
Comment: In the above windows system event log id 1074, an application ssms-setup-enu.exe ( SQL Server installer) has initiated the restart of the computer and this event reason code is 0x80040002
Cool Tip: Event Id 4625 Status Code 0xc000006a β Fix to find the source of attempt!
Event Id 1074 legacy api shutdown
Legacy API shutdown message means that some process issued programmatically system shut down requests using older windows API hooks.
Letβs understand event 1074 legacy API shutdown using an example.
The process C:\Program Files (x86)\temp\vulscan.exe (Corp-Eu-S17) has initiated the restart of computer Corp-EU-S17 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
Reason Code: 0x80070000
Shutdown Type: restart
Comment: Close applicationsIn the above event log message, the vulscan.exe process programmatically issued a shutdown request for the reason Legacy API shutdown and with reason code 0x80070000
Cool Tip: How to manipulate Active Directory UserAccountControl flags in PowerShell!
Conclusion
I hope the above article on Event Id 1074 is helpful to you.
You can monitor system restart events and their possible reason and reason code using Event Id 1074.
An application or a user can initiate a system shut down or restart request on a workstation, using this event 1074 you can monitor windows server shut down and restart history.
Cool Tip: Event Id 4771 β Kerberos pre-authentication failed!
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.
You can read more on other windows security and system event logs as given:
- Event Id 4625 0xc000006a β Account Failed to Log on
- Event Id 4634 β An Account was logged off
- Error Code 0xc0000234 β Event Id 4776 β Fix
- Event Id 4624 β An account was successfully logged on.