How to Audit Which User Initiated a Reboot for an Update in Windows 11

When multiple users share a Windows 11 device, a reboot for an update can interrupt someone else’s work. The system logs the event, but finding out which specific account triggered the restart is not obvious from the standard notification. This article explains how to locate the user who initiated a reboot for a Windows Update using built-in auditing tools. You will learn to enable the correct audit policy, review the Security log, and identify the account that started the restart.

Key Takeaways: Audit Reboot Initiator for Windows Update

  • Local Group Policy Editor > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Other Logon/Logoff Events > Audit User / Device Claims: Enables logging of the user who issued a shutdown or restart command.
  • Event Viewer > Windows Logs > Security > Event ID 4647: Records the user account that initiated a manual reboot, including for update purposes.
  • Event Viewer > Windows Logs > System > Event ID 1074: Shows the process that requested the shutdown and the user context under which it ran.


Why Windows 11 Logs Reboot Initiations for Updates

Windows 11 records system shutdown and restart events in the Security and System logs. When Windows Update completes downloading and staging updates, it schedules a reboot. The system triggers a shutdown request through the Windows Update service or through a user-initiated restart from the Start menu or Settings. The Security log captures the user account that performed the action, while the System log records the process that issued the shutdown command.

By default, Windows 11 does not audit all logoff events. The audit policy for Other Logon/Logoff Events must be enabled to capture Event ID 4647. This event contains the security ID and account name of the user who initiated the reboot. Without this policy, the Security log will not show the user who triggered the restart, leaving you to rely on the System log, which may only show the service account.

Steps to Enable Auditing for Reboot Events in Windows 11

You need administrative privileges on the Windows 11 device to change audit policies. These steps apply to Windows 11 Pro, Enterprise, and Education editions. Windows 11 Home edition does not include the Local Group Policy Editor. For Home edition, use the command-line method with auditpol described in the next section.

Method 1: Using Local Group Policy Editor

  1. Open Local Group Policy Editor
    Press Win + R, type gpedit.msc, and press Enter. If prompted by User Account Control, click Yes.
  2. Navigate to Advanced Audit Policy
    Go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies.
  3. Select Other Logon/Logoff Events
    Double-click Other Logon/Logoff Events in the right pane.
  4. Enable Audit User / Device Claims
    Check the box for Configure the following audit events. Under Audit User / Device Claims, check Success. Click OK.
  5. Apply the Policy
    Close the Local Group Policy Editor. Open a Command Prompt as administrator and run gpupdate /force to apply the policy immediately.

Method 2: Using Command Line with auditpol

This method works on all editions of Windows 11, including Home. It uses the auditpol command to set the same audit policy.

  1. Open Command Prompt as Administrator
    Press Win + X and select Terminal (Admin) or Command Prompt (Admin). Click Yes at the UAC prompt.
  2. Enable the Audit Policy
    Type the following command and press Enter:
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable
  3. Verify the Setting
    Run auditpol /get /subcategory:"Other Logon/Logoff Events" to confirm the policy is enabled. The output should show Success as Enabled.


How to Identify the User Who Initiated the Reboot in Event Viewer

After enabling the audit policy, future reboots will log the initiating user. Use Event Viewer to inspect the logs.

  1. Open Event Viewer
    Press Win + R, type eventvwr.msc, and press Enter.
  2. Navigate to Security Log
    In the left pane, expand Windows Logs and select Security.
  3. Filter for Event ID 4647
    Click Filter Current Log in the Actions pane. Under Event IDs, type 4647 and click OK.
  4. Review the Event Details
    Double-click an event with ID 4647. The Account Name field in the General tab shows the user who initiated the reboot. The Logon ID can be cross-referenced with other events to confirm the session.
  5. Cross-Check with System Log for Event ID 1074
    Select System under Windows Logs. Filter for Event ID 1074. This event shows the process name that requested the shutdown, such as svchost.exe for Windows Update, and the user name under User in the details.

For a reboot triggered by Windows Update, the System log Event ID 1074 will show the process as svchost.exe and the user as NT AUTHORITY\SYSTEM if the update service initiated the restart. If a user manually clicked Restart from the Start menu, the Security log Event ID 4647 will show that user’s account name.

Common Issues When Auditing Reboot Initiations

Event ID 4647 Does Not Appear After Enabling the Policy

The audit policy applies only to events that occur after the policy is enabled. Reboots that happened before enabling the policy are not retroactively logged. Also, some shutdown methods, such as pressing the physical power button or a forced shutdown via the command shutdown /f, may not generate a 4647 event. For those cases, check Event ID 1074 in the System log, which always records the process and user context.

User Is Shown as NT AUTHORITY\SYSTEM Instead of a Specific Account

When Windows Update schedules a reboot, the system service account NT AUTHORITY\SYSTEM issues the shutdown command. This is normal. To identify the user who was logged in at the time, look for Event ID 4647 in the Security log that occurred within a few seconds before the 1074 event. That 4647 event shows the user who was active when the reboot was triggered.
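The following PowerShell script is an added example, not part of the original article: it performs the auditpol verification from Method 2, then pairs each System log 1074 shutdown request with the nearest Security log 4647 logoff, which is the cross-check described in the Event Viewer steps and in the paragraph above. It assumes an elevated PowerShell session on the device being audited; the event counts and the 30-second correlation window are values chosen here, not given by the article.

```powershell
# Added example, not from the original article: verify the audit policy, then
# correlate System 1074 (shutdown request) with Security 4647 (user logoff).
# Assumptions: elevated PowerShell on the audited device; -MaxEvents values and
# the 30-second window are chosen for this example, not taken from the article.

# Step 1: confirm Success auditing for Other Logon/Logoff Events (auditpol /r emits CSV).
$policy = auditpol /get /subcategory:"Other Logon/Logoff Events" /r | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "Success auditing for 'Other Logon/Logoff Events' is off; 4647 events will not be logged."
}

# Step 2: collect shutdown requests and user-initiated logoffs.
$shutdowns = Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 1074 } -MaxEvents 25  -ErrorAction SilentlyContinue
$logoffs   = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4647 } -MaxEvents 500 -ErrorAction SilentlyContinue
$windowSeconds = 30

# Step 3: for each 1074, report the requesting process and user context, plus the
# 4647 account logged closest in time; that account is the user who was active.
$report = foreach ($s in $shutdowns) {
    $p = $s.Properties
    # 1074 substitution order: process, computer, reason, reason code, type, comment, user
    $process = $p[0].Value
    $type    = $p[4].Value
    $context = if ($p.Count -gt 6) { $p[6].Value } else { '' }

    $near = $logoffs |
        Where-Object  { [Math]::Abs(($_.TimeCreated - $s.TimeCreated).TotalSeconds) -le $windowSeconds } |
        Sort-Object   { [Math]::Abs(($_.TimeCreated - $s.TimeCreated).TotalSeconds) } |
        Select-Object -First 1

    # 4647 substitution order: SID, account name, domain, logon ID
    $who = if ($near) { "$($near.Properties[2].Value)\$($near.Properties[1].Value)" } else { '(no 4647 within window)' }

    [PSCustomObject]@{
        Time            = $s.TimeCreated
        Process         = $process
        ShutdownType    = $type
        RequestContext  = $context
        # svchost.exe running as SYSTEM is the Windows Update pattern the article describes
        AutomaticUpdate = ($process -like '*svchost.exe*') -and ($context -like 'NT AUTHORITY\SYSTEM')
        LoggedOffUser   = $who
        LogonId         = if ($near) { $near.Properties[3].Value } else { $null }
    }
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize
```

Rows where AutomaticUpdate is True but LoggedOffUser names an account show whose session the update restart interrupted; rows with AutomaticUpdate False and a named user are manual restarts.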

No Logs Found After a Reboot

If the system crashed or experienced a power loss, the shutdown may not be logged as an orderly event. In such cases, Event ID 6008 in the System log indicates an unexpected shutdown. No user information is available for unclean shutdowns. Ensure the system can write events to the log before shutdown by checking that the Windows Event Log service has its startup type set to Automatic.

| Item | Security Log Event ID 4647 | System Log Event ID 1074 |
| --- | --- | --- |
| Purpose | Records user-initiated logoff or shutdown | Records the process that requested a shutdown or restart |
| User field | Account name of the user who initiated the action | User context under which the shutdown process ran |
| Triggered by manual restart | Yes | Yes |
| Triggered by Windows Update | No, unless a user clicked Restart | Yes, shows svchost.exe under NT AUTHORITY\SYSTEM |
| Requires audit policy | Yes, Other Logon/Logoff Events | No, logged by default |
| Best for identifying user | Yes, when enabled | No, shows service account for automatic updates |

To determine which user initiated a reboot for an update, enable the Other Logon/Logoff Events audit policy using Local Group Policy Editor or auditpol. After a reboot, inspect Event ID 4647 in the Security log for the user account and Event ID 1074 in the System log for the process. This combination gives you a complete picture of who triggered the restart and whether it was manual or automatic. For a proactive approach, consider configuring Active Hours in Settings > Windows Update to prevent updates from restarting during work time.
