EventPeeker
Event ID 6005 | Information | System

Windows Event ID 6005: Event Log Service Started

Logged when the Windows Event Log service starts — effectively marks system startup.

Why It Matters

Acts as a startup marker. Unexpected 6005 events (especially mid-day without a preceding shutdown event) can indicate the system was rebooted by an attacker to apply changes or clear log state.

Investigation Tips

  1. Look for 6005 without a preceding clean 6006 (controlled shutdown) — indicates an unexpected restart.
  2. Correlate the startup time with user activity — a 3am restart on a server is worth investigating.
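
Both tips can be applied to an exported System log with a short script. The following is an added example, not EventPeeker code: it pairs each 6005 with the preceding 6006, attaches any 6008 or 41 records logged close to the startup, and marks starts that need review. The function name, the five-minute correlation window, the 00:00 to 05:59 quiet hours and the sample records are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

STARTUP, CLEAN_STOP = 6005, 6006
CRASH_IDS = {6008, 41}  # unexpected shutdown, kernel crash (IDs listed on this page)

def classify_startups(events, window=timedelta(minutes=5), quiet_hours=range(0, 6)):
    """events: (datetime, event_id) pairs exported from the System log.
    Returns one finding per 6005 event, oldest first."""
    events = sorted(events)
    findings = []
    last_marker = None  # most recent 6005/6006 seen before the current startup
    for ts, eid in events:
        if eid == CLEAN_STOP:
            last_marker = CLEAN_STOP
        elif eid == STARTUP:
            if last_marker is None:
                shutdown = "unknown"   # log begins here; older records may have rolled off
            elif last_marker == CLEAN_STOP:
                shutdown = "clean"
            else:
                shutdown = "missing"   # two 6005s with no 6006 between them
            # Assumption: crash records are written around the next boot, so match by time.
            nearby = sorted({e for t, e in events
                             if e in CRASH_IDS and abs(t - ts) <= window})
            quiet = ts.hour in quiet_hours
            findings.append({"time": ts, "shutdown": shutdown, "crash_events": nearby,
                             "quiet_hours": quiet,
                             "review": shutdown == "missing" or quiet})
            last_marker = STARTUP
    return findings

# Constructed sample records (not taken from a real host)
SAMPLE = [
    (datetime(2024, 3, 4, 8, 0, 5), 6005),     # first record in the log
    (datetime(2024, 3, 4, 19, 30, 0), 6006),
    (datetime(2024, 3, 4, 19, 31, 10), 6005),  # clean evening restart
    (datetime(2024, 3, 5, 13, 12, 40), 41),
    (datetime(2024, 3, 5, 13, 12, 44), 6008),
    (datetime(2024, 3, 5, 13, 12, 45), 6005),  # mid-day, no 6006, crash records nearby
    (datetime(2024, 3, 6, 3, 2, 0), 6006),
    (datetime(2024, 3, 6, 3, 3, 30), 6005),    # clean shutdown, but at 3am
    (datetime(2024, 3, 6, 14, 0, 0), 6005),    # no 6006 and no crash record
]

if __name__ == "__main__":
    for f in classify_startups(SAMPLE):
        print(f["time"], f["shutdown"], f["crash_events"], "REVIEW" if f["review"] else "")
```

The first 6005 in an export is reported as "unknown" rather than flagged, because the matching shutdown record may simply predate the oldest entry in the file.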

Related Event IDs

6006: Event Log service stopped — marks planned shutdown
6008: Unexpected shutdown event
41: Kernel crash — may have caused the restart
