EventPeeker
Scan your Security and Sysmon logs·Detection guides
Event ID 6006InformationSystem

Windows Event ID 6006Event Log Service Stopped

Logged when the Windows Event Log service stops — marks a clean, controlled shutdown.

Why It Matters

A 6006 without a subsequent 6005 in the expected window, or 6006 followed by 6005 at an unexpected time, can mark attacker-initiated reboots.

Investigation Tips

  1. 1.Planned maintenance shutdowns should have a 6006 followed by 6005 within the expected maintenance window.
  2. 2.Unplanned 6006 + 6005 pairs outside maintenance hours warrant investigation.

Related Event IDs

6005Event Log service started — system startup

See Event ID 6006 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects event log service stopped patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →
← All detection guides·Analyze EVTX Logs Free →