Windows Server restart / shutdown history

The clearest most succinct answer I could find is:

• How To See PC Startup And Shutdown History In Windows

which lists these event ids to monitor (quoted but edited and reformatted from article):

• Event ID 6005 (alternate): “The event log service was started.” This is synonymous to system startup.
• Event ID 6006 (alternate): “The event log service was stopped.” This is synonymous to system shutdown.
• Event ID 6008 (alternate): "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.
• Event ID 6009 (alternate): Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
• Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id.

Add to that a couple more from the Server Fault answers listed in my OP:

• Event ID 1074 (alternate): "The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z." Indicates that an application or a user initiated a restart or shutdown.
• Event ID 1076 (alternate): "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

Did I miss any?

Turning @user10082 comment into an answer. The proposed solution is a one-liner, as Powershell script:

Get-EventLog -LogName System |? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize –wrap

Here is the output:

TimeGenerated         EventID Message
-------------         ------- -------
5/30/2021 11:23:16 AM    6005 The Event log service was started.
5/30/2021 11:23:16 AM    6009 Microsoft (R) Windows (R) 10.00. 19042  Multiprocessor Free.
5/30/2021 11:23:16 AM    6008 The previous system shutdown at 18:35:45 on ‎24/‎05/‎2021 was unexpected.
5/24/2021 11:55:45 AM    6005 The Event log service was started.
5/24/2021 11:55:45 AM    6009 Microsoft (R) Windows (R) 10.00. 19042  Multiprocessor Free.
5/24/2021 11:55:31 AM    6006 The Event log service was stopped.
5/24/2021 11:55:27 AM    1074 The process C:\Windows\system32\SystemSettingsAdminFlows.exe (DESKTOP) has
                              initiated the restart of computer DESKTOP on behalf of user DESKTOP\User
                              for the following reason: Other (Unplanned)
                               Reason Code: 0x0
                               Shutdown Type: restart
                               Comment:

I would simply leave this as a comment since JohnC has basically covered everything, but I am not allowed to do so yet.

The events he described have been used for quite a while, so they will work for any of the OS you mentioned, as well as their desktop brethren. The event ID pages He linked to, such as the one for 6006 on TechNet, mention Windows Server 2003.

If there was an elegant shutdown, user initiated or otherwise, you should also see some Event ID 7036 telling you that various services "entered the stopped state." As the machine starts up again, you will see more 7036s announcing that services are entering the running state.

I prefer to accomplish activities from command line. Here's the beginning of a snippet you can leverage. This shows the most recent 30,000 system records and returns the reboots within those records.

Get-EventLog -LogName System -Newest 30000 | Where-Object {$_.EventID -eq 6005}

Building on @JohnC s answer and extending it

You could use an XML filter like:

<QueryList>
<Query Id="0" Path="System">
<Select Path="Security">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Setup">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='eventlog' or @Name='Microsoft-Windows-Eventlog'] and (EventID=1074 or EventID=1076 or EventID=6005 or EventID=6006 or EventID=6008) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Microsoft-Windows-Kernel-Power/Diagnostic">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="Microsoft-Windows-Kernel-Power/Thermal-Diagnostic">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (Level=1 ) and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='User32'] and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-WER-SystemErrorReporting'] and TimeCreated[timediff(@SystemTime) &lt;= 172800000]]]</Select>
</Query>
</QueryList>

You can replace 172800000 with the below values for the time range:

86400000 - Last 24 hours

172800000 - Last 2 Days

604800000 - Last 7 Days

This will show much more detail from the time when the server/pc went offline It includes Kernel-Power, User32 and EventLog events.

Short and concise one liner to get reboot and startup time of last 8 hours from a remote machine using SysInternals psloglist and the event id's from above:

psloglist \\computername -h 8 -i 41,1074,1076,6005,6006,6008,6013

The only thing missing (for me) is the event id for "logon dialog ready for user" equivalent. That seems to hard to find (What can I query to see if Windows is booted and done with updates?)