ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying Event ID 1013 system uptime logs on a professional monitoring dashboard
Event ID 1013InformationKernel-GeneralWindows

Windows Event ID 1013 – Kernel-General: System Uptime Information

Event ID 1013 records system uptime information when Windows starts or resumes from hibernation, providing administrators with boot time tracking and system availability metrics.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 1013Kernel-General 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 1013 is generated by the Kernel-General provider as part of the standard boot logging process. This event occurs during the final stages of system initialization when the kernel has successfully loaded core components and is ready to begin normal operations. The event data includes precise timestamps, uptime calculations from the previous session, and contextual information about why the system was restarted.

The event structure contains several key data points: the current boot time, the duration the system was running before the last shutdown, the shutdown reason (if available), and various system identifiers. This information proves invaluable for administrators managing enterprise environments where system availability directly impacts business operations.

In Windows Server environments, Event ID 1013 becomes particularly important for tracking planned versus unplanned restarts. The event helps distinguish between maintenance windows, automatic updates, and unexpected system failures. Modern Windows versions in 2026 have enhanced this event with additional telemetry data, including boot performance metrics and hardware initialization times.

The event fires consistently across all Windows versions but may contain slightly different data fields depending on the specific build and hardware configuration. Virtual machines, physical servers, and workstations all generate this event, making it a universal reference point for system lifecycle tracking.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Normal system startup after a planned shutdown or restart
  • System recovery from hibernation or sleep mode
  • Automatic restart following Windows Update installation
  • Manual restart initiated by administrators or users
  • System restart after power failure recovery
  • Restart triggered by application installations requiring reboot
  • Recovery from system crash or blue screen events
  • Scheduled restart from maintenance scripts or Group Policy
Resolution Methods

Troubleshooting Steps

01

View Event Details in Event Viewer

Access the basic event information through the Windows Event Viewer interface:

  1. Press Windows + R, type eventvwr.msc, and press Enter
  2. Navigate to Windows LogsSystem
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 1013 in the Event IDs field and click OK
  5. Double-click any Event ID 1013 entry to view detailed information
  6. Review the General tab for basic uptime data and timestamps
  7. Check the Details tab for raw XML data containing additional metrics
Pro tip: The event description shows the system uptime in a human-readable format, while the XML data contains precise millisecond values for scripting purposes.
02

Query Events with PowerShell

Use PowerShell to retrieve and analyze Event ID 1013 data programmatically:

# Get the most recent 10 Event ID 1013 entries
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1013} -MaxEvents 10

# Extract detailed information with custom formatting
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1013} -MaxEvents 5 | 
  Select-Object TimeCreated, Id, LevelDisplayName, Message | 
  Format-Table -AutoSize

# Get events from the last 30 days
$StartDate = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1013; StartTime=$StartDate}

# Export uptime data to CSV for analysis
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1013} -MaxEvents 50 | 
  Select-Object TimeCreated, Message | 
  Export-Csv -Path "C:\temp\uptime_events.csv" -NoTypeInformation

For advanced analysis, parse the XML data to extract specific uptime values:

# Parse XML data for precise uptime information
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1013} -MaxEvents 10
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $UptimeData = $XML.Event.EventData.Data
    Write-Host "Boot Time: $($Event.TimeCreated)"
    Write-Host "Uptime Data: $($Event.Message)"
    Write-Host "---"
}
03

Create Automated Uptime Monitoring

Implement automated monitoring to track system uptime patterns and generate reports:

# Create a comprehensive uptime monitoring script
function Get-SystemUptimeReport {
    param(
        [int]$Days = 30
    )
    
    $StartDate = (Get-Date).AddDays(-$Days)
    $UptimeEvents = Get-WinEvent -FilterHashtable @{
        LogName='System'
        Id=1013
        StartTime=$StartDate
    } -ErrorAction SilentlyContinue
    
    if ($UptimeEvents) {
        $Report = @()
        foreach ($Event in $UptimeEvents) {
            $Report += [PSCustomObject]@{
                BootTime = $Event.TimeCreated
                Message = $Event.Message
                DayOfWeek = $Event.TimeCreated.DayOfWeek
            }
        }
        return $Report | Sort-Object BootTime -Descending
    }
}

# Generate and display the report
$UptimeReport = Get-SystemUptimeReport -Days 60
$UptimeReport | Format-Table -AutoSize

# Calculate average uptime between restarts
if ($UptimeReport.Count -gt 1) {
    $TimeDifferences = @()
    for ($i = 0; $i -lt ($UptimeReport.Count - 1); $i++) {
        $Diff = $UptimeReport[$i].BootTime - $UptimeReport[$i+1].BootTime
        $TimeDifferences += $Diff.TotalHours
    }
    $AverageUptime = ($TimeDifferences | Measure-Object -Average).Average
    Write-Host "Average uptime between restarts: $([math]::Round($AverageUptime, 2)) hours"
}
Pro tip: Schedule this script as a daily task to automatically generate uptime reports and identify systems with frequent restart patterns.
04

Correlate with Shutdown Events

Combine Event ID 1013 data with shutdown events (1074, 6006, 6008) for complete system lifecycle tracking:

# Comprehensive system restart analysis
function Get-SystemRestartAnalysis {
    param([int]$Days = 14)
    
    $StartDate = (Get-Date).AddDays(-$Days)
    
    # Get startup events (1013)
    $StartupEvents = Get-WinEvent -FilterHashtable @{
        LogName='System'
        Id=1013
        StartTime=$StartDate
    } -ErrorAction SilentlyContinue
    
    # Get shutdown events (1074, 6006, 6008)
    $ShutdownEvents = Get-WinEvent -FilterHashtable @{
        LogName='System'
        Id=1074,6006,6008
        StartTime=$StartDate
    } -ErrorAction SilentlyContinue
    
    # Combine and sort all events
    $AllEvents = @()
    
    foreach ($Event in $StartupEvents) {
        $AllEvents += [PSCustomObject]@{
            Time = $Event.TimeCreated
            Type = "Startup"
            EventId = $Event.Id
            Message = $Event.Message
        }
    }
    
    foreach ($Event in $ShutdownEvents) {
        $AllEvents += [PSCustomObject]@{
            Time = $Event.TimeCreated
            Type = "Shutdown"
            EventId = $Event.Id
            Message = $Event.Message
        }
    }
    
    return $AllEvents | Sort-Object Time -Descending
}

# Run the analysis
$RestartAnalysis = Get-SystemRestartAnalysis -Days 30
$RestartAnalysis | Format-Table Time, Type, EventId, @{Name="Message";Expression={$_.Message.Substring(0,[Math]::Min(80,$_.Message.Length))}} -AutoSize

Create a scheduled task to run this analysis weekly:

# Register a scheduled task for weekly restart analysis
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\RestartAnalysis.ps1"
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9:00AM
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "Weekly Restart Analysis" -Action $Action -Trigger $Trigger -Settings $Settings -Description "Analyze system restart patterns using Event ID 1013"
05

Advanced Event Log Analysis and Alerting

Implement enterprise-level monitoring with custom alerting for abnormal restart patterns:

# Advanced monitoring script with alerting capabilities
function Monitor-SystemUptimePatterns {
    param(
        [int]$AlertThresholdHours = 2,
        [string]$SMTPServer = "mail.company.com",
        [string]$AlertEmail = "admin@company.com"
    )
    
    # Get recent startup events
    $RecentStartups = Get-WinEvent -FilterHashtable @{
        LogName='System'
        Id=1013
        StartTime=(Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue
    
    if ($RecentStartups.Count -gt 3) {
        # Multiple restarts detected
        $AlertMessage = @"
Multiple system restarts detected on $($env:COMPUTERNAME):

Restart Times:
$($RecentStartups | ForEach-Object { "- $($_.TimeCreated)" } | Out-String)

This may indicate system instability or maintenance activity.
"@
        
        # Send alert email (configure SMTP settings as needed)
        try {
            Send-MailMessage -To $AlertEmail -From "monitoring@company.com" -Subject "Multiple Restarts Detected - $($env:COMPUTERNAME)" -Body $AlertMessage -SmtpServer $SMTPServer
            Write-Host "Alert sent for multiple restarts" -ForegroundColor Yellow
        } catch {
            Write-Warning "Failed to send alert email: $($_.Exception.Message)"
        }
    }
    
    # Check for unexpected restarts (Event ID 6008 - unexpected shutdown)
    $UnexpectedShutdowns = Get-WinEvent -FilterHashtable @{
        LogName='System'
        Id=6008
        StartTime=(Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue
    
    if ($UnexpectedShutdowns) {
        Write-Warning "Unexpected shutdowns detected in the last 24 hours: $($UnexpectedShutdowns.Count)"
        $UnexpectedShutdowns | ForEach-Object {
            Write-Host "Unexpected shutdown at: $($_.TimeCreated)" -ForegroundColor Red
        }
    }
}

# Create Windows Event Log custom view for Event ID 1013
$CustomViewXML = @'

  
    
  

'@

# Save custom view to file
$CustomViewXML | Out-File -FilePath "$env:TEMP\Event1013_CustomView.xml" -Encoding UTF8
Write-Host "Custom view XML saved to: $env:TEMP\Event1013_CustomView.xml"
Write-Host "Import this file in Event Viewer under Custom Views for easy Event ID 1013 filtering"

# Run the monitoring function
Monitor-SystemUptimePatterns
Warning: Configure SMTP settings and email addresses before implementing automated alerting in production environments.

Set up Windows Performance Toolkit (WPT) correlation:

# Correlate Event ID 1013 with boot performance data
# Requires Windows Performance Toolkit installation
function Get-BootPerformanceCorrelation {
    $BootEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1013} -MaxEvents 5
    
    foreach ($Event in $BootEvents) {
        $BootTime = $Event.TimeCreated
        Write-Host "Analyzing boot at: $BootTime" -ForegroundColor Green
        
        # Check for related performance events around boot time
        $StartWindow = $BootTime.AddMinutes(-2)
        $EndWindow = $BootTime.AddMinutes(10)
        
        $PerfEvents = Get-WinEvent -FilterHashtable @{
            LogName='Microsoft-Windows-Diagnostics-Performance/Operational'
            StartTime=$StartWindow
            EndTime=$EndWindow
        } -ErrorAction SilentlyContinue
        
        if ($PerfEvents) {
            Write-Host "  Found $($PerfEvents.Count) performance events during boot window"
        }
    }
}

Get-BootPerformanceCorrelation

Overview

Event ID 1013 from the Kernel-General source fires during system startup and provides critical uptime information for Windows systems. This informational event appears in the System log whenever Windows completes its boot sequence or resumes from hibernation. The event contains valuable data about system boot time, previous uptime duration, and shutdown reason codes that help administrators track system availability and identify patterns in restart behavior.

Unlike many kernel events that indicate problems, Event ID 1013 represents normal system operation. It serves as a timestamp marker for when the system became operational and includes metrics about the previous session's runtime. This makes it particularly valuable for capacity planning, SLA monitoring, and troubleshooting intermittent issues that correlate with system restarts.

The event typically appears within the first few minutes of system startup, after core kernel components have initialized but before all services are fully operational. System administrators rely on this event for automated monitoring scripts, uptime reporting, and forensic analysis of system restart patterns.

Frequently Asked Questions

What does Event ID 1013 mean and why does it appear in my System log?+
Event ID 1013 is a normal informational event generated by the Kernel-General provider during system startup. It records uptime information and boot completion status, appearing every time Windows successfully starts or resumes from hibernation. This event is not an error - it's part of standard Windows logging that helps administrators track system availability and boot patterns. The event contains valuable data about the previous session's uptime duration and provides a timestamp for when the system became operational.
How can I use Event ID 1013 to monitor system uptime and availability?+
Event ID 1013 serves as an excellent marker for system restart tracking and uptime monitoring. You can query these events using PowerShell to calculate average uptime between restarts, identify patterns in system reboots, and generate availability reports. By analyzing the frequency and timing of Event ID 1013 occurrences, you can determine if a system is restarting more frequently than expected, track maintenance windows, and correlate restart patterns with other system events. This data is particularly valuable for SLA reporting and capacity planning in enterprise environments.
Can Event ID 1013 help me troubleshoot system stability issues?+
Yes, Event ID 1013 is valuable for troubleshooting system stability when used in conjunction with other events. While the event itself indicates successful startup, analyzing its frequency can reveal stability problems. If you see Event ID 1013 occurring multiple times per day unexpectedly, it suggests the system is restarting frequently due to crashes, power issues, or other problems. Correlate these events with shutdown events (1074, 6006, 6008) and error events to build a complete picture of system behavior. The uptime data in Event ID 1013 can also help identify if restarts are planned or unexpected.
What information is contained in the Event ID 1013 message and XML data?+
Event ID 1013 contains several key pieces of information: the current boot timestamp, the duration the system was running before the last shutdown, and contextual data about the restart. The human-readable message shows uptime in a friendly format, while the XML data contains precise values suitable for scripting and automation. In Windows Server 2025 and Windows 11 2026 updates, additional telemetry data includes boot performance metrics, hardware initialization times, and enhanced shutdown reason codes. This rich data set makes Event ID 1013 valuable for both manual analysis and automated monitoring systems.
How do I set up automated monitoring and alerting based on Event ID 1013 patterns?+
To implement automated monitoring for Event ID 1013, create PowerShell scripts that query the System log for these events and analyze their frequency and timing. Set up scheduled tasks to run these scripts daily or weekly, checking for abnormal restart patterns such as multiple boots within short timeframes. Configure email alerts when the script detects more than a threshold number of restarts (e.g., more than 3 in 24 hours). You can also integrate with monitoring systems like SCOM or third-party tools by exporting Event ID 1013 data to CSV files or databases. For enterprise environments, consider creating custom Event Viewer filters and forwarding these events to centralized logging systems for organization-wide uptime tracking.
Documentation

References (2)

1
Microsoft Learn - Windows Event LoggingOfficial documentation covering Windows Event Logging architecture, including kernel events and system startup logging.https://learn.microsoft.com/en-us/windows/win32/eventlog/event-logging
2
Windows Server Event Log ReferenceComprehensive guide to Windows event log management tools and command-line utilities for event analysis.https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-1013#system-uptime#boot-monitoring

Related Windows Events

Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event 16388
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 16388 – Microsoft-Windows-Kernel-General: System Time Change Notification

Event ID 16388 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-related issues.

March 189 min
Windows Event Viewer showing system event logs on a monitoring dashboard
Event 16384
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 16384 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 16384 fires when Windows detects a system time change, either manual or automatic. Critical for security auditing and troubleshooting time synchronization issues in domain environments.

March 189 min
Windows Event Viewer displaying system time change events on a monitoring dashboard
Event 11728
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 11728 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 11728 fires when Windows detects a system time change, typically from time synchronization services, manual adjustments, or hardware clock drift corrections.

March 1812 min
Windows Event Viewer displaying system time change events on a professional monitoring dashboard
Event 11724
Microsoft-Windows-Kernel-General
Windows EventInformation

Windows Event ID 11724 – Microsoft-Windows-Kernel-General: System Time Change Detected

Event ID 11724 indicates the Windows kernel detected a system time change, typically triggered by time synchronization services, manual adjustments, or hardware clock drift corrections.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...