Windows Event ID 6000 – EventLog: Event Log Service Started

Open Event Viewer to examine the specific details of Event ID 6000 and confirm normal service startup.

1. Press Windows + R, type eventvwr.msc, and press Enter
2. Navigate to Windows Logs → System
3. Filter the log by clicking Filter Current Log in the Actions pane
4. Enter 6000 in the Event IDs field and click OK
5. Double-click the most recent Event ID 6000 entry
6. Review the General tab for timestamp and basic information
7. Check the Details tab for additional service startup parameters
8. Note the exact time of service startup for correlation with other boot events

Use PowerShell to retrieve and analyze Event ID 6000 occurrences for pattern analysis and troubleshooting.

1. Open PowerShell as Administrator
2. Run the following command to get recent Event ID 6000 entries:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=6000} -MaxEvents 10 | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize

3. For more detailed analysis, use this command:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=6000} -MaxEvents 5 | ForEach-Object {
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        MachineName = $_.MachineName
        ProcessId = $_.ProcessId
        ThreadId = $_.ThreadId
        Message = $_.Message
    }
}

4. To export the results to CSV for further analysis:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=6000} -MaxEvents 50 | Export-Csv -Path "C:\Temp\EventID6000_History.csv" -NoTypeInformation

Verify the current status and configuration of the Windows Event Log service to ensure proper operation.

1. Check service status via PowerShell:

Get-Service -Name EventLog | Format-List Name, Status, StartType, ServiceType

2. View detailed service information:

Get-WmiObject -Class Win32_Service -Filter "Name='EventLog'" | Select-Object Name, State, StartMode, ProcessId, PathName

3. Open Services console by pressing Windows + R, typing services.msc
4. Locate Windows Event Log service in the list
5. Right-click and select Properties
6. Verify the Startup type is set to Automatic
7. Check the Dependencies tab to see required services
8. Review the Recovery tab for failure handling configuration

Examine the relationship between Event ID 6000 and overall system boot performance to identify potential issues.

1. Use PowerShell to analyze boot time correlation:

# Get the last boot time
$LastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
Write-Host "Last Boot Time: $LastBoot"

# Get Event ID 6000 after last boot
$EventLogStart = Get-WinEvent -FilterHashtable @{LogName='System'; Id=6000; StartTime=$LastBoot} -MaxEvents 1
if ($EventLogStart) {
    $BootToEventLog = ($EventLogStart.TimeCreated - $LastBoot).TotalSeconds
    Write-Host "Time from boot to Event Log service start: $BootToEventLog seconds"
}

2. Check service dependencies that must start before EventLog:

$EventLogService = Get-WmiObject -Class Win32_Service -Filter "Name='EventLog'"
$Dependencies = $EventLogService.ServicesDependedOn
foreach ($Dep in $Dependencies) {
    Get-Service -Name $Dep | Format-Table Name, Status, StartType
}

3. Generate a comprehensive boot analysis report:

# Create boot analysis report
$Report = @()
$LastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Get key boot events
$Events = @(6005, 6006, 6000, 6009)
foreach ($EventId in $Events) {
    $Event = Get-WinEvent -FilterHashtable @{LogName='System'; Id=$EventId; StartTime=$LastBoot.AddMinutes(-5)} -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($Event) {
        $Report += [PSCustomObject]@{
            EventId = $EventId
            TimeCreated = $Event.TimeCreated
            Message = $Event.Message.Split("`n")[0]
        }
    }
}
$Report | Sort-Object TimeCreated | Format-Table -AutoSize

Perform deep analysis of Event Log service configuration and log file integrity for advanced troubleshooting.

1. Examine Event Log service registry configuration:

# Check EventLog service registry settings
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog" | Format-List

# Check individual log configurations
Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog" | ForEach-Object {
    Write-Host "Log: $($_.PSChildName)"
    Get-ItemProperty -Path $_.PSPath | Select-Object File, MaxSize, Retention | Format-List
}

2. Verify event log file locations and integrity:

# Get event log file paths and sizes
Get-WinEvent -ListLog * | Where-Object {$_.RecordCount -gt 0} | Select-Object LogName, LogFilePath, FileSize, RecordCount | Sort-Object LogName

3. Check for event log corruption or issues:

# Test event log accessibility
$Logs = @('System', 'Application', 'Security')
foreach ($Log in $Logs) {
    try {
        $TestEvent = Get-WinEvent -LogName $Log -MaxEvents 1 -ErrorAction Stop
        Write-Host "$Log log: OK" -ForegroundColor Green
    } catch {
        Write-Host "$Log log: ERROR - $($_.Exception.Message)" -ForegroundColor Red
    }
}

4. Navigate to registry path HKLM\SYSTEM\CurrentControlSet\Services\EventLog using Registry Editor
5. Verify the Start value is set to 2 (Automatic startup)
6. Check the Type value is 20 (Win32ShareProcess)
7. Examine individual log registry keys under the EventLog key for proper configuration