System.evtx
C:\Windows\System32\winevt\Logs\System.evtx
The System log is not about users - it is about the machine itself. Services crashing, drivers failing to load, unexpected reboots and power state transitions all write here. It is the heartbeat of the operating system, and in any investigation it provides critical timeline anchors that user-activity logs simply cannot.
System - written by the Windows kernel, system components and service control manager
General
System.evtx is one of the three classic Windows event logs, alongside Security and Application. It is populated by the Windows kernel, the Service Control Manager (SCM) and hardware abstraction components. Because it reflects the state of the OS infrastructure itself, it is invaluable for establishing a machine timeline - documenting exactly when the system was powered on, when it shut down and what ran in between. The log defaults to a 20 MB maximum size and overwrites its oldest events once full, which makes it particularly susceptible to evidence loss on busy systems.
Traces
The most forensically significant Event IDs in the System log are:
| Event ID | Description |
|---|---|
| 6005 | Event Log Service started. Reliably marks system boot - the exact time the OS became operational. |
| 6006 | Event Log Service stopped. Marks a clean, intentional shutdown sequence. |
| 6008 | Unexpected shutdown. Logged on the next boot - indicates a crash, power loss or forced power-off. |
| 7036 | A service entered the running or stopped state. Tracks the operational lifecycle of any service on the system. |
| 7040 | Service start type changed. An attacker may switch a disabled service to automatic to ensure persistence survives reboots. |
| 7045 | A new service was installed. High-value persistence indicator - malware routinely installs kernel-level or SYSTEM-privilege services here. |
Forensic Value
- Establish a machine timeline: 6005 and 6006 events provide exact UTC boot and shutdown timestamps, letting you build a definitive on/off history of the device across an investigation window.
- Detect crash-based anti-forensics: A 6008 event following a period of attacker activity suggests a forced hard-reboot intended to flush volatile memory and clear running process evidence.
- Identify malicious service installation: Event ID 7045 captures the service name, binary path, start type and the account under which it runs - all data points essential for confirming a persistence mechanism.
- Correlate service tampering: A 7040 event changing a known-disabled service to automatic start is a reliable signal that an attacker is preparing for system persistence across reboots.
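As an added example (not part of this page's own material), the following Python script applies both the Event ID table above and the forensic-value points to an XML export of System.evtx such as `wevtutil qe System /f:xml` produces. It pairs each 6005 boot with its 6006 (clean) or 6008 (unexpected) ending to build the on/off timeline, pulls the service name, image path, start type and account out of 7045, and flags 7040 changes from disabled to automatic start. The sample events, service names, timestamps and paths are constructed; the EventData field names (ServiceName, ImagePath, StartType, AccountName for 7045, param1 to param4 for 7040) are the ones the Service Control Manager writes, and the five-minute grace window used to tell the crashed session from the boot that reports it is an assumption of this script.

```python
# Triage of an XML export of System.evtx (as produced by `wevtutil qe System /f:xml`,
# with the individual <Event> elements wrapped here in one <Events> root).
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# A 6008 is written during the boot that follows a crash, so any session opened
# within this window of the 6008 is that new boot, not the crashed one (assumption).
BOOT_GRACE = timedelta(minutes=5)

# Constructed sample: every timestamp, service name and path is invented.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="EventLog"/><EventID>6005</EventID>
 <TimeCreated SystemTime="2024-03-01T08:00:00.0000000Z"/></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
 <TimeCreated SystemTime="2024-03-01T08:15:00.0000000Z"/></System>
 <EventData><Data Name="ServiceName">UpdaterSvc</Data>
 <Data Name="ImagePath">C:\Users\Public\updater.exe</Data>
 <Data Name="ServiceType">user mode service</Data>
 <Data Name="StartType">auto start</Data>
 <Data Name="AccountName">LocalSystem</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Service Control Manager"/><EventID>7040</EventID>
 <TimeCreated SystemTime="2024-03-01T08:16:00.0000000Z"/></System>
 <EventData><Data Name="param1">Remote Registry</Data><Data Name="param2">disabled</Data>
 <Data Name="param3">auto start</Data><Data Name="param4">RemoteRegistry</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="EventLog"/><EventID>6005</EventID>
 <TimeCreated SystemTime="2024-03-01T09:30:00.0000000Z"/></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="EventLog"/><EventID>6008</EventID>
 <TimeCreated SystemTime="2024-03-01T09:30:05.0000000Z"/></System>
 <EventData><Data>8:42:11 AM</Data><Data>3/1/2024</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="EventLog"/><EventID>6006</EventID>
 <TimeCreated SystemTime="2024-03-01T17:00:00.0000000Z"/></System></Event>
</Events>"""


def parse_time(stamp):
    """Windows writes seven fractional digits; trim to the six datetime accepts."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def parse_events(xml_text):
    """Flatten each <Event> into {id, time, data}; unnamed <Data> become param1.."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{NS}Event"):
        sys_el = ev.find(f"{NS}System")
        data = {}
        ed = ev.find(f"{NS}EventData")
        if ed is not None:
            for i, d in enumerate(ed.findall(f"{NS}Data")):
                data[d.get("Name") or f"param{i + 1}"] = d.text or ""
        events.append({"id": int(sys_el.findtext(f"{NS}EventID")),
                       "time": parse_time(sys_el.find(f"{NS}TimeCreated").get("SystemTime")),
                       "data": data})
    events.sort(key=lambda e: e["time"])
    return events


def power_sessions(events):
    """Pair each 6005 boot with its 6006 (clean) or 6008 (unexpected) ending."""
    sessions = []
    for e in events:
        if e["id"] == 6005:
            sessions.append({"boot": e["time"], "shutdown": None, "state": "open"})
        elif e["id"] == 6006 and sessions and sessions[-1]["state"] == "open":
            sessions[-1].update(shutdown=e["time"], state="clean")
        elif e["id"] == 6008:
            # The crashed session is the newest still-open one that is not the boot in
            # progress. Its stop time exists only as locale-formatted text in the 6008
            # data, so it is kept as a string rather than a parsed timestamp.
            older = [s for s in sessions
                     if s["state"] == "open" and s["boot"] < e["time"] - BOOT_GRACE]
            if older:
                older[-1].update(state="unexpected",
                                 shutdown_text=" ".join(e["data"].values()))
    return sessions


def service_findings(events):
    """7045 installs plus 7040 start-type changes from disabled to automatic."""
    findings = []
    for e in events:
        d = e["data"]
        if e["id"] == 7045:
            findings.append({"time": e["time"], "kind": "new_service",
                             "service": d.get("ServiceName"), "image": d.get("ImagePath"),
                             "start": d.get("StartType"), "account": d.get("AccountName")})
        elif e["id"] == 7040:
            # param2/param3 are the old and new start type as display strings
            # ("disabled", "auto start", "demand start"); param4 is the service key name.
            old, new = d.get("param2", ""), d.get("param3", "")
            if "disabled" in old.lower() and "auto" in new.lower():
                findings.append({"time": e["time"], "kind": "disabled_to_auto",
                                 "service": d.get("param4") or d.get("param1"),
                                 "old": old, "new": new})
    return findings


def triage(xml_text):
    events = parse_events(xml_text)
    return {"sessions": power_sessions(events), "findings": service_findings(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_XML)
    for s in result["sessions"]:
        print(f"boot {s['boot']:%Y-%m-%d %H:%M:%S}Z  end={s['state']}  "
              f"shutdown={s.get('shutdown') or s.get('shutdown_text')}")
    for f in result["findings"]:
        print(f"{f['time']:%H:%M:%S}Z  {f['kind']}: {f['service']}")
```

Run against a real export by replacing SAMPLE_XML with the file contents wrapped in a single root element; a session that ends as "open" with no 6006 and no later 6008 is worth a second look, since the shutdown marker may have rolled out of the 20 MB log rather than never been written.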