I'm looking at a computer for a court case (ah the excitement of
computer tech work) :) - and I need to see when the computer was
used. So I saved a log of Event Log starting (6005) and stopping
(6006) but here's the odd part - there are more starts than stops
(which could mean the computer was turned off without shutdown, I
suppose) and there are several cases where the eventlog service
appears to have stopped before it started, for example:
The second Startup entry: Information 10/2/2010 3:46:20 PM eventlog None 6005
The second Shutdown entry: Information 10/2/2010 3:45:18 PM eventlog None 6006 - almost 1 minute before the startup.
Am I doing this wrong? Is there a utility that will parse this more
easily for me?
T
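Event IDs 6005 and 6006 record the Event Log service starting and stopping, so a 6006 followed a minute later by a 6005 is simply a reboot; pairing the nth start with the nth stop breaks as soon as one session has no stop (power loss, crash, or the log was saved while the machine was still running). The reconstruction below is an added example, not code from the poster or from any Windows tool: it sorts all 6005/6006 entries chronologically, opens a session on each 6005, closes it on the next 6006, and labels the anomalies instead of assuming a one-to-one pairing. The line layout (Level Date Time AM/PM Source Category EventID) is assumed from the two entries quoted above, and the sample lines are constructed, listed newest-first as Event Viewer exports them.

```python
from datetime import datetime

# Constructed sample in the layout quoted in the post (newest first).
SAMPLE_LOG = """\
Information 10/4/2010 7:00:00 AM eventlog None 6006
Information 10/3/2010 5:30:42 PM eventlog None 6006
Information 10/3/2010 8:15:00 AM eventlog None 6005
Information 10/2/2010 3:46:20 PM eventlog None 6005
Information 10/2/2010 3:45:18 PM eventlog None 6006
Information 10/2/2010 9:02:11 AM eventlog None 6005
"""

START, STOP = 6005, 6006


def parse_events(text):
    """Return [(timestamp, event_id), ...] sorted oldest-first.

    Assumed layout per line: Level Date Time AM/PM Source Category EventID.
    Lines that do not carry a 6005/6006 are ignored.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        _level, date, clock, ampm, _source, _category, event_id = parts[:7]
        event_id = int(event_id)
        if event_id not in (START, STOP):
            continue
        ts = datetime.strptime(f"{date} {clock} {ampm}", "%m/%d/%Y %I:%M:%S %p")
        events.append((ts, event_id))
    # Chronological order is what matters; export order (newest first) is not.
    return sorted(events)


def reconstruct_sessions(events):
    """Walk the timeline and return [(start, stop, status), ...].

    status is one of:
      "clean"    - 6005 followed by a 6006
      "no-stop"  - 6005 followed by another 6005 (no orderly shutdown recorded)
      "no-start" - 6006 with no open session (log begins mid-session)
      "open"     - 6005 with nothing after it (running when the log was saved)
    """
    sessions = []
    open_start = None
    for ts, event_id in events:
        if event_id == START:
            if open_start is not None:
                sessions.append((open_start, None, "no-stop"))
            open_start = ts
        else:  # STOP
            if open_start is None:
                sessions.append((None, ts, "no-start"))
            else:
                sessions.append((open_start, ts, "clean"))
                open_start = None
    if open_start is not None:
        sessions.append((open_start, None, "open"))
    return sessions


def summarize(sessions):
    """Count sessions per status so the start/stop imbalance is explained."""
    counts = {"clean": 0, "no-stop": 0, "no-start": 0, "open": 0}
    for _start, _stop, status in sessions:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    sessions = reconstruct_sessions(parse_events(SAMPLE_LOG))
    for start, stop, status in sessions:
        uptime = (stop - start) if start and stop else None
        print(f"{status:9} start={start} stop={stop} uptime={uptime}")
    print(summarize(sessions))
```

On the constructed sample the 3:45:18 PM stop closes the session that began at 9:02:11 AM, and the 3:46:20 PM start opens a new one; that start is then followed by another 6005 with no 6006 in between, which is the "no-stop" case (more starts than stops), and the final 6006 with no open session shows a log that begins mid-session. For a real export, feed the saved text to `parse_events` after checking that its column layout matches the assumed one.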