1100 The event logging service has shut down
Written when the Windows event logging service stops. It also fires on a normal shutdown, but it can be the opening move when an attacker stops log collection to hide their tracks.
Overview
The subcategory is Other Events, and the source is the Microsoft-Windows-Eventlog provider (the component that runs the event log feature itself); the event is written to the Security log. It is recorded each time the service stops, including as part of a normal system shutdown. It is not recorded during an emergency reset such as a forced power-off or a crash, because the service never gets the chance to write it.
How it is triggered
- During a normal OS shutdown or restart.
- When the event logging service (EventLog) stops because an administrator stopped it or because it faulted.
- When an attacker deliberately stops log collection.
Because it does not appear on an emergency reset, a boot with no preceding 1100 (a gap between the last recorded event and the next startup) is itself another clue: either the host was reset or lost power, or events are missing.
Security review points
- Useful for tracking system stops and restarts. On a restart, the startup event 4608 should follow shortly after, so check them as a pair.
- A 1100 outside business hours or at an unplanned time suggests interference with log collection (defense evasion: actions that block detection or logging to hide activity). A 1100 next to a log clear (1102, "The audit log was cleared") on the same host is especially dangerous and is commonly seen in ransomware cases.
- The meaning differs between a single host stopping and many hosts stopping at once. One host stopping outside the plan points to action on that host; many hosts stopping within the same few minutes is either fleet-wide maintenance or a fleet-wide attack, and the operational plan decides which.
Notes for log review
- It always appears on a normal shutdown, so the count itself is not unusual. Match the stop time against operational plans (patching, scheduled reboots) and keep only what cannot be explained.
- If logs are forwarded to a SIEM (a platform that aggregates and analyzes logs from many machines), the blank period after the service stops, when nothing was recorded on the host, shows up as a forwarding outage: the host goes silent. Alerting on a 1100 that is not followed by the host resuming forwarding within the expected restart time catches both faults and deliberate stops.
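The review points above, applied as detection logic. This is an added example and not code from the original page: the events are a constructed sample in the shape of an export of Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1100,1102,4608} reduced to Computer, TimeCreated and Id, and the maintenance window, business hours, 15-minute restart grace period, 10-minute 1102 proximity and three-host fleet threshold are assumed values that a real deployment would take from its own operational plan.

```python
"""Triage of Windows Security-log event 1100 (event logging service shut down).

Added example, not from the original page. SAMPLE_EVENTS is constructed to look
like an export of
  Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1100,1102,4608}
reduced to (Computer, TimeCreated, Id). Thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

STOP, CLEAR, STARTUP = 1100, 1102, 4608

# Constructed sample export (local times). 2024-03-12 is a Tuesday.
SAMPLE_EVENTS = [
    ("WS01", "2024-03-12T22:05:10", STOP),     # patch-window reboots on three hosts
    ("WS01", "2024-03-12T22:07:40", STARTUP),
    ("WS02", "2024-03-12T22:05:12", STOP),
    ("WS02", "2024-03-12T22:08:01", STARTUP),
    ("WS03", "2024-03-12T22:05:15", STOP),
    ("WS03", "2024-03-12T22:08:30", STARTUP),
    ("FS01", "2024-03-14T03:12:00", CLEAR),    # audit log cleared at night ...
    ("FS01", "2024-03-14T03:12:30", STOP),     # ... then logging stopped, no startup
    ("DB01", "2024-03-14T09:40:00", STARTUP),  # startup with no preceding 1100
    ("HR01", "2024-03-15T14:20:00", STOP),     # one host, business hours, not planned
    ("HR01", "2024-03-15T14:21:00", STARTUP),
]

# Assumed operational data and thresholds.
MAINTENANCE_WINDOWS = [(datetime(2024, 3, 12, 22, 0), datetime(2024, 3, 12, 23, 59))]
BUSINESS_HOURS = (time(8, 0), time(18, 0))
RESTART_GRACE = timedelta(minutes=15)    # 4608 expected within this of a 1100
CLEAR_PROXIMITY = timedelta(minutes=10)  # 1102 this close to a 1100 is suspicious
FLEET_WINDOW = timedelta(minutes=5)      # stops on >= 3 hosts inside this = fleet-wide


def parse(records):
    """Turn (Computer, TimeCreated, Id) tuples into dicts sorted by time."""
    events = [{"host": h, "time": datetime.fromisoformat(t), "id": i} for h, t, i in records]
    return sorted(events, key=lambda e: e["time"])


def in_maintenance(t):
    return any(start <= t <= end for start, end in MAINTENANCE_WINDOWS)


def in_business_hours(t):
    return t.weekday() < 5 and BUSINESS_HOURS[0] <= t.time() <= BUSINESS_HOURS[1]


def triage(records):
    """Return one finding per 1100, plus one per 4608 that has no 1100 before it."""
    events = parse(records)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    stops = [e for e in events if e["id"] == STOP]
    findings = []
    for e in stops:
        host, t, same = e["host"], e["time"], by_host[e["host"]]
        tags = []
        # 1100 and 1102 close together on one host: the log-tampering pattern
        if any(x["id"] == CLEAR and abs(x["time"] - t) <= CLEAR_PROXIMITY for x in same):
            tags.append("log-clear-within-10m")
        # A normal restart writes 4608 shortly after the 1100; check them as a pair
        restarted = any(x["id"] == STARTUP and t < x["time"] <= t + RESTART_GRACE for x in same)
        tags.append("restart-confirmed" if restarted else "no-startup-within-15m")
        tags.append("in-maintenance-window" if in_maintenance(t) else "outside-maintenance-window")
        tags.append("in-business-hours" if in_business_hours(t) else "outside-business-hours")
        # Many hosts stopping together reads differently from one host stopping alone
        hosts_near = {x["host"] for x in stops if abs(x["time"] - t) <= FLEET_WINDOW}
        tags.append("fleet-wide" if len(hosts_near) >= 3 else "single-host")
        if "log-clear-within-10m" in tags or not restarted:
            severity = "high"
        elif in_maintenance(t):
            severity = "info"  # explained by the operational plan
        else:
            severity = "medium"
        findings.append({"host": host, "time": t, "id": STOP, "severity": severity, "tags": tags})
    # A 4608 with no 1100 before it: unexpected reset, power loss, or missing events
    for e in events:
        if e["id"] != STARTUP:
            continue
        t = e["time"]
        prior_stop = any(x["id"] == STOP and t - RESTART_GRACE <= x["time"] < t
                         for x in by_host[e["host"]])
        if not prior_stop:
            findings.append({"host": e["host"], "time": t, "id": STARTUP,
                             "severity": "low", "tags": ["startup-without-1100"]})
    return findings


def unexplained(findings):
    """Keep only what the operational plan does not explain."""
    return [f for f in findings if f["severity"] != "info"]


if __name__ == "__main__":
    for f in unexplained(triage(SAMPLE_EVENTS)):
        print(f"{f['severity']:6} {f['host']:5} {f['time']:%Y-%m-%d %H:%M} "
              f"{f['id']} {', '.join(f['tags'])}")
```

Run against the sample, the three patch-window reboots are tagged fleet-wide and dropped as explained, FS01 is rated high on two independent grounds (a 1102 thirty seconds before the stop, and no 4608 afterwards), HR01 is a medium single-host stop inside business hours, and DB01's startup without a 1100 is reported as the gap clue rather than silently accepted.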
Key fields
| Field | Meaning |
|---|---|
| Computer | The host where the stop occurred |
| TimeCreated | The stop time; used to match against startup events and operational plans |
This event carries no specific data fields; internally it holds only a ServiceShutdown marker.