Windows: Determine who shuts down Windows and why

Hi,

To determine who shuts down Windows, the System log can be filtered for Event ID 1074 (source User32).

These entries contain the user name, the process that triggered the shutdown, and the given reason.

PS D:\> Get-WinEvent -Logname System | ?{$_.Id -eq 1074} | Format-List TimeCreated,Message
TimeCreated : 22.11.2021 16:44:31
Message     : The process C:\Windows\system32\svchost.exe (myComputer) has initiated the restart of computer
              myComputer on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service
              pack (Planned)
               Reason Code: 0x80020010
               Shutdown Type: restart
               Comment:

Michael
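
The same query with the filter applied by the event log service, and with the fields of the message returned as separate columns. This is an added example, not part of the original post. The function name Get-ShutdownEvent and the 30-day default are assumptions, and the property order follows the fields shown in the message above (process, computer, reason, reason code, shutdown type, comment, user).

```powershell
# Added example: structured view of Event ID 1074 (provider User32).
# Get-ShutdownEvent is a hypothetical helper name, not a built-in cmdlet.
function Get-ShutdownEvent {
    [CmdletBinding()]
    param(
        # Assumption: look back 30 days unless told otherwise
        [datetime] $After = (Get-Date).AddDays(-30)
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'User32'
        Id           = 1074
        StartTime    = $After
    }

    try {
        # -FilterHashtable filters at the source instead of piping
        # every System event through Where-Object
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No events found" is an empty result, anything else is a real error
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        $p = $e.Properties   # event data in the order it appears in the message
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            User         = $p[6].Value
            Process      = $p[0].Value
            Computer     = $p[1].Value
            ShutdownType = $p[4].Value
            Reason       = $p[2].Value
            ReasonCode   = $p[3].Value
            Comment      = $p[5].Value
        }
    }
}

# All recorded shutdowns and restarts, newest first
Get-ShutdownEvent | Format-Table TimeCreated, User, ShutdownType, Process, Reason -AutoSize

# Only those that were not initiated by the SYSTEM account
Get-ShutdownEvent | Where-Object User -ne 'NT AUTHORITY\SYSTEM'
```

If the columns look shifted on a given system, compare them with the event's XML view in Event Viewer before relying on the index mapping.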
