
#PSTip Get your reboot history

Have you ever wondered how often your workstation is rebooted? Let’s ask the Windows Event Log for the times of the last five reboots. Use the Get-WinEvent cmdlet to query the System event log. The event of interest is “The Event log service was started.”, which has Id 6005. Let’s build a small XML query using a here-string:

$xml=@'
<QueryList>
<Query Id="0" Path="System">
<Select Path="System">*[System[(EventID=6005)]]</Select>
</Query>
</QueryList>
'@

PS> Get-WinEvent -FilterXml $xml -MaxEvents 5

   ProviderName: EventLog

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
10/8/2012 2:12:32 PM          6005 Information      The Event log service was started.
10/8/2012 10:52:34 AM         6005 Information      The Event log service was started.
10/8/2012 9:56:53 AM          6005 Information      The Event log service was started.
10/5/2012 11:53:52 AM         6005 Information      The Event log service was started.
10/4/2012 4:30:08 PM          6005 Information      The Event log service was started.

There is of course a 6006 event if you are more interested in shutdowns.

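Note also that the cmdlet can read event logs on remote computers, which makes it a good tool for collecting reboot statistics across machines. The -ComputerName parameter of Get-WinEvent accepts one computer name at a time, so pipe the list of names through ForEach-Object:

PS> 'Server01','Server02' | ForEach-Object { Get-WinEvent -FilterXml $xml -MaxEvents 5 -ComputerName $_ }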
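
The tip's 6005 and 6006 events can be paired to show which boots followed a clean stop of the event log service and which did not, a useful first check when reviewing unexpected restarts. The following is an added example, not code from the original article; the function name Get-RebootHistory, its parameters and its output property names are assumptions.

```powershell
# Added example: pair each boot (6005) with the event-log stop (6006) before it.
# Get-RebootHistory and its output property names are hypothetical.
function Get-RebootHistory {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )

    # One query for both IDs, same structure as the tip's filter.
    $xml = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(EventID=6005 or EventID=6006)]]</Select>
  </Query>
</QueryList>
'@

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents -ComputerName $computer -ErrorAction Stop
        }
        catch {
            Write-Warning "Cannot read System log on ${computer}: $($_.Exception.Message)"
            continue
        }

        # Get-WinEvent returns newest first; walk oldest to newest instead.
        $previous = $null
        foreach ($e in ($events | Sort-Object TimeCreated)) {
            if ($e.Id -eq 6005) {
                [pscustomobject]@{
                    Computer      = $computer
                    BootTime      = $e.TimeCreated
                    # Heuristic: a 6005 not directly preceded by a 6006 means the log
                    # service never stopped cleanly (crash, power loss). $null = unknown.
                    CleanShutdown = if ($null -eq $previous) { $null } else { $previous.Id -eq 6006 }
                    LastStopTime  = if ($previous -and $previous.Id -eq 6006) { $previous.TimeCreated }
                }
            }
            $previous = $e
        }
    }
}

Get-RebootHistory | Sort-Object BootTime -Descending | Format-Table -AutoSize
```

A $null in CleanShutdown means the preceding event fell outside the -MaxEvents window, so nothing can be concluded for that boot.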

3 Responses to "#PSTip Get your reboot history"

  1. Pasquale Lantella says:

    Alternatively, you may check for Event ID 1074, which tells us about the shutdown and reboot reason and user.

    Get-EventLog -LogName System -ComputerName PC1 |
        where {$_.EventId -eq 1074} |
        ForEach-Object {
            $rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode, Comment, Message
            if ($_.ReplacementStrings[4]) {
                $rv.Date = $_.TimeGenerated
                $rv.User = $_.ReplacementStrings[6]
                $rv.Process = $_.ReplacementStrings[0]
                $rv.Action = $_.ReplacementStrings[4]
                $rv.Reason = $_.ReplacementStrings[2]
                $rv.ReasonCode = $_.ReplacementStrings[3]
                $rv.Comment = $_.ReplacementStrings[5]
                $rv.Message = $_.Message
                $rv
            }
        } | Select-Object Date, Action, Reason, User

    output looks like this:

    Date                Action         Reason                        User
    ----                ------         ------                        ----
    15.10.2012 05:00:00 Neustart       Kein Titel für den Grund      NT-AUTORITÄTSYSTEM
    08.10.2012 05:00:00 Neustart       Kein Titel für den Grund      NT-AUTORITÄTSYSTEM
    25.10.2011 14:52:04 Ausschalten    Kein Titel für den Grund      PC1username
    22.08.2011 18:24:23 Herunterfahren Herunterfahren von Legacy-API NT-AUTORITÄTSYSTEM

  2. JakubJares says:

    I decided to go with the start event log service event, because it by default occurs on every system start. Since the operating system can halt or a power failure may occur, the 1074 may not be present in the system log, giving the false impression that nothing has happened. I have to admit the 6006 mentioned in the tip falls into the same category.

  3. Thom Schumacher says:

    Nice writeup, came in very handy.
