The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,262 other subscribers
«
»

PowerShell – query reboot/shutdown events

Posted by jpluimers on 2018/06/19

Thanks [WayBackgbabu for the below PowerShell ide

As PowerShell command:

Get-EventLog System | Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap

Based on it and my own experience, thse Event IDs can be interesting:

  • 41 – The system has rebooted without cleanly shutting down first
  • 109 – The kernel power manager has initiated a shutdown transition.
  • 1073 – The attempt by user [domain]\[username] to restart/shutdown computer [computername] failed.
  • 1074 – The process [filename].[extension] has initiated the restart of computer [computername] on behalf of user [domain]\[username\ for the
  • 1076 – ???
  • 6008 – The previous system shutdown at [time-in-local-format] on [date-in-local-format] was unexpected.

You can also run this as a batch file, but not you need to escape the pipe | into ^| like this:

PowerShell Get-EventLog System ^| Where-Object {$_.EventID -eq "1074" -or $_.EventID -eq "6008" -or $_.EventID -eq "1076"} ^| ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap

If you have PowerShell 3.0 or greater, then you can use the [Archive.is-In operator:

PowerShell Get-EventLog System ^| Where-Object {$_.EventID -in "41", "109", "1074", "6008", "1076"} ^| ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap

–jeroen

This entry was posted on 2018/06/19 at 06:00 and is filed under Batch-Files, CommandLine, Development, Power User, PowerShell, PowerShell, Scripting, Software Development, Windows. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»