
Get Reboot History Using Powershell

A while back I posted a script on how to Get System Uptime and Last Reboot Status Using Powershell, so I thought a great addition to that script would be to Get Reboot History using Powershell.

The uptime script showed you the last time a machine was booted, i.e. how long the system has been running, but what if you wanted to pull a little more information? What if you wanted to see the shutdown or reboot history and, probably more importantly, who initiated that event?

A minor incident happened the other day where person A was running a job while logged into a server, and it just so happens that person B needed to complete a series of patches on that same server. Obviously the communication could have been handled much better but, long story short, person B applied the patches and manually rebooted the server, stopping person A’s job in its tracks.

If you’re looking to use a Powershell script to get reboot history for multiple servers, I’m sure your scenario may be different from the one above. Whatever the reason is, I got you covered in this post.

Event Viewer Logs and Event ID 1074

Shortly after, I used my Google-fu and eventually came across some articles that would point me in the right direction. I was sure there would be some logs in the event viewer and sure enough, I found Event ID 1074 under the System Logs.

I have worked with scripting Event Viewer logs in the past, such as this Get Account Lock Out Source Using Powershell, so I was already familiar with how the process goes. If you’re OK with checking the Event Viewer manually from time to time, it may not be worth looking up how to do it in Powershell. For me, however, I love automating things and using Powershell everywhere I can, not to mention this would be great for the community to use as well.

Now let’s get on to the script!

Get Reboot History Using Powershell Script


Function Get-RebootHistory {
<#
.SYNOPSIS
    This will output who initiated a reboot or shutdown event.

.NOTES
    Name: Get-RebootHistory
    Author: theSysadminChannel
    Version: 1.0
    DateCreated: 2020-Aug-5

.LINK
    https://thesysadminchannel.com/get-reboot-history-using-powershell

.EXAMPLE
    Get-RebootHistory -ComputerName Server01, Server02

.EXAMPLE
    Get-RebootHistory -DaysFromToday 30 -MaxEvents 1

.PARAMETER ComputerName
    Specify a computer name you would like to check.  The default is the local computer

.PARAMETER DaysFromToday
    Specify the amount of days in the past you would like to search for

.PARAMETER MaxEvents
    Specify the number of events you would like to search for (from newest to oldest)
#>


    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $false,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true
        )]
        [string[]]  $ComputerName = $env:COMPUTERNAME,

        [int]       $DaysFromToday = 7,

        [int]       $MaxEvents = 9999
    )

    BEGIN {}

    PROCESS {
        foreach ($Computer in $ComputerName) {
            try {
                $Computer = $Computer.ToUpper()
                $EventList = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
                    Logname = 'system'
                    Id = '1074', '6008'
                    StartTime = (Get-Date).AddDays(-$DaysFromToday)
                } -MaxEvents $MaxEvents -ErrorAction Stop


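                # $Entry is used as the loop variable because $Event is a PowerShell automatic variable.
                foreach ($Entry in $EventList) {
                    # 1074: a user or process requested the shutdown/restart.
                    if ($Entry.Id -eq 1074) {
                        [PSCustomObject]@{
                            TimeStamp    = $Entry.TimeCreated
                            ComputerName = $Computer
                            UserName     = $Entry.Properties.value[6]   # 7th field: account the request ran as
                            ShutdownType = $Entry.Properties.value[4]   # 5th field: restart, power off, ...
                        }
                    }

                    # 6008: written at the next boot after an unclean shutdown, so it carries no user
                    # and TimeStamp is when the event was logged, not when the machine went down.
                    if ($Entry.Id -eq 6008) {
                        [PSCustomObject]@{
                            TimeStamp    = $Entry.TimeCreated
                            ComputerName = $Computer
                            UserName     = $null
                            ShutdownType = 'unexpected shutdown'
                        }
                    }

                }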

            } catch {
                Write-Error $_.Exception.Message

            }
        }
    }

    END {}
}


Get Reboot History Using Powershell Examples

 

So now that you have the script in hand, just copy and paste to a local file so you can start sending nice notes to people for rebooting machines.
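
The script above keeps two of the seven fields that Event ID 1074 records. The following is an added example, not part of the original script: it maps all seven fields, including the initiating process and the stated reason, and runs offline on a constructed sample record. The helper name `ConvertFrom-ShutdownEvent` and every sample value are assumptions made for illustration.

```powershell
# Field positions follow the Event ID 1074 message template:
# "The process %1 has initiated the %5 of computer %2 on behalf of user %7
#  for the following reason: %3  Reason Code: %4  Comment: %6"
function ConvertFrom-ShutdownEvent {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $InputObject
    )
    process {
        if ($InputObject.Id -ne 1074) { return }
        $p = @($InputObject.Properties | ForEach-Object { $_.Value })
        if ($p.Count -lt 7) {
            # Do not guess at fields when the record is shorter than expected.
            Write-Warning "Event at $($InputObject.TimeCreated) has $($p.Count) fields; skipped."
            return
        }
        [PSCustomObject]@{
            TimeStamp    = $InputObject.TimeCreated
            ComputerName = $p[1]
            UserName     = $p[6]
            ShutdownType = $p[4]
            Process      = $p[0]   # what issued the request (shutdown.exe, an installer, ...)
            Reason       = $p[2]
            ReasonCode   = $p[3]
            Comment      = $p[5]   # free text typed by whoever triggered it
        }
    }
}

# Constructed sample shaped like a Get-WinEvent record (not real log data).
$Fields = 'C:\Windows\system32\shutdown.exe (SERVER01)', 'SERVER01',
          'Operating System: Service pack (Planned)', '0x80020010',
          'restart', 'Monthly patching', 'CONTOSO\personB'
$Sample = [PSCustomObject]@{
    Id          = 1074
    TimeCreated = [datetime]'2020-08-05T14:32:10'
    Properties  = @($Fields | ForEach-Object { [PSCustomObject]@{ Value = $_ } })
}

$Sample | ConvertFrom-ShutdownEvent | Format-List

# Against a live log (same log and event ID the script above queries):
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents 20 |
#     ConvertFrom-ShutdownEvent
```

To call `Get-RebootHistory` itself from a saved file, dot-source the file first (`. .\Get-RebootHistory.ps1`), because the file only defines the function and running it directly produces no output.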

Anyway, I hope you enjoyed this script and can put it to use. If you liked it and want to see more, be sure to check out our own Powershell repository full of useful, real-world scripts that I’m certain you can use in your environment. While you’re at it, don’t forget to check out our YouTube page for awesome sysadmin video content.

Paul Contreras

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.

3 Comments

  1. Hi Paul,
    Can you help me understand on how to use the script properly?
    I copied it and saved to a folder as a PS1 file (Get-RebootHistory.ps1).
    Then I tried running it with this command
    ..\Get-RebootHistory.ps1 -ComputerName test-client-01 -DaysFromToday 30
    It just returned back to prompt with no value

  2. Hi Paul,

    Thank you for the article, the powershell solution is excellent, it’s been really useful.
    Would you mind pointing me in the right direction to adapt this powershell to return results for all devices called say, Laptop-****, whilst ignoring those that return ‘RPC Server Unavailable’?
    Any help would be gratefully received.
    Chris
