Analyzing System Restarts (Alternative)

by Jan 26, 2012

In a previous tip we showed how to use Get-EventLog to extract all events related to system reboots. In PowerShell v2, a new cmdlet called Get-WinEvent was added. With it, you can not only access and read the “classic” event logs but also the application event logs introduced in Windows Vista.

To illustrate this, here’s sample code that uses Get-WinEvent to extract reboot events:

Get-WinEvent -FilterHashtable @{logname='System' id=1074}  |
  ForEach-Object {
    $rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode, Comment
    $rv.Date = $_.TimeCreated
    $rv.User = $_.Properties[6].Value
    $rv.Process = $_.Properties[0].Value
    $rv.Action = $_.Properties[4].Value
    $rv.Reason = $_.Properties[2].Value
    $rv.ReasonCode = $_.Properties[3].Value
    $rv.Comment = $_.Properties[5].Value
  } | Select-Object Date, Action, Reason, User

Note that Get-WinEvent will not work with Windows XP.

Twitter This Tip!
ReTweet this Tip!