Getting Shutdown Information

by Aug 20, 2014

All PowerShell Versions

Windows logs all shutdown events in its System event log. From there, you can extract and analyze the information.

Here is a function that looks for the appropriate event log entries, reads the relevant information from the ReplacementStrings array, and returns the shutdown information as objects.

function Get-ShutdownInfo
{
  # Shutdown and restart requests are logged by source user32 with this instance ID
  Get-EventLog -LogName system -InstanceId 2147484722 -Source user32 |
  ForEach-Object {
    # Create an empty object with the properties to report
    $result = 'dummy' | Select-Object -Property ComputerName, TimeWritten, User, Reason, Action, Executable
    $result.TimeWritten = $_.TimeWritten
    $result.User = $_.ReplacementStrings[6]
    $result.Reason = $_.ReplacementStrings[2]
    $result.Action = $_.ReplacementStrings[4]
    $result.Executable = Split-Path -Path $_.ReplacementStrings[0] -Leaf
    $result.ComputerName = $_.MachineName
    # Emit the object to the pipeline
    $result
  }
}

Now it is easy to check for shutdown problems:

PS> Get-ShutdownInfo | Out-GridView
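
The same lookup with Get-WinEvent, as an added example that is not part of the original tip (Get-EventLog is not available in PowerShell 6 and later). The function name Get-ShutdownInfoEx and its -Days parameter are hypothetical, and the code assumes PowerShell 3.0 or later and that the event's Properties list carries the same values, in the same order, as ReplacementStrings.

```powershell
# Added example: reads the same User32 shutdown records with Get-WinEvent.
# Get-ShutdownInfoEx and -Days are hypothetical names, not from the original tip.
function Get-ShutdownInfoEx
{
  param
  (
    # How far back to search, in days
    [int]$Days = 30
  )

  # InstanceId 2147484722 (0x80000432) corresponds to event ID 1074.
  $filter = @{
    LogName      = 'System'
    ProviderName = 'User32'
    Id           = 1074
    StartTime    = (Get-Date).AddDays(-$Days)
  }

  # Get-WinEvent raises an error when no event matches; suppress it so the
  # function simply returns nothing in that case.
  Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Assumption: same values and order as ReplacementStrings in Get-ShutdownInfo.
    $p = $_.Properties
    [PSCustomObject]@{
      ComputerName = $_.MachineName
      TimeWritten  = $_.TimeCreated
      User         = $p[6].Value
      Reason       = $p[2].Value
      Action       = $p[4].Value
      Executable   = Split-Path -Path ([string]$p[0].Value) -Leaf
    }
  }
}

# Summarize who or what initiated shutdowns, most frequent combination first.
# An unfamiliar account or executable at the bottom of this list is worth a look.
Get-ShutdownInfoEx -Days 90 |
  Group-Object -Property User, Action, Executable |
  Sort-Object -Property Count -Descending |
  Select-Object -Property Count, Name
```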
