In the previous tip we illustrated how you can ask WMI for the last reboot time of a machine. A more robust way is to query the Windows event logs. Here is how:
# get the latest reboot event from the System event log $e = Get-EventLog System -Source Microsoft-Windows-Kernel-General -InstanceId 12 -Newest 1 # read time information from collection of event info $e.ReplacementStrings[-1] # turn info in DateTime $reboot = [DateTime]$e.ReplacementStrings[-1] $reboot "System was last rebooted: $reboot" $timespan = New-TimeSpan -Start $reboot $days = $timespan.Days "System is running for more than $days days."
Each event has a very helpful property called ReplacementStrings. This array is full of event information. You would need to determine the meaning of the array elements yourself, but once you figure that out, it is always the same for an instance ID. In the example, the last element in ReplacementStrings (index -1) is always the reboot time.
The reboot time is stored in a cryptic management format. Simply cast it to DateTime though to make it readable.
