Beta 42

PowerShell - Analysing System Restarts

To find out when a system restarted and why, use the code below to extract the relevant information from the System event log.

Get-EventLog -LogName System -ComputerName Server1 |
    Where-Object { $_.EventId -eq 1074 } |
    ForEach-Object {
        # Build an empty object with the columns we want to report
        $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode, Comment, Message
        # ReplacementStrings[4] holds the action (restart/shutdown); only emit entries that have it
        if ($_.ReplacementStrings[4]) {
            $rv.Date       = $_.TimeGenerated
            $rv.User       = $_.ReplacementStrings[6]
            $rv.Process    = $_.ReplacementStrings[0]
            $rv.Action     = $_.ReplacementStrings[4]
            $rv.Reason     = $_.ReplacementStrings[2]
            $rv.ReasonCode = $_.ReplacementStrings[3]
            $rv.Comment    = $_.ReplacementStrings[5]
            $rv.Message    = $_.Message
            $rv   # emit the populated object to the pipeline
        }
    } | Select-Object Date, Action, Reason, User

Event ID 1074 represents a restart event. Rather than extracting the relevant information from the event message text, this code uses the ReplacementStrings property, an array that holds the individual pieces of information the event was logged with. Accessing an event entry's replacement strings is much easier and more reliable than parsing the message text.

The code returns information only if the particular event entry has content in ReplacementStrings[4] (the fifth element of the array), because only then does the event entry represent a shutdown or reboot event.

Note that Get-EventLog supports the -ComputerName parameter, so if a remote system is set up for remote access and you have the appropriate privileges, you can also analyze remote systems.
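Get-EventLog exists only in Windows PowerShell 5.1; PowerShell 6 and later ship Get-WinEvent instead, where the event data is exposed through the Properties array rather than ReplacementStrings. The following is an added example, not code from the original post, that performs the same 1074 analysis with Get-WinEvent. The function name Get-RestartEvents and the host name 'Server1' are placeholders; the Properties index positions are the same as the ReplacementStrings positions used above.

```powershell
# Added example: analyse event ID 1074 with Get-WinEvent instead of Get-EventLog.
# ComputerName defaults to the local machine; pass a hostname to query a remote system
# (requires remote event log access and appropriate rights on the target).
function Get-RestartEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 50
    )

    # Filtering on log name and event ID inside the query is much faster than
    # piping every System entry through Where-Object.
    $filter = @{ LogName = 'System'; Id = 1074 }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents |
        ForEach-Object {
            # Properties is the Get-WinEvent equivalent of ReplacementStrings:
            # [0] process, [1] host, [2] reason, [3] reason code, [4] action, [5] comment, [6] user
            $p = $_.Properties
            # Guard the index range as well as the action field, so malformed entries
            # neither throw nor produce empty rows.
            if ($p.Count -ge 7 -and $p[4].Value) {
                [PSCustomObject]@{
                    Date       = $_.TimeCreated
                    Computer   = $_.MachineName
                    Action     = $p[4].Value
                    Reason     = $p[2].Value
                    ReasonCode = $p[3].Value
                    User       = $p[6].Value
                    Process    = $p[0].Value
                    Comment    = $p[5].Value
                }
            }
        }
}

# Usage: the last 50 shutdown/restart events on the local machine, newest first
Get-RestartEvents | Format-Table Date, Action, Reason, User -AutoSize

# Remote system (placeholder host name); same prerequisites as Get-EventLog -ComputerName
# Get-RestartEvents -ComputerName 'Server1' | Format-Table Date, Action, Reason, User -AutoSize
```

Because the output is a stream of objects, it is easy to review further, for example by grouping on User or Process to see which accounts and tools are initiating restarts on a server where only a change window or patching account should be doing so.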