How to find reboot information from Event Logs via Powershell

Posted in Sems by Sems on 12 April 2023

This little sniplet is very useful to get eyes on reboot data

Get-EventLog System -Newest 10000 | `
Where EventId -in 41,1074,1076,6005,6006,6008,6009,6013 | `
Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -wrap

It generates a nicely formatted table and provides the information. Here is a section of the output:

TimeGenerated EventID UserName Message 
------------- ------- -------- ------- 
4/11/2023 12:00:00 PM 6013 The system uptime is 280813 seconds. 
4/11/2023 11:59:58 AM 6013 The system uptime is 280811 seconds. 
4/10/2023 12:00:00 PM 6013 The system uptime is 194412 seconds. 
4/10/2023 11:59:58 AM 6013 The system uptime is 194410 seconds. 
4/9/2023 12:00:00 PM 6013 The system uptime is 108012 seconds. 
4/9/2023 11:59:59 AM 6013 The system uptime is 108011 seconds. 
4/8/2023 12:00:00 PM 6013 The system uptime is 21613 seconds. 
4/8/2023 11:59:58 AM 6013 The system uptime is 21611 seconds. 
4/8/2023 5:59:59 AM 6013 The system uptime is 11 seconds. 
4/8/2023 5:59:59 AM 6005 The Event log service was started. 
4/8/2023 5:59:59 AM 6009 Microsoft (R) Windows (R) 10.00. 14393 Multiprocessor Free. 
4/8/2023 5:59:23 AM 6006 The Event log service was stopped. 
4/8/2023 5:59:07 AM 1074 NT AUTHORITY\SYSTEM The process C:\windows\SysWoW64\shutdown.exe (PCNAME) has initiated the restart of computer PCNAME on behalf of user NT AUTHORITY\SYSTEM for the following reason: No 
title for this reason could be found 
Reason Code: 0x81000000 
Shutdown Type: restart 
Comment: Restarted by Windows Agent

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.