This blog post will break down the provided PowerShell code, explaining how it works to retrieve Windows Server reboot history. We'll also discuss how to interpret the results and potential enhancements.
Understanding the Code
What does the code do?
- Retrieves system event log entries related to system restarts (Event ID 1074).
- Filters events based on a specified date range (last 30 days by default).
- Extracts relevant information (time, message, reason, user) from the events.
- Exports the results to a CSV file for easy analysis.
- Breakdown of the code:
Get-WinEvent -FilterHashtable @{
logname='System'
id=1074
StartTime=(Get-Date).AddDays(-30) # Adjust as needed
} -MaxEvents 1000 | # Increase if needed
Select-Object TimeCreated,
@{Name='Message';Expression={$_.Message.Trim()}},
@{Name='Reason';Expression={$_.Properties[2].Value}},
@{Name='User';Expression={$_.Properties[6].Value}} |
Export-Csv -Path C:\Results\windowsrestart.csv -NoTypeInformation
Get-WinEvent: Retrieves events from the system event log.
- -FilterHashtable: Specifies filter criteria.
- logname='System': Looks in the System event log.
- id=1074: Filters for events with ID 1074 (system restarts).
- StartTime=(Get-Date).AddDays(-30): Sets the start time to 30 days ago. Adjust as needed.
- -MaxEvents 1000: Limits results to 1000 events. Increase if needed.
Select-Object: Selects and renames properties for output.
- TimeCreated: Keeps the original time created property.
- Message: Extracts and trims the event message.
- Reason: Extracts the reason for the restart from the event properties.
- User: Extracts the user associated with the restart from the event properties.
- Export-Csv: Exports the results to a CSV file named windowsrestart.csv.
Post a Comment