Worklet: Windows Reboot History

  • 8 October 2020

This worklet will return the recent reboot history for the machine(s) it’s run against.


As written it returns the 5 most recent reboots, but you can change that number to your liking.


It is also written with what I felt were the most important fields to see, but you can change the last Select-Object statement to include additional fields listed in the first Select-Object statement.


This worklet is designed to be run manually. If you schedule it, change the evaluation to “Exit 1”.


Evaluation:


Exit 0

Remediation:


# Event ID 1074 in the System log is written when a user or process initiates a restart or shutdown
Get-WinEvent -FilterHashtable @{logname='System'; id=1074} |
ForEach-Object {
    # Map the event's positional properties onto named fields
    $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode, Comment
    $rv.Date = $_.TimeCreated
    $rv.User = $_.Properties[6].Value
    $rv.Process = $_.Properties[0].Value
    $rv.Action = $_.Properties[4].Value
    $rv.Reason = $_.Properties[2].Value
    $rv.ReasonCode = $_.Properties[3].Value
    $rv.Comment = $_.Properties[5].Value
    $rv
} | Select-Object Date, Reason, User -First 5
# Edit above line to see additional fields from the first Select-Object statement or change the number of results returned
