Worklet: Windows Reboot History

This worklet will return the recent reboot history for the machine(s) it’s run against.

As written it returns the 5 most recent reboots, but you can change that number to your liking.

It is also written with what I felt were the most important fields to see, but you can change the last Select-Object statement to include additional fields listed in the first Select-Object statement.

This worklet is designed to be run manually. If you schedule it, change the evaluation to “Exit 1”.

Evaluation:

Exit 0

Remediation:

Get-WinEvent -FilterHashtable @{logname='System'; id=1074}  |





ForEach-Object {





    $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode, Comment


    $rv.Date = $_.TimeCreated


    $rv.User = $_.Propertiese6].Value


    $rv.Process = $_.Propertiese0].Value


    $rv.Action = $_.Propertiese4].Value


    $rv.Reason = $_.Propertiese2].Value


    $rv.ReasonCode = $_.Propertiese3].Value


    $rv.Comment = $_.Propertiese5].Value


    $rv





 } | Select-Object Date, Reason, User -First 5


 #   Edit above line to see additional fields from the first Select-Object statement or change the number of results returned

Be the first to reply!

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded