This worklet will return the recent reboot history for the machine(s) it’s run against.
As written it returns the 5 most recent reboots, but you can change that number to your liking.
It is also written with what I felt were the most important fields to see, but you can change the last Select-Object statement to include additional fields listed in the first Select-Object statement.
This worklet is designed to be run manually. If you schedule it, change the evaluation to “Exit 1”.
Evaluation:
Exit 0
Remediation:
Get-WinEvent -FilterHashtable @{logname='System'; id=1074} |
ForEach-Object {
$rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode, Comment
$rv.Date = $_.TimeCreated
$rv.User = $_.Properties[6].Value
$rv.Process = $_.Properties[0].Value
$rv.Action = $_.Properties[4].Value
$rv.Reason = $_.Properties[2].Value
$rv.ReasonCode = $_.Properties[3].Value
$rv.Comment = $_.Properties[5].Value
$rv
} | Select-Object Date, Reason, User -First 5
# Edit above line to see additional fields from the first Select-Object statement or change the number of results returned