Worklet: Windows Reboot History

This worklet will return the recent reboot history for the machine(s) it’s run against.

As written it returns the 5 most recent reboots, but you can change that number to your liking.

It is also written with what I felt were the most important fields to see, but you can change the last Select-Object statement to include additional fields listed in the first Select-Object statement.

This worklet is designed to be run manually. If you schedule it, change the evaluation to “Exit 1”.

Evaluation:

Exit 0

Remediation:

Get-WinEvent -FilterHashtable @{logname='System'; id=1074}  |

ForEach-Object {

    $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode, Comment
    $rv.Date = $_.TimeCreated
    $rv.User = $_.Properties[6].Value
    $rv.Process = $_.Properties[0].Value
    $rv.Action = $_.Properties[4].Value
    $rv.Reason = $_.Properties[2].Value
    $rv.ReasonCode = $_.Properties[3].Value
    $rv.Comment = $_.Properties[5].Value
    $rv

 } | Select-Object Date, Reason, User -First 5
 #   Edit above line to see additional fields from the first Select-Object statement or change the number of results returned