Too lazy to log on to a device and browse through the Windows Event Log to check the last Reboot or Shutdown event?

This is where mighty PowerShell comes to your help!

You can use the PowerShell command below to query the most recent Reboot or Shutdown event on a computer.

Get-EventLog -LogName System -Newest 1 -Source "USER32" | Format-List

If you know a thing or two about PowerShell, you will notice that this command can be modified to query any number of Windows Events by changing its parameters.

-LogName : Refers to the Windows Log (e.g. Application, Security, System).

-Newest : Refers to the number of latest events that the system returns.

-Source : Refers to the Event Source (e.g. User32, Service Control Manager).

You can also filter by Event ID by adding the following after the pipeline character.

| where {$_.eventID -eq <event id number>}


You can also search for a keyword in the Message field. In the example below, PowerShell returns all events in the System Event Log that have the keyword "failed" in the Message section.

Get-EventLog -LogName System -Message "*failed*" | Format-List
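
The -Source and Event ID filters described above can be combined into a small audit of who restarted a machine and why. This is an added example, not code from the original article: the function name Get-RebootHistory and its parameters are hypothetical, and it assumes Windows PowerShell 5.1 (Get-EventLog is not available in PowerShell 6 and later) and the standard layout of event 1074, whose insertion strings carry the process, reason, shutdown type, comment and user.

```powershell
# Added example, not from the original article. Function and parameter names are hypothetical.
function Get-RebootHistory {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )

    $query = @{
        LogName      = 'System'
        Source       = 'USER32', 'EventLog'        # 1074 is logged by USER32, 6008 by EventLog
        After        = (Get-Date).AddDays(-$Days)
        ComputerName = $ComputerName
    }

    Get-EventLog @query |
        Where-Object { $_.EventID -in 1074, 6008 } |
        ForEach-Object {
            if ($_.EventID -eq 1074) {
                # Planned restart or shutdown: read the fields from the insertion strings
                # (assumed order: process, computer, reason, reason code, type, comment, user).
                $r = $_.ReplacementStrings
                [pscustomobject]@{
                    Time     = $_.TimeGenerated
                    Computer = $_.MachineName
                    EventID  = $_.EventID
                    Kind     = $r[4]
                    User     = $r[6]
                    Process  = $r[0]
                    Detail   = ('{0} {1}' -f $r[2], $r[5]).Trim()
                }
            }
            else {
                # 6008: the previous shutdown was unexpected (crash, power loss, forced power-off).
                [pscustomobject]@{
                    Time     = $_.TimeGenerated
                    Computer = $_.MachineName
                    EventID  = $_.EventID
                    Kind     = 'unexpected'
                    User     = $null
                    Process  = $null
                    Detail   = $_.Message
                }
            }
        } |
        Sort-Object Time -Descending
}

Get-RebootHistory -Days 14 | Format-Table Time, Kind, User, Process, Detail -AutoSize
```

Restarts initiated by an account or process you do not recognise, or a cluster of 6008 entries, are the rows worth following up in the rest of the log.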

Note: This can even be used on the Remote Command Prompt of your RMM System, but make sure you convert the "Command" shell to "PowerShell" by typing the following:

C:\WINDOWS\system32>PowerShell

Press Enter and you are good to go!

For more information and examples, follow the latest (at the time of writing) Microsoft Documentation on PowerShell below:


-Written by: Janaka Dissanayake
