< Back
Get-SystemRestartEvent
Post
NAME Get-SystemRestartEvent
SYNOPSIS
This function returns the details for system startup and shutdown events.
SYNTAX
Get-SystemRestartEvent [[-ComputerName] <String[]>] [[-Credential] <PSCredential>] [[-StartTime] <DateTime>]
[[-EndTime] <DateTime>] [[-MaxEvents] <Int64>] [-Oldest] [-Raw] [<CommonParameters>]
DESCRIPTION
This function returns the details for system startup and shutdown events including identifying the user and
application that initiated the shutdown (if available).
PARAMETERS
-ComputerName <String[]>
Gets events from the event logs on the specified computer(s). Type the NetBIOS name, an Internet Protocol (IP)
address, or the fully qualified domain name of the computer. The default value is the local computer.
Required? false
Position? 0
Default value None
Accept pipeline input? True (ByPropertyName, ByValue)
Accept wildcard characters? false
-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default value is the current user.
Type a user name, such as User01 or Domain01\\User01. Or, enter a PSCredential object, such as one generated by
the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. If you type only the
parameter name, you will be prompted for both a user name and a password.
Required? false
Position? 1
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-EndTime <DateTime>
Specifies the end of the time period for the event log query.
Required? false
Position? 3
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-MaxEvents <Int64>
Specifies the maximum number of events this function returns. Enter an integer. The default is to return all
the events in the logs.
Required? false
Position? 4
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Oldest [<SwitchParameter>]
Returns the events in oldest-first order. By default, events are returned in newest-first order.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-StartTime <DateTime>
Specifies the beginning of the time period for the event log query.
Required? false
Position? 2
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Raw [<SwitchParameter>]
Use this switch to provide the raw event log record for the function.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.String[]
OUTPUTS
System.Object
NOTES
-------------------------- Example 1 --------------------------
PS C:\\> Get-SystemRestartEvent -MaxEvents 10 | Format-Table
ComputerName TimeCreated Id ProviderName Level Status UserName Reason
Details
------------ ----------- -- ------------ ----- ------ -------- ------
-------
WKSTN07.contoso.com 5/9/2018 1:27:51 PM 6005 EventLog Information Startup
WKSTN07.contoso.com 5/9/2018 1:27:51 PM 6009 EventLog Information System Info
WKSTN07.contoso.com 5/9/2018 1:27:51 PM 6008 EventLog Error Unexpected Shutdown
WKSTN07.contoso.com 5/7/2018 3:23:12 PM 6005 EventLog Information Startup
WKSTN07.contoso.com 5/7/2018 3:23:12 PM 6009 EventLog Information System Info
WKSTN07.contoso.com 5/7/2018 3:22:29 PM 6006 EventLog Information Shutdown
WKSTN07.contoso.com 5/7/2018 3:22:12 PM 1074 User32 Information Shutdown Initiated CONTOSO\\carrolld Other
(Unplanned) RuntimeBroker.exe
WKSTN07.contoso.com 5/3/2018 11:09:31 PM 6005 EventLog Information Startup
WKSTN07.contoso.com 5/3/2018 11:09:31 PM 6009 EventLog Information System Info
WKSTN07.contoso.com 5/3/2018 11:08:41 PM 6006 EventLog Information Shutdown
RELATED LINKS
Online Version: https://powershell.anovelidea.org/modul ... Event.html
SYNOPSIS
This function returns the details for system startup and shutdown events.
SYNTAX
Get-SystemRestartEvent [[-ComputerName] <String[]>] [[-Credential] <PSCredential>] [[-StartTime] <DateTime>]
[[-EndTime] <DateTime>] [[-MaxEvents] <Int64>] [-Oldest] [-Raw] [<CommonParameters>]
DESCRIPTION
This function returns the details for system startup and shutdown events including identifying the user and
application that initiated the shutdown (if available).
PARAMETERS
-ComputerName <String[]>
Gets events from the event logs on the specified computer(s). Type the NetBIOS name, an Internet Protocol (IP)
address, or the fully qualified domain name of the computer. The default value is the local computer.
Required? false
Position? 0
Default value None
Accept pipeline input? True (ByPropertyName, ByValue)
Accept wildcard characters? false
-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default value is the current user.
Type a user name, such as User01 or Domain01\\User01. Or, enter a PSCredential object, such as one generated by
the Get-Credential cmdlet. If you type a user name, you will be prompted for a password. If you type only the
parameter name, you will be prompted for both a user name and a password.
Required? false
Position? 1
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-EndTime <DateTime>
Specifies the end of the time period for the event log query.
Required? false
Position? 3
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-MaxEvents <Int64>
Specifies the maximum number of events this function returns. Enter an integer. The default is to return all
the events in the logs.
Required? false
Position? 4
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Oldest [<SwitchParameter>]
Returns the events in oldest-first order. By default, events are returned in newest-first order.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-StartTime <DateTime>
Specifies the beginning of the time period for the event log query.
Required? false
Position? 2
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-Raw [<SwitchParameter>]
Use this switch to provide the raw event log record for the function.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.String[]
OUTPUTS
System.Object
NOTES
-------------------------- Example 1 --------------------------
PS C:\\> Get-SystemRestartEvent -MaxEvents 10 | Format-Table
ComputerName TimeCreated Id ProviderName Level Status UserName Reason
Details
------------ ----------- -- ------------ ----- ------ -------- ------
-------
WKSTN07.contoso.com 5/9/2018 1:27:51 PM 6005 EventLog Information Startup
WKSTN07.contoso.com 5/9/2018 1:27:51 PM 6009 EventLog Information System Info
WKSTN07.contoso.com 5/9/2018 1:27:51 PM 6008 EventLog Error Unexpected Shutdown
WKSTN07.contoso.com 5/7/2018 3:23:12 PM 6005 EventLog Information Startup
WKSTN07.contoso.com 5/7/2018 3:23:12 PM 6009 EventLog Information System Info
WKSTN07.contoso.com 5/7/2018 3:22:29 PM 6006 EventLog Information Shutdown
WKSTN07.contoso.com 5/7/2018 3:22:12 PM 1074 User32 Information Shutdown Initiated CONTOSO\\carrolld Other
(Unplanned) RuntimeBroker.exe
WKSTN07.contoso.com 5/3/2018 11:09:31 PM 6005 EventLog Information Startup
WKSTN07.contoso.com 5/3/2018 11:09:31 PM 6009 EventLog Information System Info
WKSTN07.contoso.com 5/3/2018 11:08:41 PM 6006 EventLog Information Shutdown
RELATED LINKS
Online Version: https://powershell.anovelidea.org/modul ... Event.html