On Windows, every shutdown or restart is logged in the Event Viewer, so you can tell exactly what happened: whether it was a system-triggered reboot, one initiated by a user, or a restart caused by a system or application crash.
So if you want to dig into this information, all you need to do is open Event Viewer, go to System under Windows Logs, and filter on these specific event IDs:
- Event ID 41 – the computer rebooted without shutting down cleanly first.
- Event ID 1074 – a reboot or shutdown was triggered by an application, including when a user restarted or shut down the computer from the Start Menu or via Ctrl + Alt + Del.
- Event ID 1076 – records the reason the computer was shut down or restarted. It is logged by the first user with shutdown privilege who logs on after an unexpected restart.
- Event ID 6006 – the computer shut down cleanly.
- Event ID 6008 – the computer shut down abnormally or unexpectedly.
But I'm not going to lie, it's quite a bit of work to dig this information out, especially on a remote computer. This is another place where PowerShell really shines.
Get-EventLog is the cmdlet that pulls event logs not only from your local computer but also from remote computers on the same network.
To pull the System log from a remote computer called Backup:
Get-EventLog -LogName System -ComputerName Backup
The list will probably be too long, so let's only pull the entries logged after Jan 1, 2022:
Get-EventLog -LogName System -ComputerName Backup -After "2022/01/01"
Now comes the tricky part: how do I pick out these specific events by Event ID? There is no parameter to filter on EventID directly, so we pipe the result through Where-Object.
Get-EventLog -LogName System -ComputerName Backup -After "2022/01/01" | Where-Object {$_.EventID -in (1074,1076,6006,6008)}
One more thing: let's format the output a bit so the full event message is shown without being cut off.
Get-EventLog -LogName System -ComputerName Backup -After "2022/01/01" | Where-Object {$_.EventID -in (1074,1076,6006,6008)} | Format-Table TimeGenerated, EventID, Message -Wrap
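As an added example (not from the original post), here is the same query wrapped in a reusable function built on Get-WinEvent, which filters on the server side and also works in PowerShell 7, where Get-EventLog is not available; the function name, the parameter names and the reason descriptions are my own.

```powershell
# Added example: reusable shutdown/restart report for a local or remote computer.
# Get-WinEvent -FilterHashtable filters by log, ID and time on the server side,
# so only the matching records cross the network.
function Get-ShutdownEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,          # assumed parameter name
        [datetime]$After = (Get-Date).AddDays(-30),         # assumed parameter name
        [int[]]$EventId = @(41, 1074, 1076, 6006, 6008)     # the IDs from the post
    )

    # Short description per ID so the report reads at a glance
    $reason = @{
        41   = 'Rebooted without a clean shutdown'
        1074 = 'Shutdown/restart requested by a process or user'
        1076 = 'Reason supplied after an unexpected restart'
        6006 = 'Clean shutdown (event log service stopped)'
        6008 = 'Previous shutdown was unexpected'
    }

    $filter = @{ LogName = 'System'; Id = $EventId; StartTime = $After }

    # SilentlyContinue: Get-WinEvent raises an error when no events match;
    # for a report an empty result is fine.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Provider    = $_.ProviderName
                Reason      = $reason[$_.Id]
                User        = $_.UserId
                # 1074 and 1076 messages name the requesting process/user and
                # the reason; keep the first line so the table stays readable
                Message     = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Same query as the post: the Backup computer, events after Jan 1, 2022
Get-ShutdownEvent -ComputerName Backup -After '2022-01-01' | Format-Table -AutoSize -Wrap
```

Reading the System log on a remote computer with Get-WinEvent needs the same remote event log access (and firewall rule) that Get-EventLog needs.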