WMISearcher Win32_NTLogEvent return last restart

  • Question

  • gwmi win32_ntlogevent -filter "LogFile='System' and EventCode='1074' and Message like '%restart%'" -ComputerName $comp | Where {$_.ConvertToDateTime($_.TimeGenerated) -gt $lastBootUpTime}  | select User,@{n="Time";e={$_.ConvertToDateTime($_.TimeGenerated)}} -First 1

    Would like to use the following query but with WMISearcher so I can control the timeout of the query. Can anyone assist with converting this to a query string?

    Tuesday, December 2, 2014 8:41 PM

Answers

  • # The [wmisearcher] cast takes the WQL query; the remote namespace goes in Scope.Path
    $wmisearcher=[wmisearcher]"Select * from win32_ntlogevent  Where LogFile='System' and EventCode='1074' and Message like '%restart%'"
    $wmisearcher.Scope.Path="\\$computer\root\cimv2"
    $wmisearcher.Get()


    ¯\_(ツ)_/¯

    Wednesday, December 3, 2014 4:27 PM

All replies

  • Why not just


    $os = get-wmiobject Win32_OperatingSystem -computername "."
    $os.ConvertToDateTime($os.LastBootUpTime)
    


    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by Mike Laughlin Tuesday, December 2, 2014 9:40 PM
    Tuesday, December 2, 2014 9:32 PM
    Moderator
  • Just to add to Bill's post, if you're worried about offline machines you can do something like this:

    $comp = 'COMPUTERNAME'
    
    If (Test-Connection -ComputerName $comp -Count 1 -Quiet) {
    
        $os = get-wmiobject Win32_OperatingSystem -computername $comp
        $os.ConvertToDateTime($os.LastBootUpTime)
    
    }


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    • Edited by Mike Laughlin Tuesday, December 2, 2014 9:42 PM Fix code
    Tuesday, December 2, 2014 9:40 PM
  • I want to be able to run the query with a timeout so it is not hanging on an error or when it can't reach the remote server. Note the machine is not offline, just not reachable: access denied error and so forth. An example is listed below using Win32_OperatingSystem.


    Function OperatingSystem($comp){
        $NameSpace = "Root\CIMV2"
        $wmi = [WMISearcher]""
        $wmi.options.timeout = '0:0:10' #set timeout to 10 seconds
        $query = 'Select * from Win32_OperatingSystem'
        $wmi.scope.path = "\\$comp\$NameSpace"

        $wmi.query = $query
        Try{
            $wmiresult = $wmi.Get()
            foreach ($wmioutput in $wmiresult){
                $OSCaption = $wmioutput.Caption
                $OSVersion = $wmioutput.Version
                $OperatingSystem = $OSCaption + "( " + $OSVersion + " )"
                return $OperatingSystem
            }
        }
        Catch [Exception] {
            $uperr = '<font color="#FF0000"> RPC Issue : </font>'+ $_
            return $uperr
        }
    }



    Tuesday, December 2, 2014 9:41 PM
  • Here's how you could use WMISearcher to do the same thing:


    $wmiSearcher = [WMISearcher] "SELECT LastBootUpTime FROM Win32_OperatingSystem"
    $wmiSearcher.Options.Timeout = "00:00:10"
    $wmiSearcher.Scope.Path = "\\.\root\CIMV2"
    $results = $wmiSearcher.Get()
    foreach ( $result in $results ) {
      $result.ConvertToDateTime($result.LastBootUpTime)
    }
    $wmiSearcher.Dispose()
    


    -- Bill Stewart [Bill_Stewart]


    • Edited by Bill_StewartModerator Tuesday, December 2, 2014 10:20 PM
    • Proposed as answer by jrv Wednesday, December 3, 2014 1:42 AM
    Tuesday, December 2, 2014 10:16 PM
    Moderator
  • I am trying to get last rebooted by from win32_ntlogevent and not the last bootup time from Win32_OperatingSystem.
    Wednesday, December 3, 2014 3:12 PM
  • "I am trying to get last rebooted by from win32_ntlogevent and not the last bootup time from Win32_OperatingSystem."
    Why?


    ¯\_(ツ)_/¯

    Wednesday, December 3, 2014 4:14 PM
  • # The [wmisearcher] cast takes the WQL query; the remote namespace goes in Scope.Path
    $wmisearcher=[wmisearcher]"Select * from win32_ntlogevent  Where LogFile='System' and EventCode='1074' and Message like '%restart%'"
    $wmisearcher.Scope.Path="\\$computer\root\cimv2"
    $wmisearcher.Get()


    ¯\_(ツ)_/¯

    Wednesday, December 3, 2014 4:27 PM
  • Reason why: Want to know if an individual has rebooted a server outside of the window.

    Thanks for the help jrv, I am good now.

    Wednesday, December 3, 2014 7:56 PM
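
The pieces of this thread combined (the event 1074 query, the WMISearcher timeout, and the check for restarts outside a window), as an added example that is not part of the original thread. The function name, its parameters, the 01:00-05:00 window and 'SERVER01' are assumptions made for illustration, and the window is assumed not to wrap past midnight.

```powershell
# Added example. Function and parameter names are hypothetical; the
# 01:00-05:00 default maintenance window is a constructed value.
function Get-RestartOutsideWindow {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [datetime] $Since = (Get-Date).AddDays(-30),
        [int] $WindowStartHour = 1,    # window opens at 01:00
        [int] $WindowEndHour   = 5,    # window closes at 05:00
        [int] $TimeoutSeconds  = 10
    )

    # WQL compares TimeGenerated with a DMTF datetime string, so the date
    # filter is evaluated by the target instead of by Where-Object locally.
    $dmtf  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
    $query = "SELECT User, TimeGenerated FROM Win32_NTLogEvent " +
             "WHERE LogFile='System' AND EventCode='1074' " +
             "AND Message LIKE '%restart%' AND TimeGenerated >= '$dmtf'"

    $searcher = [wmisearcher]$query                      # the cast sets the query
    $searcher.Scope.Path = "\\$ComputerName\root\cimv2"  # the scope sets the target
    # For collection results this timeout applies while enumerating them.
    $searcher.Options.Timeout = [timespan]::FromSeconds($TimeoutSeconds)

    try {
        # Get() enumerates lazily, so errors can surface inside the loop.
        $restarts = foreach ($e in $searcher.Get()) {
            # Converted to the local time of the machine running this script.
            $time = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
            [pscustomobject]@{
                Computer      = $ComputerName
                User          = $e.User
                Time          = $time
                OutsideWindow = ($time.Hour -lt $WindowStartHour -or
                                 $time.Hour -ge $WindowEndHour)
            }
        }
        $restarts | Sort-Object Time -Descending
    }
    catch {
        Write-Warning "WMI query against $ComputerName failed: $($_.Exception.Message)"
    }
    finally {
        $searcher.Dispose()
    }
}

# 'SERVER01' is a placeholder computer name.
Get-RestartOutsideWindow -ComputerName 'SERVER01' | Where-Object OutsideWindow
```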