PowerShell script to get the reboot details of windows server

    Question

  • Hello Experts,

    I am in a situation where I need to get the list of AD user names who are rebooting the Windows servers. The Windows servers are getting rebooted frequently.

    I know I can use the Get-EventLog cmdlet to search the System event log and get the information, but it seems to take a lot of time for a single server.

    I am wondering, do we have some other alternative to accomplish this task? The script should list the time and the AD user account information of who initiated the reboot.

    Is it possible using WMI Query?

    Thanks,

    _Prashant_

    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, January 22, 2013 1:20 PM

Answers

  • gwmi win32_ntlogevent -filter "LogFile='System' and EventCode='1074' and Message like '%restart%'" |
        select User,@{n="Time";e={$_.ConvertToDateTime($_.TimeGenerated)}}

    Tuesday, January 22, 2013 1:52 PM

All replies

  • Nice solution. But on my servers, the only username that is displayed is "NT AUTHORITY\SYSTEM"


    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.

    Tuesday, January 22, 2013 4:52 PM
  • Assuming the User32 events contain something like this:

    "The process xxxxxxx (xxxx) has initiated the restart of computer xxxxxxxxx on behalf of user DOMAIN\USERNAME for the following reason: No title for this reason could be found"

    You can do something like this, which is quick if you use the -FilterHashtable parameter (works only on Windows 2008 and Win7):

    PS C:\> $after = (get-date).adddays(-55)
    PS C:\> Get-WinEvent -ea SilentlyContinue -ComputerName HOSTNAME -FilterHashtable @{LogName = "System"; StartTime = $after; id=1074} | %{[regex]::match($_.message, "user (\w| )+\\\w+").value}

    It gets the User32 events in the last 55 days and matches a regex pattern to the message, taking out the string "user DOMAIN\USERNAME" from the event message.



    ---
    tompa
    http://tompaps.blogspot.com

    • Proposed as answer by DTE-ITGuy Monday, April 29, 2013 3:56 PM
    Tuesday, January 22, 2013 5:16 PM
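    Building on tompa's Get-WinEvent approach, here is an added example (not code from the thread) that parses the whole 1074 message into fields and runs across several servers. It assumes Get-WinEvent is available (Windows 2008 / Win7 or later) and that the message follows the "has initiated the restart of computer X on behalf of user DOMAIN\USERNAME for the following reason: ..." layout quoted above; the regex is an assumption based on that text, and a SYSTEM user (Al Dunbar's case) is flagged so the Process column can be used to find the real cause.

```powershell
# Added example, not from the original thread. Assumes the Event ID 1074 message layout
# quoted in tompa's reply; the field pattern below is an assumption based on that text.
function Get-RebootInitiator {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 55
    )
    $after = (Get-Date).AddDays(-$Days)
    # Named groups pull the process, action, computer, user and reason out of the message text.
    $pattern = 'process (?<Process>.+?) has initiated the (?<Action>.+?) of computer (?<Computer>\S+) ' +
               'on behalf of user (?<User>[^\r\n]+?) for the following reason: (?<Reason>[^\r\n]*)'
    foreach ($server in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $server -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $after }
        } catch {
            # Get-WinEvent throws when no matching events exist or the server is unreachable.
            Write-Warning "${server}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            $m = [regex]::Match($e.Message, $pattern)
            if (-not $m.Success) { continue }   # unexpected message layout: skip rather than guess
            $user = $m.Groups['User'].Value.Trim()
            [pscustomobject]@{
                Server      = $server
                Time        = $e.TimeCreated
                Action      = $m.Groups['Action'].Value
                User        = $user
                Process     = $m.Groups['Process'].Value
                Reason      = $m.Groups['Reason'].Value.Trim()
                # NT AUTHORITY\SYSTEM usually means a service or scheduled job triggered the
                # restart, so the Process column is what identifies the cause in that case.
                Interactive = ($user -notmatch '^NT AUTHORITY\\')
            }
        }
    }
}

# Usage: Get-RebootInitiator -ComputerName SERVER01, SERVER02 -Days 30 | Sort-Object Time | Format-Table -AutoSize
```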
  • If you have Windows 2008 server you can right click on the event you want to track and select "Attach Task To This Event..." 

    In this case you would want to track Event ID 1074, Source USER32 which will contain the Domain\Username of the person who initiated the restart.

    You can either have the task directly email you, or call a PowerShell script and pass off values from the event and do something with it, as seen here: http://blogs.technet.com/b/otto/archive/2007/11/09/find-the-event-that-triggered-your-task.aspx

    --StrayMuse

    • Proposed as answer by DTE-ITGuy Monday, April 29, 2013 3:54 PM
    • Unproposed as answer by DTE-ITGuy Monday, April 29, 2013 3:54 PM
    Tuesday, January 22, 2013 10:03 PM
  • gwmi win32_ntlogevent -filter "LogFile='System' and EventCode='1074' and Message like '%restart%'" |
        select User,@{n="Time";e={$_.ConvertToDateTime($_.TimeGenerated)}}

    This seems to work. Thanks Kazun, let me do some testing and close this question.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, January 23, 2013 7:17 AM
  • Hi,

    Any update about the issue, if it was answered, please mark the helpful answers.

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    Friday, January 25, 2013 5:48 AM
    Moderator