Logs and Event Viewer

Event Log Details

Events Related to Reboot or Shutdown:

Event ID 41: The system has rebooted without cleanly shutting down first.
Event ID 1074: System has been shut down by a process/user.
Event ID 1076: The reason supplied by user X for the last unexpected shutdown of this computer.
Event ID 6005: The event log service was started (system startup).
Event ID 6006: The event log service was stopped (system shutdown).
Event ID 6008: The previous system shutdown at time on date was unexpected.
Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
Event ID 6013: The system uptime is number seconds.

PowerShell Commands

Retrieve Event Log Entries:

    Get-EventLog -ComputerName "computer" -EntryType Warning,Error -LogName System -After (Get-Date).AddDays(-1)

    Get-WinEvent -FilterHashtable @{ LogName='System'; Id=1074 } | Format-Table -Wrap

    Get-WinEvent -FilterHashtable @{ LogName='System'; Id=1074, 6005, 6006, 6008 } -MaxEvents 6 | Format-Table -Wrap

    # Event ID 6008 is written to the System log, so query System rather than Application
    Get-WinEvent -FilterHashtable @{ LogName='System'; StartTime=(Get-Date).AddDays(-10); Id=6008 }

    Get-WinEvent -LogName Application -MaxEvents 100

    Get-EventLog -LogName System -Newest 10000 | Where EventId -in 41,1074,1076,6005,6006,6008,6009,6013 | Format-Table TimeGenerated, EventId, UserName, Message -AutoSize -Wrap

Shutdown History

    Get-WinEvent -FilterHashtable @{ LogName='System'; Id=1074 } | Format-Table -Wrap

    Get-EventLog -LogName System | Where-Object {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | Format-Table TimeGenerated, EventId, Message -AutoSize -Wrap
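The shutdown and startup event IDs listed earlier can be correlated into one timeline that flags boots not preceded by a clean shutdown. The following is an added example, not part of the original page; the function name Get-RebootTimeline, its parameters and the output column names are assumptions chosen for illustration.

```powershell
# Added example: boot/shutdown timeline from the System log.
# Get-RebootTimeline, -Days and the output column names are hypothetical.
function Get-RebootTimeline {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)

    $meaning = @{
        41   = 'Rebooted without clean shutdown'
        1074 = 'Shutdown/restart requested by process or user'
        6005 = 'Event log service started (boot)'
        6006 = 'Event log service stopped (clean shutdown)'
        6008 = 'Previous shutdown was unexpected'
    }
    $filter = @{
        LogName   = 'System'
        Id        = [int[]]$meaning.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Oldest first, so each boot can be compared with the tracked event before it.
    # RecordId breaks ties between events that share a timestamp.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        Sort-Object TimeCreated, RecordId

    $previous = $null
    foreach ($e in $events) {
        $flag = ''
        # A boot (6005) is clean only if the previous tracked event was 6006.
        if ($e.Id -eq 6005 -and $previous -and $previous.Id -ne 6006) {
            $flag = 'NO CLEAN SHUTDOWN BEFORE BOOT'
        }
        if ($e.Id -in 41, 6008) { $flag = 'UNEXPECTED' }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Provider = $e.ProviderName   # confirm the ID comes from the expected source
            Meaning  = $meaning[$e.Id]
            Flag     = $flag
            Detail   = ($e.Message -split "`r?`n")[0]   # first line of the message
        }
        $previous = $e
    }
}

Get-RebootTimeline -Days 14 | Format-Table -AutoSize -Wrap
```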

Event Log from Multiple PCs

    $computers = "Server1", "Server2"
    $computers | ForEach-Object { Get-WinEvent -ComputerName $_ -FilterHashtable @{ LogName='System'; Id=1074 } -MaxEvents 2 | Format-Table -Wrap }

Other Commands

Format Disk as FAT32 (this formats volume F: and erases its contents; it does not check the existing format):

    format /fs:FAT32 F:

System Stability Metrics:

    Get-CimInstance Win32_ReliabilityStabilityMetrics | Select StartMeasurementDate, SystemStabilityIndex | Out-GridView

Login and Logoff Time

    Get-EventLog system -After (Get-Date).AddDays(-1) | Where-Object {$_.InstanceId -eq 7001}

    $today = Get-Date -Hour 0 -Minute 0
    # Sort on an explicit property; without one the order of event entries is not defined
    Get-EventLog system -After $today | Sort-Object TimeGenerated -Descending | Select-Object -First 1

Search Windows Event Log

Get-WinEvent -LogName 'Application' -MaxEvents 10

Export and Import Event Logs

    Invoke-Command -ScriptBlock {Get-EventLog system -Newest 50}

Export the System log to a file:

    wevtutil epl System "C:\TMP\EvtSystem.evtx"

The exported file can be opened with:

    Get-WinEvent -Path "C:\TMP\EvtSystem.evtx"