#powershell Get-EventLog <-> Get-WinEvent

Inspecting the Event Log (eventvwr.exe) can provide clues to the startup (Event ID 6005*) and shutdown (Event ID 6006) date/time of a Windows machine. To do this, one common approach is with Get-EventLog:

#requires -version 3.0
Get-EventLog -LogName system -ComputerName FS01 | ? EventId -eq 6006

Instead, a more efficient way without the #powershell pipeline can be achieved using Get-WinEvent:

Get-WinEvent -ComputerName FS01 -FilterHashtable @{ LogName=’system’; Id=6006 }

Look out for Event ID 6008 which records the date/time of unexpected system shutdown.

* Event ID: 12 Provider (Source): Kernel-General contains actual operating system start time.

Leave a Reply