Copy and Paste this to See Result(s):
$computername=$env:computername
$limitEventsCount=40000
$daysSearchLimit=30
function getWindowsShutdownReason{
param(
$computername=$env:computername,
$limitEventsCount=10000,
$daysSearchLimit=7
)
try{
$events = Get-WinEvent -ComputerName $computername -FilterHashtable @{
Logname = 'system'
Id = '1074', '6008'
StartTime = (Get-Date).AddDays(-$daysSearchLimit)
} -MaxEvents $limitEventsCount -ErrorAction Stop
# There are 2 types of shutdown codes (1074 = user initiated; 6008 = abrupt shutdowns)
foreach ($event in $events) {
if ($event.Id -eq 1074) {
[PSCustomObject]@{
TimeStamp = $event.TimeCreated
ComputerName = $computername
UserName = $event.Properties.value[6]
ShutdownType = $event.Properties.value[4]
}
}
if ($event.Id -eq 6008) {
[PSCustomObject]@{
TimeStamp = $event.TimeCreated
ComputerName = $computername
UserName = $null
ShutdownType = 'unexpected shutdown'
}
}
}
}catch{
write-warning $_
}
}
getWindowsShutdownReason $computername $limitEventsCount $daysSearchLimit
Categories: