Oneliner: Why did my Windows box reboot?

Ever found yourself wanting to quickly figure out why a Windows box rebooted? Just drop this beauty into PowerShell:

Get-WinEvent -LogName System -FilterXPath "*[System[(EventID=1074 or EventID=1076 or EventID=6008)]]" -MaxEvents 1 -ComputerName localhost | fl

If you want to check against a remote computer, just change out “localhost” for the computer of your choice.

tl;dr: Reading the output will make it clear what happened to the machine.

Picking apart the command

The Get-WinEvent cmdlet gets events from the Windows logs.

The -LogName System parameter tells the cmdlet to look in the System log.

The -FilterXPath "*[System[(EventID=1074 or EventID=1076 or EventID=6008)]]" parameter tells it to look specifically for events with the EventIDs 1074, 1076 and 6008. (These events will be described in more detail further down.)

The -MaxEvents 1 parameter tells Get-WinEvent to return only the most recent event of any of these three types. This works because Get-WinEvent retrieves events starting with the most recent one (unless the -Oldest parameter is used).

The -ComputerName localhost parameter is used to target the command at the local machine. This parameter is actually redundant when you’re working against the local machine, but I put it in to illustrate how one might run this against a different machine, for easy copy-pasting.

At the end, | fl makes sure the message is fully readable in all its detail. By default, table formatting is used, which truncates the Message property. fl is actually short for Format-List. I used the abbreviation so that when copy-pasting the one-liner, the -ComputerName parameter is as close as possible to the end of the line, for easy editing. 🙂

How does it work?

As described above, the oneliner looks for events 1074, 1076 and 6008 in the System log of the Windows Event Log, and shows us the most recent event it could find.

Event 1074 from User32 is logged whenever a clean shutdown of a computer is initiated.

Event 1076 from User32 is logged whenever a reason for the last dirty shutdown of a computer was provided by the administrator using the Shutdown Event Tracker. This is usually only enabled by default on Windows Server.

Event 6008 from User32 is logged whenever Windows detects that it has booted after a dirty shutdown.

Therefore, after a clean boot, the most recent event will be a 1074 event, detailing the most recent shutdown, including who or what initiated it.

After a dirty boot but before a shutdown reason has been provided through the Shutdown Event Tracker (if enabled), the most recent event will be a 6008 event, including an approximate time for the dirty shutdown.

After a dirty boot after a shutdown reason has been provided, the most recent event will be a 1076 event, showing the details provided by the administrator about the cause of the dirty shutdown. Of course, this information is only as good as the information provided to Shutdown Event Tracker, so if you fill it out with profanities, that’s what you’ll get back. 🙂

The TimeCreated field will show when the event was logged. Please note that you’ll need to interpret this field differently depending on what kind of event was logged. For 1074, it’ll be the shutdown time, for 6008 it will be the startup time, for 1076 it’ll be whenever a shutdown reason was provided.
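As an added example (not part of the original post), the function below wraps the one-liner so it labels what TimeCreated means for each of the three event IDs, handles the case where no matching event exists, and lets you pull the last few events instead of just one. Get-LastRebootReason and its parameters are names chosen for this example; running it against a remote -ComputerName assumes you can read that machine's System log.

```powershell
# Added example, not from the original post. Wraps the one-liner in a function that
# interprets the result. Assumes the target's System log is readable by the caller.
function Get-LastRebootReason {
    [CmdletBinding()]
    param(
        [string]$ComputerName = 'localhost',   # same placeholder as in the one-liner
        [int]$Last = 1                         # how many matching events to show
    )

    # Same filter as the one-liner: clean shutdown, shutdown reason, dirty boot.
    $xpath = "*[System[(EventID=1074 or EventID=1076 or EventID=6008)]]"

    # Get-WinEvent reports "no events found" as an error; silence it and check $null instead.
    $events = Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents $Last `
        -ComputerName $ComputerName -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No 1074/1076/6008 events found in the System log on $ComputerName"
        return
    }

    foreach ($e in $events) {
        # TimeCreated means something different for each event ID.
        $meaning = switch ($e.Id) {
            1074 { 'Clean shutdown/restart initiated; TimeCreated is the shutdown time' }
            1076 { 'Reason given for last dirty shutdown; TimeCreated is when it was entered' }
            6008 { 'Boot after a dirty shutdown; TimeCreated is the startup time' }
        }

        [pscustomobject]@{
            ComputerName = $ComputerName
            TimeCreated  = $e.TimeCreated
            Id           = $e.Id
            Provider     = $e.ProviderName
            Meaning      = $meaning
            # The first line of the message names who or what initiated the action.
            Summary      = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Show the three most recent shutdown-related events on the local machine.
Get-LastRebootReason -ComputerName localhost -Last 3 | Format-List
```

Raising -Last is useful when the newest event is a 1076 and you want to see the 6008 it refers to alongside it.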

So what the hell is Operating System: Recovery (Planned)?

You might get output like this:

TimeCreated : 10/13/2016 2:21:16 AM
ProviderName : User32
Id : 1074
Message : The process C:\Windows\system32\svchost.exe (DC01) has initiated the restart of computer DC01 on behalf of user NT AUTHORITY\SYSTEM for the
following reason: Operating System: Recovery (Planned)
Reason Code: 0x80020002
Shutdown Type: restart
Comment:

This likely indicates that Windows Update initiated a reboot of your server during the automatic update process. Unfortunately, Microsoft dropped the ball here. They could have used the comment field to be a little less cryptic than just using the pre-defined “Operating System: Recovery (planned)” reason, which does not quite describe the process…