See who rebooted a server

Let’s say one of the production servers got rebooted unexpectedly and you would like to find out who rebooted it and when the server got rebooted. In PowerShell, you can take a look at the event log using the PowerShell one-liner command shown below. You don’t need to write a bunch of lines in a script and then run the script. Here is how you do it.

Get-EventLog –Log System –Newest 100 | Where-Object {$_.EventID –eq '1074'} | FT MachineName, UserName, TimeGenerated -AutoSize

The above command checks the System event log and searches for Event ID 1074 and then prints the machine name, username, and time the event got generated. If you would like to save the output to a CSV file, simply use Export-CSV cmdlet as shown in the command below:

Get-EventLog –Log System –Newest 100 | Where-Object {$_.EventID –eq '1074'} | FT MachineName, UserName, TimeGenerated –AutoSize | Export-CSV C:\Temp\AllEvents.CSV -NoTypeInfo

About this post

Posted: 2021-06-09
By: dwirch
Viewed: 395 times

Comments

No comments have been added for this post.

You must be logged in to make a comment.