Monday, December 22, 2014

Powershell: How to Find Server Restarts And Who Initiated Them


An application owner recently asked when and who restarted a server.   For Windows 2008 R2 servers:

Event ID 12 - Shows the OS start time

Event ID 13 - Shows the OS Shutting down

Event ID 1074 - Shows who initiated the Shutdown.
I wanted to provide him with a list of the event times, so I dumped the results into a csv file with the following command for the relevant IDs.


get-eventlog -logname system -instanceid 13 | export-csv -path c:\temp\eventid13.csv -notypeinformation