How to Document System Events with PowerShell

Windows PowerShell is a tool that allows you to perform various tasks on your computer using commands. One helpful task is documenting system events, which can help you quickly check and verify events later.

In this article, we’ll focus on an example of how you can determine the last time your computer was restarted using a PowerShell script. However, you can also adapt the script to capture other Windows events.


Determine the last time your computer was restarted using a PowerShell script

1. Open Windows PowerShell: You can open PowerShell by typing “PowerShell” in the search bar or by pressing the Windows key + X and selecting “Windows PowerShell” from the menu.

2. Run the script: Copy and paste the following script into PowerShell and press Enter to execute it:

Get-WinEvent -LogName System | Where-Object {$_.Id -eq 6005 -or $_.Id -eq 6006 -or $_.Id -eq 6008} | Select-Object -First 1 | Format-List

This script searches the System log for specific event IDs related to system startup and shutdown. Because Get-WinEvent returns events newest first, the “Select-Object -First 1” part ensures that it only displays the most recent event, which will be the last time your computer was restarted.


3. View the result: After running the script, you should see information about the last computer restart, including the date and time.

Remember, PowerShell is a powerful tool, so be careful when running scripts and ensure you understand the commands before executing them. This script is just one example, and you can explore more possibilities to document various system events using PowerShell.

Another Method to Document system events with PowerShell

If a computer is shut down, this is entered in the Windows event log:


“The operating system shut down at system time xyz” / Event ID 13

We can use Windows PowerShell to search the event log for specific event IDs. For this, we use the cmdlet “Get-EventLog.” This command gives direct access to the various logs.

Now if I want to find out the last ten times my computer was shut down, all I have to do is issue the following command:

Get-EventLog -Newest 10 -LogName "System" -InstanceID "13"

The result is displayed in a clear table, and conclusions can be drawn immediately based on the information obtained.

When was the computer last started?

Of course, the same approach also works for system starts. In the event log, the associated event, ID 12, reads “The operating system was started at system time xyz.” In PowerShell, only the ID has to be exchanged, and we get an overview of the last system starts.

Get-EventLog -Newest 10 -LogName "System" -InstanceID "12"

The event log can be searched for any event with this command. The command can be built into automated scripts or monitoring, for example.
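
As an added example (not code from the original article), the one-line queries above can be combined into a small reporting function suitable for a scheduled task or monitoring job. The function name Get-PowerEventTimeline, the -Days parameter, the provider filter and the CSV path are assumptions made for illustration; it uses Get-WinEvent, which is available in both Windows PowerShell and PowerShell 7.

```powershell
# Added example: start/shutdown timeline built from the System log.
# Function name, parameter, labels and output path are illustrative assumptions.
function Get-PowerEventTimeline {
    [CmdletBinding()]
    param(
        [int]$Days = 30   # how far back to search
    )

    # Event IDs discussed in the article, each with a short label.
    $labels = @{
        12   = 'OS started'
        13   = 'OS shut down'
        6005 = 'Event log service started'
        6006 = 'Event log service stopped'
        6008 = 'Previous shutdown was unexpected'
    }

    $filter = @{
        LogName      = 'System'
        # Limit to the providers that write these IDs, so unrelated events
        # that reuse the same numbers are not returned.
        ProviderName = 'Microsoft-Windows-Kernel-General', 'EventLog'
        Id           = 12, 13, 6005, 6006, 6008
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; suppress it so an
    # empty result simply produces no rows.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Provider    = $_.ProviderName
                Event       = $labels[$_.Id]
                Unexpected  = ($_.Id -eq 6008)   # flag unclean shutdowns
            }
        }
}

$timeline = Get-PowerEventTimeline -Days 30
if ($timeline) {
    $timeline | Format-Table -AutoSize
    $timeline | Export-Csv -Path .\power-events.csv -NoTypeInformation
} else {
    Write-Output 'No start or shutdown events found in the selected period.'
}
```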

Rohit is a certified Microsoft Windows expert with a passion for simplifying technology. With years of hands-on experience and a knack for problem-solving, he is dedicated to helping individuals and businesses make the most of their Windows systems. Whether it's troubleshooting, optimization, or sharing expert insights,