Powershell Powershell - Show all restarts, shutdowns, sleep, etc Updated December 06 2025
Copy to Clipboard # Log Event ID's: 1074, 6006, 6008, 6005, 1001, 27, 1076, 98, 24711, 42, 107 # 6005 = system startup # 6006 = system shutdown # 1001 = BSOD details # 1074 = reason for restart/shutdown # 6008 = previous shutdown unexpected # 27 = boot type 0x0=normal, 0x1=fastStartup # 1076 = dirty shutdown / failed startup # 98 = NTFS Status # 24711 = TPM used to start computer # 42 = Sleep Start # 107 = Sleep End $HideMonitorEvents = $true try { $Computer = $env:COMPUTERNAME.ToUpper() $EventList = Get-WinEvent -ComputerName $Computer -FilterHashtable @{ Logname = 'system' Id = '27', '42', '107', '566', '1001', '1074', '1076', '6005', '6006', '6008', '24711' } -Oldest -ErrorAction Stop # used for debugging! if ( $false ){ $EventList = Get-WinEvent -ComputerName $Computer -FilterHashtable @{ Logname = 'system' Id = '6008' } -ErrorAction Stop } $ShowSeparator = $false $SkipNextShowSeparator = $false $Number27Found = $false foreach ($Event in $EventList) { $Item = @{} $Item.Show = $true $Item.ID = $Event.Id $Item.Message = $Event.Message $Item.TimeCreated = $Event.TimeCreated $Item.ProviderName = $Event.ProviderName $Item.ID = $Event.Id $Item.Type = "Other" if ($Event.Id -eq 24711 -or $Event.Id -eq 6005 -or $Event.Id -eq 6006 ){ $Item.Show = $false } if ($Event.Id -eq 1074 ){ #Shutdown or restart $Item.Type = $Event.Properties.value[4] if ( $Item.Message -match '0x80020010' -or $item.Message -match '0x80020003' ){ $Item.Message = "Windows update initiated a restart" } if ( $Item.Message -match 'StartMenuExperienceHost.exe' ){ if ( $Item.Message -match 'Shutdown Type: power off' ){ $Item.Message = "User clicked shut down on the start menu" }elseif ( $Item.Message -match 'Shutdown Type: restart' ){ $Item.Message = "User clicked restart on the start menu" } } $ShowSeparator = $true $SplitString = 'has initiated the restart of computer' if ( $Item.Message -match $SplitString ){ $Item.Message = $Item.Message.Substring(0,$Item.Message.IndexOf($SplitString) + $SplitString.Length ) } $SplitString = 'has initiated the power off of computer' if ( $Item.Message -match $SplitString ){ $Item.Message = $Item.Message.Substring(0,$Item.Message.IndexOf($SplitString) + $SplitString.Length ) } $Item.Message = $Item.Message.Replace('The process ', '') } if ($Event.Id -eq 1001 ){ #BSOD $Item.ProviderName = "BugCheck" $Item.Message = $Item.Message -replace 'The computer has rebooted from a bugcheck. The bugcheck was:' , 'BSOD' if ( $Item.Message.IndexOf('A dump was saved') -gt 0 ){ $Item.Message = $Item.Message.Substring(0,$Item.Message.IndexOf('A dump was saved') ) } } if ($Event.Id -eq 6008 ){ $Item.Type = "!!! Unexpected Shutdown" } if ($Event.Id -eq 27 ){ if ( $Number27Found ){ $ShowSeparator = $true } $Number27Found = $true $Item.ProviderName = "Boot" if ( $Item.Message -match '0x1' ){ $Item.Type = "Fast Boot" $Item.Message = "Windows started using Fast Startup" }elseif ( $Item.Message -match '0x2' ){ $Item.Type = "Hibernation" $Item.Message = "Windows resumed from Hibernation" $ShowSeparator = $true }elseif ( $Item.Message -match '0x0' ){ $Item.Type = "Normal Boot" $Item.Message = "Windows started using a Normal boot" } } if ($Event.Id -eq 42 ){ $Item.Type = "Sleep - Entering" $Item.ProviderName = "Sleep" $Item.Message = "Going to sleep" $ShowSeparator = $true } if ($Event.Id -eq 107 ){ $Item.Type = "Sleep - Exiting" $Item.ProviderName = "Sleep" $Item.Message = "Waking up from sleep" } if ($Event.Id -eq 566 ){ $Item.Type = "Power" $Item.ProviderName = "Power" #$Item.Message = "Waking up from sleep" if ( $Item.Message -match 'SessionUnlock' ){ $Item.Message = "Turning monitor Off" if ( $HideMonitorEvents ) { $Item.Show = $false } }elseif ( $Item.Message -match 'InputHid' ){ $Item.Message = "Turning monitor On" if ( $HideMonitorEvents ) { $Item.Show = $false } }elseif ( $Item.Message -match 'SxTransition' ){ $Item.Message = "Resumed from Hibernation" }elseif ( $Item.Message -match 'transitioned from 4 to 5' ){ $Item.Message = "Hibernating" $ShowSeparator = $true }else{ if ( $HideMonitorEvents ) { $Item.Show = $false } } } if ( $Item.Show ){ #If prior item was the last event in that series, show a separator now if ( $ShowSeparator ) { Write-Host "------------------------------------" $ShowSeparator = $false $Number27Found = $false } Write-Host "$($Item.TimeCreated) - $($Item.Type) [#$($Item.ID):$($Item.ProviderName)] $($Item.Message)" #$Item #Write-Host "" #Write-Host "" } } } catch { Write-Error $_.Exception.Message }
Search Keywords: startup, boot, restart, reboot, shutdown, hibernate, sleep, standby



©2024 - Some portions of this website are Copyrighted.
Your IP: 216.73.216.108     Referring URL:
Browser: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
Terms and Conditions, Privacy Policy, and Security Policy