52 lines
1.9 KiB
PowerShell
52 lines
1.9 KiB
PowerShell
function Get-RestartHistory {
|
|
<#
|
|
.SYNOPSIS
|
|
Returns an OrderedDictionary that Represents the Restart History.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param()
|
|
|
|
$logLead = (Get-LogLeadName);
|
|
$providerStopWatch = [System.Diagnostics.StopWatch]::StartNew()
|
|
|
|
$historyDictionary = New-Object System.Collections.Specialized.OrderedDictionary
|
|
$rebootHistoryDetails = New-Object System.Collections.Specialized.OrderedDictionary
|
|
|
|
try {
|
|
|
|
Write-Verbose "$logLead : [$($providerStopWatch.Elapsed)] : Getting Event Log Entries for Event ID 1074"
|
|
$dateLimit = (Get-Date) - (New-TimeSpan -Day 90)
|
|
$restartEvents = Get-WinEvent -FilterHashtable @{
|
|
LogName = 'System'
|
|
Id = 1074
|
|
StartTime = $dateLimit
|
|
}
|
|
|
|
foreach ($event in $restartEvents) {
|
|
|
|
$eventId = [string]$event.RecordId
|
|
Write-Verbose "$logLead : [$($providerStopWatch.Elapsed)] : Processing RecordId $eventId"
|
|
|
|
$rebootHistoryDetails[$eventId] = New-Object System.Collections.Specialized.OrderedDictionary
|
|
$rebootHistoryDetails[$eventId]["Date"] = $event.TimeCreated;
|
|
$rebootHistoryDetails[$eventId]["Process"] = $event.Properties[0].Value;
|
|
$rebootHistoryDetails[$eventId]["Reason"] = $event.Properties[2].Value;
|
|
$rebootHistoryDetails[$eventId]["Action"] = $event.Properties[4].Value;
|
|
$rebootHistoryDetails[$eventId]["Comment"] = $event.Properties[5].Value;
|
|
$rebootHistoryDetails[$eventId]["User"] = $event.Properties[6].Value;
|
|
$rebootHistoryDetails[$eventId]["Message"] = $event.Message;
|
|
}
|
|
}
|
|
catch {
|
|
|
|
$rebootHistoryDetails["Error"] = $_.Exception.ToString()
|
|
}
|
|
|
|
$historyDictionary.Add("RestartHistory", $rebootHistoryDetails)
|
|
|
|
Write-Verbose "$logLead : [$($providerStopWatch.Elapsed)] : Provider Complete"
|
|
$providerStopWatch.Stop()
|
|
|
|
return $historyDictionary
|
|
} |