Who Rebooted my Server

Ever wanted to know who initiated a server reboot?

The power shell one liner below will tell you. Simply change the <SERVER> portion to the name of the server you want to query and voila.

gwmi win32_ntlogevent -computername <SERVER> -filter "LogFile='System' and EventCode='1074' and Message like '%restart%'" | select User,@{n="Time";e={$_.ConvertToDateTime($_.TimeGenerated)}}

Leave a Reply