@jdhitsolutions
Created May 7, 2021 18:54

  1. jdhitsolutions created this gist May 7, 2021.
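--- a/Get-Restart.ps1
+++ b/Get-Restart.ps1
@@ -0,0 +1,83 @@
+Function Get-Restart {
+[cmdletbinding()]
+[outputtype("RestartEvent")]
+Param(
+[Parameter(Position = 0, ValueFromPipeline)]
+[ValidateNotNullOrEmpty()]
+[Alias("CN")]
+[string]$Computername = $env:COMPUTERNAME,
+[Parameter(HelpMessage = "Find restart events since this date and time.")]
+[ValidateNotNullOrEmpty()]
+[Alias("Since")]
+[datetime]$After,
+[int64]$MaxEvents,
+[PSCredential]$Credential
+)
+Begin {
+Write-Verbose "[$((Get-Date).TimeofDay) BEGIN ] Starting $($myinvocation.mycommand)"
+$filter = @{
+Logname = "System"
+ID = 1074
+}
+if ($After) {
+Write-Verbose "[$((Get-Date).TimeofDay) BEGIN ] Getting restart events after $After"
+$filter.Add("StartTime", $After)
+}
+
+$splat = @{
+ErrorAction = "Stop"
+FilterHash = $Filter
+}
+if ($MaxEvents -gt 0) {
+Write-Verbose "[$((Get-Date).TimeofDay) BEGIN ] Limiting search to $MaxEvents event(s)"
+$splat.Add("MaxEvents", $MaxEvents)
+}
+if ($Credential.UserName) {
+Write-Verbose "[$((Get-Date).TimeofDay) BEGIN ] Adding a credential for $($Credential.UserName)"
+$splat.Add("Credential", $Credential)
+}
+} #begin
+
+Process {
+Write-Verbose "[$((Get-Date).TimeofDay) PROCESS] Getting restart events on $($Computername.ToUpper())"
+$splat.Computername = $Computername
+Try {
+$entries = Get-WinEvent @splat
+}
+Catch {
+Throw $_
+}
+
+if ($entries) {
+#process entries into custom objects
+foreach ($entry in $entries) {
+#resolve the user SID
+Try {
+Write-Verbose "[$((Get-Date).TimeofDay) PROCESS] Translating $($entry.UserId)"
+$user = $entry.UserId.translate([System.Security.Principal.NTAccount]).value
+}
+Catch {
+$user = $entry.properties[-1].value
+#$entry.userid
+}
+
+[pscustomobject]@{
+PSTypeName = "RestartEvent"
+Computername = $entry.machinename.ToUpper()
+Datetime = $entry.TimeCreated
+Username = $user
+Category = $entry.properties[4].value
+Process = $entry.properties[0].value.split()[0].trim()
+}
+} #foreach item
+}
+} #process
+
+End {
+Write-Verbose "[$((Get-Date).TimeofDay) END ] Ending $($myinvocation.mycommand)"
+} #end
+
+} #close Get-Restart
+
+#add custom formatting
+Update-FormatData $PSScriptRoot\restartevent.format.ps1xml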
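Review bot: The `Catch { Throw $_ }` around `$entries = Get-WinEvent @splat` turns every per-host problem into a terminating error, so one unreachable host, one access-denied, or — because `ErrorAction = "Stop"` is in the splat — a host that simply has no 1074 events in the requested window (Get-WinEvent reports "No events were found that match the specified selection criteria" as an error) aborts the whole pipeline rather than moving on to the next `$Computername`, and the `if ($entries)` guard below is never reached with an empty result. For a sweep of restart events across many hosts, which is the usual incident-response use of this function, the better default is to report the failure with Write-Error (non-terminating, so `-ErrorAction Stop` at the call site still escalates it) and to treat the no-match case as an empty result; as far as I recall the FullyQualifiedErrorId for that case starts with `NoMatchingEventsFound`, which should be verified. Separately, `Update-FormatData $PSScriptRoot\restartevent.format.ps1xml` loads a file whose `<ScriptBlock>` elements execute in the session whenever output is displayed, so the ps1xml needs the same ACL/signing protection as the script itself; a comment saying so on that line would help. Suggested Catch block:
```powershell
Try {
    $entries = Get-WinEvent @splat
}
Catch {
    # No matching events is a normal outcome for a host, not a failure.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        Write-Verbose "[$((Get-Date).TimeofDay) PROCESS] No restart events found on $($Computername.ToUpper())"
        return
    }
    # Non-terminating so the remaining pipeline computers are still processed;
    # callers can still escalate with -ErrorAction Stop.
    Write-Error -ErrorRecord $_
    return
}
# … unchanged: per-entry SID translation and RestartEvent object creation …
```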
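--- a/restartevent.format.ps1xml
+++ b/restartevent.format.ps1xml
@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Format type data generated 05/06/2021 17:33:49 by PROSPERO\Jeff
+This file was created using the New-PSFormatXML command that is part
+of the PSScriptTools module.
+https://github.com/jdhitsolutions/PSScriptTools
+-->
+<Configuration>
+<ViewDefinitions>
+<View>
+<!--Created 05/06/2021 17:33:49 by PROSPERO\Jeff-->
+<Name>default</Name>
+<ViewSelectedBy>
+<TypeName>RestartEvent</TypeName>
+</ViewSelectedBy>
+<GroupBy>
+<PropertyName>Computername</PropertyName>
+<Label>Computername</Label>
+</GroupBy>
+<TableControl>
+<!--Delete the AutoSize node if you want to use the defined widths.
+<AutoSize />-->
+<TableHeaders>
+<TableColumnHeader>
+<Label>When</Label>
+<Width>24</Width>
+<Alignment>left</Alignment>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>Username</Label>
+<Width>30</Width>
+<Alignment>left</Alignment>
+</TableColumnHeader>
+<TableColumnHeader>
+<!-- The width must be wide enough to accomodate the ANSI escape sequences-->
+<Label>Category</Label>
+<Width>15</Width>
+<Alignment>left</Alignment>
+</TableColumnHeader>
+<TableColumnHeader>
+<Label>Process</Label>
+<Alignment>left</Alignment>
+</TableColumnHeader>
+</TableHeaders>
+<TableRowEntries>
+<TableRowEntry>
+<TableColumnItems>
+<TableColumnItem>
+<PropertyName>Datetime</PropertyName>
+</TableColumnItem>
+<TableColumnItem>
+<ScriptBlock>
+if ($host.name -match 'Console|Code' -AND $_.Username -match " ") {
+"$([char]27)[38;5;207m$($_.Username)$([char]27)[0m"
+}
+else {
+$_.Username
+}
+</ScriptBlock>
+</TableColumnItem>
+<TableColumnItem>
+<ScriptBlock>
+<!-- colorize the category using ANSI-->
+if ($host.name -match 'Console|Code') {
+Switch ($_.Category) {
+"power off" { $ansi = "[38;5;200m"}
+"restart" { $ansi = "[92m"}
+"shutdown" { $ansi = "[38;5;214m" }
+default { $ansi = "[37m"}
+}
+"$([char]27)$Ansi$($_.category)$([char]27)[0m"
+}
+else {
+$_.Category
+}
+</ScriptBlock>
+</TableColumnItem>
+<TableColumnItem>
+<PropertyName>Process</PropertyName>
+</TableColumnItem>
+</TableColumnItems>
+</TableRowEntry>
+</TableRowEntries>
+</TableControl>
+</View>
+</ViewDefinitions>
+</Configuration>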
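Review bot: The header comment only records that New-PSFormatXML generated the file, but the two `<ScriptBlock>` elements in the Username and Category columns are code that runs in the caller's session every time a RestartEvent is rendered, and Get-Restart.ps1 loads this file unconditionally from `$PSScriptRoot` via Update-FormatData, so anyone who can modify the ps1xml can run code as the user displaying restart events. Add that to the header so the file is deployed and protected like the script: `<!-- NOTE: the ScriptBlock elements below execute in the caller's session whenever a RestartEvent is formatted; treat this file as code and sign/ACL it together with Get-Restart.ps1 -->`. The highlight condition `$_.Username -match " "` in the Username ScriptBlock is also undocumented — presumably it is meant to flag built-in principals such as NT AUTHORITY\SYSTEM, whose names contain a space, rather than anything about the SID-translation fallback, but that is a guess; a one-line comment stating the intent, e.g. `<!-- highlight principals whose name contains a space (built-in/service accounts) -->`, would stop the next reader from having to guess.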