Category filter
Script to fetch event logs of shutdown events on Windows devices
Event logs for shutdown events can be used to troubleshoot unexpected shutdowns or system crashes which may lead to the loss of unsaved data. These event logs give an insight into various parameters such as the time of shutdown, who initiated the shutdown, the instance ID, etc. Therefore, it can be used to monitor if any unexpected shutdowns have occurred. Hexnode offers you a feature where you can easily fetch the shutdown event logs remotely by executing a custom script.
The sample scripts provided below are adapted from third-party open-source sites.
Batch script
Display all shutdown event logs
This script displays all the shutdown events pertaining to the event ID: 1074. All shutdown or restart events initiated by the user or by an application are logged under the event ID:1074.
|
1 2 3 4 5 6 7 8 9 10 11 |
@echo off setlocal set eventid=1074 echo Fetching shutdown event logs... wevtutil qe System /rd:true /f:text /q:"*[System[(EventID=%eventid%)]]" | findstr /i "event user" echo Done. |
PowerShell script
Using Get-EventLog cmdlet to retrieve shutdown logs
From Windows XP and Windows 2003, Windows has introduced the Shutdown Event Tracker which is a feature that you can use to consistently track the reason for system shutdowns. Using the Get-EventLog cmdlet, you can retrieve the recorded shutdown events and the reason behind them from the event log.
|
1 |
Get-EventLog -LogName system -Source user32 |
The user32 is a .dll file that stores all the shutdown event logs. It is from here all the event logs are fetched when requested.
The output shows you all the event logs of the most recent shutdowns, containing the details such as Index number, Time, Entry type, Source, Instance ID, and Message.
Group all shutdown event logs by their event ID
In Windows Event Log, an event ID is a numerical identifier that uniquely identifies a particular event that occurred in the system or application. Event IDs are used to classify and categorize events in the event log, and they provide information about the type of event, its severity, and its source. There are some standard event IDs defined by Windows for common events such as system startup, shutdown, and authentication failures. Now to group all shutdown event logs according to their event ID, use the following code:
|
1 |
Get-EventLog -LogName system -Source user32 | group EventID |
The output displays all the shutdown event logs grouped according to their event ID.
Display all properties of an instance belonging to a shutdown event ID
|
1 |
Get-EventLog -LogName system -Source user32 -Newest 1 | fl * |
The output displays the different parameters of an instance belonging to a shutdown event ID such as the machine name, the time the event was generated, the username, the message, the instance ID, etc. You can get any number of the latest instances belonging to a particular shutdown event ID by changing the value next to the ‘Newest’ parameter. For example, if you want to display the properties of the three latest instances belonging to a shutdown event ID:
|
1 |
Get-EventLog -LogName system -Source user32 -Newest 3 | fl * |
Sort shutdown event logs
Sort the different properties of a shutdown event log according to your needs. For example, if you only want to display the time generated and the message of the shutdown event logs and want to sort it according to the message, execute this script:
|
1 |
Get-EventLog -LogName system -Source user32 | Select TimeGenerated, Message | sort message |
- It is recommended to manually validate the script execution on a system before executing the action in bulk.
- Hexnode will not be responsible for any damage/loss to the system on the behavior of the script.
