Functions/Get-OsStartupsAndShutdowns.ps1
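function Get-OsStartupsAndShutdowns {
    <#
    .SYNOPSIS
    Lists operating-system startups and shutdowns from the System event log for the last 10 days.

    .DESCRIPTION
    Reads the System log starting at midnight ten days ago and keeps event IDs 12
    (reported as "Startup") and 13 (reported as "Shutdown") written by the
    Microsoft-Windows-Kernel-General provider. Events are emitted in the order
    Get-WinEvent returns them, and a row of dashes is inserted before the first
    event of each calendar date so the days are visually separated.

    .OUTPUTS
    PSCustomObject with the string properties Event, Date and Time.
    Nothing is returned when no matching events exist in the window.

    .NOTES
    IDs 12 and 13 are not unique inside the System log; other providers reuse them.
    Matching on the provider name keeps unrelated records from being labelled as a
    startup or shutdown, and replaces the earlier message-text exclusion
    ("Credential"), which depended on the display language of the host.

    Only cleanly logged transitions appear here. A crash or power loss writes no
    event 13, so a Startup without a preceding Shutdown should be checked against
    event 6008 (EventLog) or 41 (Microsoft-Windows-Kernel-Power). The timeline is
    also only as complete as the log itself: retention limits or a cleared System
    log (event 104) shorten it.

    .EXAMPLE
    Get-OsStartupsAndShutdowns | Format-Table -AutoSize
    #>
    [CmdletBinding()]
    param ( )

    $filter = @{
        LogName   = 'System'
        StartTime = (Get-Date).AddDays(-10).Date
    }

    # The Id/provider test stays in Where-Object on purpose: Get-WinEvent reports an
    # error when a filter hashtable matches nothing, which would turn "no reboot in
    # the last ten days" into an error instead of an empty result.
    $bootProvider = 'Microsoft-Windows-Kernel-General'
    $events = @(
        Get-WinEvent -FilterHashtable $filter |
            Where-Object {
                ($_.Id -eq 12 -or $_.Id -eq 13) -and $_.ProviderName -eq $bootProvider
            }
    )

    # Related query kept from the original notes (not used by this function):
    # interactive logons (logon type 2) from the Security log.
    # Get-WinEvent -FilterHashtable @{logname = 'security'; id = 4624; starttime = (Get-Date).date } | Where-Object { $_.properties[8].value -eq 2 }

    # Initialised explicitly so a same-named variable in a calling scope cannot
    # suppress the first separator row.
    $previousEventDate = $null

    # A foreach statement does not run for an empty collection, so an empty window
    # yields no output rather than a separator followed by a blank row.
    $returnEvents = foreach ($logEvent in $events) {
        $eventType = if ($logEvent.Id -eq 12) { 'Startup' } else { 'Shutdown' }

        # -replace converts the DateTime to text first; stripping the midnight
        # time leaves only the date portion.
        # NOTE(review): TimeCreated is presumably local time on the querying host;
        # confirm before correlating with UTC sources.
        $eventDate = ($logEvent.TimeCreated).Date -replace " 00:00:00"

        if ($eventDate -ne $previousEventDate) {
            [PSCustomObject]@{
                Event = "------------"
                Date  = "------------"
                Time  = "------------"
            }
        }

        [PSCustomObject]@{
            Event = $eventType
            Date  = $eventDate
            # Keep hh:mm:ss and drop the fractional seconds after the dot.
            Time  = $(($logEvent.TimeCreated).TimeOfDay -split "\.")[0]
        }

        $previousEventDate = $eventDate
    }

    return $returnEvents
}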