Functions/Get-SdtRebootHistory.ps1

Function Get-SdtRebootHistory { 
    <#
        .SYNOPSIS
            Retrieves historical information about shutdown/restart events from one or more remote computers.
     
        .DESCRIPTION
            The Get-SdtRebootHistory function uses Windows Management Instrumentation (WMI) to retrieve information about all shutdown events from a remote computer.
             
            Using this function, you can analyze shutdown events across a large number of computers to determine how frequently shutdown/restarts are occurring, whether unexpected shutdowns are occurring and quickly identify the source of the last clean shutdown/restart.
             
            Data returned includes date/time information for all available boot history events (e.g. restarts, shutdowns, unexpected shutdowns, etc.), date/time information for unexpected reboots and detailed information about the last clean shutdown including date/time, type, initiating user, initiating process and reason.
             
            Because Get-SdtRebootHistory uses WMI to obtain shutdown event history from the system event log, it is fully supported against both legacy and current versions of Windows including legacy versions that do not support filtering of event logs through standard methods.
         
        .PARAMETER ComputerName
            Accepts a single computer name or an array of computer names separated by commas (e.g. "prod-web01","prod-web02").
 
            This is an optional parameter, the default value is the local computer ($Env:ComputerName).
         
        .PARAMETER Credential
            Accepts a standard credential object.
             
            This is an optional parameter and is only necessary when the running user does not have access to the remote computer(s).
 
        .EXAMPLE
            .\Get-SdtRebootHistory -ComputerName prod-web01,prod-web02 -Credential (Get-Credential)
         
            Get boot history for multiple remote computers with alternate credentials.
         
        .EXAMPLE
            .\Get-SdtRebootHistory -ComputerName prod-web01,prod-web02 -Credential (Get-Credential) | ? { $_.PercentDirty -ge 30 }
         
            Get a list of computers experiencing a high percentage of unexpected shutdown events.
         
        .EXAMPLE
            .\Get-SdtRebootHistory -ComputerName prod-web01,prod-web02 -Credential (Get-Credential) | ? { $_.RecentShutdowns -ge 3 }
         
            Return information about servers that have been experiencing frequent shutdown/reboot events over the last 30 days.
         
        .OUTPUTS
            System.Management.Automation.PSCustomObject
             
            Return object includes the following properties:
             
                Computer
                BootHistory : Array of System.DateTime objects for all recorded instances of the system booting (clean or otherwise).
                RecentShutdowns : The number of shutdown/restart events in the last 30 days.
                UnexpectedShutdowns : Array of System.DateTime objects for all recorded unexpected shutdown events.
                RecentUnexpected : The number of unexpected shutdown events in the last 30 days.
                PercentDirty : The percentage of shutdown events that were unexpected (UnexpectedShutdowns/BootHistory).
                LastShutdown : System.DateTime object of the last clean shutdown event.
                LastShutdownType : Type of the last clean shutdown event (Restart | Shutdown).
                LastShutdownUser : The user who initiated the last clean shutdown event.
                LastShutdownProcess : The process that initiated the last clean shutdown event.
                LastShutdownReason : If available, the reason code and comments for the last clean shutdown event.
                 
        .NOTES
            Author : Eric Westfall
            Email : eawestfall@gmail.com
            Script Version : 1.1
            Revision Date : 11/26/2014
    #>

    
    Param (
        [Parameter(Mandatory = $False, Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
        [Alias("CN","Computer")]
        [Array]$ComputerName = $Env:ComputerName,

        [Parameter(Mandatory = $False, Position = 1, ValueFromPipeline = $False)]
        [Alias("Cred")]
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]$Credential = [System.Management.Automation.PSCredential]::Empty
    )
    
    Begin {
        $i = 0
        $RecentShutdowns = 0
        $RecentUnexpected = 0
        
        $BootHistory = @()
        $ShutdownDetail = @()
        $UnexpectedShutdowns = @() 
        
        # Store original credential, if we attempt to make a local connection we need to
        # temporarily empty out the credential object.
        $Original_Credential = $Credential
        
        # Select properties defined to ensure proper display order.
        $BootInformation = @(
            "Computer"
            "BootHistory"
            "RecentShutdowns"
            "UnexpectedShutdowns"
            "RecentUnexpected"
            "PercentDirty"
            "LastShutdown"
            "LastShutdownType"
            "LastShutdownUser"
            "LastShutdownProcess"
            "LastShutdownReason"
        )
        
        # Arguments to be passed to our WMI call.
        $Params = @{
            ErrorAction        = 'Stop'
            ComputerName    = $Computer
            Credential        = $Credential
            Class            = 'Win32_NTLogEvent'
            Filter            = "LogFile = 'System' and EventCode = 6009 or EventCode = 6008 or EventCode = 1074"
        }
    }

    Process {
        ForEach ($Computer In $ComputerName) {
            $Params.ComputerName = $Computer
            
            # You can't use credentials when connecting to the local machine so temporarily empty out the credential object.
            If ($Computer -eq $Env:ComputerName) { 
                $Params.Credential = [System.Management.Automation.PSCredential]::Empty
            }
            
            If ($ComputerName.Count -gt 1) { 
                Write-Progress -Id 1 -Activity "Retrieving boot history." -Status ("Percent Complete: {0:N0}" -f $($i / $($ComputerName.Count)*100)) -PercentComplete (($i / $ComputerName.Count)*100); $i++
            } Else { 
                Write-Progress -Id 1 -Activity "Retrieving boot history." -Status "Retrieving boot history."
            }

            Try { 
                $d = 0
                $Events = Get-WmiObject @Params
                
                ForEach ($Event In $Events) { 
                    Write-Progress -Id 2 -ParentId 1 -Activity "Processing reboot history." -PercentComplete (($d / $Events.Count)*100) -Status "Processing reboot history."; $d++
                    
                    # Record the relevant details for the shutdown event.
                    Switch ($Event.EventCode) { 
                        6009 { $BootHistory += (Get-Date(([WMI]'').ConvertToDateTime($Event.TimeGenerated)) -Format g) }
                        6008 { $UnexpectedShutdowns += ('{0} {1}' -f ($Event.InsertionStrings[1], $Event.InsertionStrings[0])) }
                        1074 { $ShutdownDetail += $Event }
                    }
                }
                
                # We explicitly ignore exceptions originating from this process since some versions of Windows may store dates in invalid formats (e.g. ?11/?16/?2014) in the event log after an unexpected shutdown causing this calculation to fail.
                Try { 
                    $RecentUnexpected = ($UnexpectedShutdowns | ? { ((Get-Date)-(Get-Date $_)).TotalDays -le 30 }).Count
                } Catch { 
                    $RecentUnexpected = "Unable to calculate."
                } 
                
                # Grab details about the last clean shutdown and generate our return object.
                $ShutdownDetail | Select -First 1 | ForEach-Object { 
                    New-Object -TypeName PSObject -Property @{
                        Computer = $Computer
                        BootHistory = $BootHistory 
                        RecentUnexpected = $RecentUnexpected
                        LastShutdownUser = $_.InsertionStrings[6]
                        UnexpectedShutdowns = $UnexpectedShutdowns
                        LastShutdownProcess = $_.InsertionStrings[0]
                        PercentDirty = '{0:P0}' -f (($UnexpectedShutdowns.Count/$BootHistory.Count))
                        LastShutdownType = (Get-Culture).TextInfo.ToTitleCase($_.InsertionStrings[4])
                        LastShutdown = (Get-Date(([WMI]'').ConvertToDateTime($_.TimeGenerated)) -Format g)
                        RecentShutdowns = ($BootHistory | ? { ((Get-Date)-(Get-Date $_)).TotalDays -le 30 }).Count
                        LastShutdownReason = 'Reason Code: {0}, Reason: {1}' -f ($_.InsertionStrings[3], $_.InsertionStrings[2])
                    } | Select $BootInformation    
                }            
            } Catch [System.Exception] { 
                # We explicitly ignore exceptions originating from Get-Date since some versions of Windows may store dates in invalid formats in the event log after an unexpected shutdown.
                If ($_.CategoryInfo.Activity -ne 'Get-Date') { 
                    Write-Warning ("Unable to retrieve boot history for {0}. `nError Details: {1}" -f ($Computer, $_))
                }
            }
            
            # Reset credential object since we may have temporarily overwrote it to deal with local connections.
            $Params.Credential = $Original_Credential
        }
    }
}