PowerShell script reboot check

Today, I received a mail notification that a given server is not available anymore. The error was sent around 6:10 in the morning. The server is a management server not managed by our team.

To reduce the time needed to find out whether the reboot was caused by Windows updates (which was the reason in the past), I quickly wrote a little PowerShell script to determine the cause.

PS C:\Users\rur> Get-EventLog -LogName System -after (get-date).addhours(-48) | where {($_.EventId -eq 1074) -or ($_.EventId -eq 22)} | select TimeGenerated,EventId,Message | format-table -wrap -autosize


This gave me the following results:

  • 8/19/2013 6:04:14 AM 22 Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes:
    • Security Update for Windows Server 2008 R2 x64 Edition (KB2859537)
    • Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 R2 x64 Edition (KB2862772)
    • Security Update for Windows Server 2008 R2 x64 Edition (KB2868623)
    • Security Update for Windows Server 2008 R2 x64 Edition (KB2849470)
  • 8/19/2013 6:04:14 AM 1074 The process C:\Windows\system32\svchost.exe (Anonymous) has initiated the restart of computer Anonymous on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Recovery (Planned)
    Reason Code: 0x80020002
    Shutdown Type: restart
    Comment:

 

Event ID 1074 announces a clean restart.

I found out that event ID 22 is used for Windows Updates. It also comes in handy for seeing which updates were installed during the update session.
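
The same check as a reusable function, as an added example that is not part of the original post: it uses Get-WinEvent (Get-EventLog exists only in Windows PowerShell), pairs each event 1074 restart with a preceding event 22, and reports the initiating process, the user and the KB numbers. The function name Get-RebootCause, its parameters and the 30-minute correlation window are assumptions made for illustration.

```powershell
# Added example. Providers matched below: User32 logs 1074, WindowsUpdateClient logs 22.
function Get-RebootCause {
    param(
        [int]$Hours = 48,
        [int]$WindowMinutes = 30,  # assumed look-back from a restart to its event 22
        [object[]]$Events          # optional pre-collected events (offline analysis)
    )
    if (-not $Events) {
        $filter = @{ LogName = 'System'; Id = 1074, 22
                     StartTime = (Get-Date).AddHours(-$Hours) }
        # Get-WinEvent raises an error when nothing matches, so silence that case.
        $Events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
    # Event IDs are unique only per provider, so match the provider as well.
    $restarts = $Events | Where-Object { $_.Id -eq 1074 -and $_.ProviderName -eq 'User32' }
    $pending  = $Events | Where-Object {
        $_.Id -eq 22 -and $_.ProviderName -like '*WindowsUpdateClient' }

    foreach ($r in ($restarts | Sort-Object TimeCreated)) {
        # Latest "restart required" event within the window before this restart.
        $update = $pending | Where-Object {
            $_.TimeCreated -le $r.TimeCreated -and
            $_.TimeCreated -ge $r.TimeCreated.AddMinutes(-$WindowMinutes)
        } | Sort-Object TimeCreated | Select-Object -Last 1

        # Message parsing assumes English event text, as in the output above.
        $process = if ($r.Message -match 'The process (.+?) \(') { $Matches[1] }
        $user    = if ($r.Message -match 'on behalf of user (.+?) for the following') { $Matches[1] }
        $kbs     = if ($update) { [regex]::Matches($update.Message, 'KB\d+') | ForEach-Object Value }

        [pscustomobject]@{
            RestartTime = $r.TimeCreated
            Process     = $process
            User        = $user
            Cause       = if ($update) { 'Windows Update' } else { 'Other' }
            Updates     = $kbs -join ', '
        }
    }
}

# Constructed sample events, shaped like the two entries shown above.
$t = [datetime]'2013-08-19T06:04:14'
$sample = @(
    [pscustomobject]@{ Id = 22; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'; TimeCreated = $t
        Message = 'Restart Required: ... (KB2859537) ... (KB2862772)' }
    [pscustomobject]@{ Id = 1074; ProviderName = 'User32'; TimeCreated = $t
        Message = 'The process C:\Windows\system32\svchost.exe (Anonymous) has initiated the restart of computer Anonymous on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Recovery (Planned)' }
)
Get-RebootCause -Events $sample | Format-List
```

Called without -Events, the function reads the local System log for the last 48 hours; a restart reported with Cause "Other" is one to review by its Process and User fields.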
