PowerShell Script – Windows Last Shutdown





In my previous post, I showed you how to enumerate shutdown reasons on a Windows Server computer using PowerShell. But that script enumerated only the reasons entered via the Shutdown Event Tracker. This will not tell you when the system went off, but only approximately when a user manually entered the reason for the last shutdown.
Frequently, we are required to find out when a system went down. Thankfully, since the days of Windows Server 2000, the OS has written different kinds of timestamps to the EventLog and Registry databases to help us. Until Windows Server 2008, we had a handy Registry key called “LastAliveStamp” that used to hold the timestamp value. Now it not only contains a raw binary (REG_BINARY) value, but is also recreated at every reboot, making it completely useless to query. The EventLog method, however, is quite reliable, as the system writes an event there PRIOR to resetting the Registry value, and also records the date/time value in a form that is both human-readable and machine-queryable. The log entry looks like this:
The primary things to note are highlighted in yellow: the entry is written to the System log with an event ID of 6008, and it is logged as an “Error”. This makes it easy for us to query for it from PowerShell:
PS> Get-EventLog -LogName System -Source "EventLog" -EntryType Error | Where {$_.EventID -eq 6008}
When you run that, you will get output with the entries that record the last time the system was shut down.
The timestamp of the log entry itself will be from the time the system was booting up after shutdown, so ignore that. For example, in the above screenshot, the event’s timestamp is “6/4/2015 10:21:39 AM”, but the time the system was shut off was “6/4/2015 6:54:02 AM” (approx 3 and a half hours before the timestamp of the event) as evidenced from the screenshot of the result of the query I ran. I know in my case this is correct as the environment of the system experienced an approximately 4 hour external power outage.
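Because the shutdown time is carried in the event's message rather than in its timestamp, here is an added example (not from the original post) that reads the time and date from each 6008 entry's insertion strings and computes the gap to the event's own timestamp. The function name Get-UnexpectedShutdown and its -Culture parameter are hypothetical, the sample entry is constructed from the two timestamps quoted above, and the code assumes the strings are in the regional format of the session reading them.

```powershell
# Added example. Get-UnexpectedShutdown is a hypothetical helper name.
function Get-UnexpectedShutdown {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Entry,                                   # EventLogEntry or look-alike
        [cultureinfo]$Culture = [cultureinfo]::CurrentCulture
    )
    process {
        # Event 6008 insertion strings: [0] = shutdown time, [1] = shutdown date.
        # Strip invisible left-to-right/right-to-left marks that can be
        # embedded in the date and make DateTime parsing fail.
        $time = $Entry.ReplacementStrings[0] -replace '[\u200E\u200F]', ''
        $date = $Entry.ReplacementStrings[1] -replace '[\u200E\u200F]', ''

        $down   = [datetime]::MinValue
        $styles = [System.Globalization.DateTimeStyles]::None
        $parsed = [datetime]::TryParse("$date $time", $Culture, $styles, [ref]$down)

        if ($parsed) {
            [pscustomobject]@{
                ShutdownTime = $down
                EventLogged  = $Entry.TimeGenerated
                Downtime     = $Entry.TimeGenerated - $down
                RawValue     = "$date $time"
            }
        } else {
            # Keep the raw text for manual review instead of guessing a date.
            [pscustomobject]@{
                ShutdownTime = $null
                EventLogged  = $Entry.TimeGenerated
                Downtime     = $null
                RawValue     = "$date $time"
            }
        }
    }
}

# Constructed sample entry using the two timestamps quoted in the post,
# with U+200E marks inserted into the date on purpose.
$lrm    = [char]0x200E
$sample = [pscustomobject]@{
    TimeGenerated      = [datetime]'2015-06-04T10:21:39'
    ReplacementStrings = @('6:54:02 AM', "${lrm}6/${lrm}4/${lrm}2015")
}
$sample | Get-UnexpectedShutdown -Culture 'en-US'

# On a live system, feed it the query from the post:
# Get-EventLog -LogName System -Source "EventLog" -EntryType Error |
#     Where {$_.EventID -eq 6008} | Get-UnexpectedShutdown
```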