Find Windows Shutdown Crash Events using PowerShell

Sometimes it's a real pain to find Windows shutdown or crash events when your clients ask about the reason for downtime. All you can do is go through the different system events logged in the Event Viewer. I have seen that some admins, apparently lazy freaks, have the tendency NOT TO check the exact reason for the downtime. I've got a chance to work in a Microsoft Hyper-V environment and I usually get cases where customers complain about downtime with their VMs. This can be due to many reasons: a power failure, a hardware problem, or some overly inquisitive eggheads doing crazy stuff.

When the machine is back online, some curious customers ask for the reason for the downtime. It is very common to expect such questions from them. Yes, most hosting providers guarantee 99% uptime. If we cannot promise this, then that's a big concern.

Well, I'm not here to solve such a big concern but to give you a better way to track system shutdown and crash events with the help of a PowerShell script. Let me tell you that it's not a big deal, but I hope it will be of help at least for some lazy-smart techs who hate to touch the Event Viewer 😉

So first, let's recall some basic things about the Event Viewer. This is an inbuilt tool that ships with the Windows OS and is used to log different events.

Each event has parameters like Event ID and Event Source:

Event ID – The identification number assigned to the event.
Source – The software that logged the event, which can be either a program name or a system component.

With the help of the filter option, we can extract particular events, for instance system shutdown related events. In Linux, we can use the awesome “grep” command to extract log message entries. That is simple and of course takes less effort due to its simplicity. In Windows, admins have to go through different filter options to extract the logged events. That's the way Windows logs events, and I don't know of a command similar to grep in Windows unless you use something like wingrep and search for the entry stored in the corresponding back-end file of the Event Viewer. Anyway, that's a custom way and I believe it's not possible by default. Please bear with me if I'm wrong.

I personally feel that gathering the relevant entries from the Event Viewer is a tedious task compared with “grepping in Linux”. So we people obviously think and wish for an easy way to do this. I came across such a situation where I had to repeatedly go through the Event Viewer to find the reason for shutdown events. This lit a lamp in my mind and triggered a challenge to find an easy way to perform this task. I knew that filtering on a few event IDs would always give me the result, so I thought of a program which could extract the events and display the result for me. I went through different online forums and links and at last found the “Microsoft Scripting Guy blog”. The blog is full of great articles and helped me realize that my requirement could be achieved using PowerShell. Of course there are other ways, but I saw it as a chance to learn something about PowerShell scripting and to explore in my own way. I got many references from the “Scripting Guy blog” for extracting event IDs using PowerShell cmdlets. Finally I created my own PowerShell script to gather the system shutdown events, which has saved me a lot of time ever since.

The logic is simple: it uses the Event ID and Event Log parameters to gather the shutdown information and displays the end result in a simple way. I used Event IDs 41, 1074 and 1076 to gather shutdown events from the Event Log named “System”.

As per Microsoft, the Kernel-Power event ID 41 is logged when the computer shuts down or restarts unexpectedly. Event ID 1074 provides an important clue as to who or what initiated the shutdown or restart. Finally, event ID 1076 is written when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown, supplying a reason for the occurrence.

I used these events to get the required information and that was enough for me. Following is the script.

You may want to change the Windows PowerShell script execution policy to “Unrestricted” first so that all Windows PowerShell scripts can be run. Otherwise you may receive the following message in the PowerShell console:

File xxxxxxxxxx.ps1 cannot be loaded because the execution of scripts is disabled on this system.
Please see “get-help about_signing” for more details.
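The post's own script is not preserved on this page, so the following is an added example (not the author's code) showing how the three Event IDs described above can be pulled from the System log with Get-WinEvent. The -ComputerName and -Days parameters, and the host name HV-HOST01 in the usage comment, are my own assumptions and placeholders.

```powershell
# Added example (not the author's script): list shutdown / unexpected-restart
# events from the System log using Event IDs 41, 1074 and 1076.
# Requires read access to the System log (Event Log Readers or Administrators).
function Get-ShutdownEvent {
    [CmdletBinding()]
    param(
        # Assumption: local machine by default; -ComputerName queries a remote host over RPC
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: how many days back to search (default 30)
        [int]$Days = 30
    )

    # Meaning of each Event ID, as described in the post
    $kind = @{
        41   = 'Kernel-Power: unexpected shutdown or restart'
        1074 = 'User32: who/what initiated the shutdown or restart'
        1076 = 'User32: reason supplied after an unexpected shutdown'
    }

    $filter = @{
        LogName   = 'System'
        Id        = 41, 1074, 1076
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # "No events were found" is a non-terminating error; empty output means a clean window
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $evt  = $_
            $user = ''
            # Resolve the logging account's SID to a name where present (ID 41 is usually SYSTEM)
            if ($evt.UserId) {
                try   { $user = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $user = $evt.UserId.Value }
            }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                EventId     = $evt.Id
                Provider    = $evt.ProviderName
                Kind        = $kind[$evt.Id]
                User        = $user
                # First line of the rendered message carries the process / reason text
                Summary     = ($evt.Message -split "`r?`n")[0]
            }
        }
}

# Usage (HV-HOST01 is a placeholder host name):
# Get-ShutdownEvent -Days 7 | Format-Table -AutoSize
# Get-ShutdownEvent -ComputerName HV-HOST01 | Export-Csv shutdowns.csv -NoTypeInformation
```

If you save this as a .ps1 file, an execution policy of RemoteSigned scoped to the current session (Set-ExecutionPolicy -Scope Process RemoteSigned) is enough to run it and avoids loosening the machine-wide policy to Unrestricted.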
