Who Rebooted the Server
Full-Access Members Only
Sorry, this lesson is only available to Server Academy Full-Access members. Become a Full-Access member now and get instant access to this and many more premium courses. Click the button below and get instant access now.
Instructions
Who rebooted the server? Let's check out Event ID 1074
In this lecture we will use PowerShell to read the Windows event logs on a remote computer or server.
- From VSC1, open PowerShell ISE in Admin mode.
- From VSC1, you can take a look at the Application, Security, Setup and System logs. Type Get-EventLog followed by the log name; in this case I'll type System, then press Return. As you can see, there are a lot of Event IDs. (Get-EventLog exists only in Windows PowerShell 5.1; in PowerShell 7 use Get-WinEvent instead.)
But there is a much better method for accomplishing this task.
Event ID 1074 is a specific type of event that appears in the Windows System event log. It is logged whenever a computer is shut down or restarted in an orderly way by a user or a process, and it records who requested it, from which process, and why. Event ID 1074 is particularly useful for system administrators and IT personnel for tracking system events and understanding why a computer was shut down or restarted. An unexpected shutdown (power loss, crash) does not produce 1074; Windows records that separately as Event ID 6008 on the next boot.
From the host machine, open PowerShell ISE in Admin mode.
From the student guide, copy and paste this code into PowerShell:
# Prompt for credentials (or build a PSCredential object manually)
$credential = Get-Credential
# Use those credentials to read Event ID 1074 from the remote computer's System event log
Get-WinEvent -ComputerName 'VSC1' -Credential $credential -FilterHashtable @{logname = 'System'; id = 1074} | Format-Table -Wrap
Here is the explanation:
$credential = Get-Credential: Get-Credential is a PowerShell cmdlet that interactively prompts for a username and password. When you run it, it opens a dialog box (or a console prompt in text-based environments) where you enter the required credentials, and it returns a credential object that holds the username and the password as a SecureString rather than plain text. This line stores that object in the $credential variable so it can be used to authenticate against remote systems or network resources.
Get-WinEvent -ComputerName 'VSC1': This command retrieves Windows Event Log entries from the remote computer named 'VSC1', using the credentials stored in the $credential variable for authentication. Get-WinEvent reaches the remote machine through the Windows Event Log service over RPC, not PowerShell remoting, so the "Remote Event Log Management" firewall rules must be enabled on VSC1. Here's a breakdown of the rest of the command:
-Credential $credential: This parameter passes the credential object stored in the $credential variable. It contains the username and securely stored password required for authentication when connecting to the remote computer. This is necessary when accessing event logs on remote computers that require authentication.
-FilterHashtable @{logname = 'System'; id = 1074}: This parameter filters the events retrieved from the 'System' event log on the remote computer 'VSC1' down to those with an Event ID of 1074, which corresponds to a user- or process-initiated system shutdown or restart. Filtering on the server side like this is much faster than pulling the whole log and filtering it afterwards with Where-Object.
|: The pipe symbol (|) is used to take the output of the command on its left side (the output of Get-WinEvent) and pass it as input to the command on its right side (Format-Table).
Format-Table: This cmdlet formats the event log data into a table for better readability in the console.
-Wrap: The -Wrap parameter ensures that long lines of text within a table cell are wrapped to the next line instead of getting cut off at the edge of the console window. This ensures that you can see the full content of each cell without horizontal scrolling.
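The lesson's one-liner answers the question for a single server. As an added example (not the lesson's or Server Academy's own code), the function below runs the same Get-WinEvent query against several computers inside a time window, pulls the user, shutdown type, process and reason out of each 1074 event's data fields, and then summarises the results per user. The computer names 'VSC1' and 'VSC2' are placeholders; the account entered at Get-Credential is assumed to have rights to read the remote System log, and the "Remote Event Log Management" firewall rules are assumed to be enabled on each target. The field order used for $event.Properties follows the User32 1074 message template (process, computer, reason, reason code, shutdown type, comment, user); the code checks the field count and falls back to the raw message if the layout differs.

```powershell
# Added example: collect Event ID 1074 (orderly shutdown/restart) from several
# computers and report who requested each one. Not part of the original lesson.

function Get-RestartEvent {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,          # placeholder hosts, e.g. 'VSC1','VSC2'
        [pscredential] $Credential = (Get-Credential),            # prompts once, reused for every host
        [datetime] $StartTime = (Get-Date).AddDays(-30),          # only look back this far
        [int] $MaxEvents = 200                                    # cap per host to keep remote reads short
    )

    foreach ($computer in $ComputerName) {
        # Same server-side filter as the lesson, plus a StartTime so old history is not pulled
        $filter = @{ LogName = 'System'; Id = 1074; StartTime = $StartTime }

        try {
            $events = Get-WinEvent -ComputerName $computer -Credential $Credential `
                                   -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
        }
        catch {
            # Get-WinEvent reports "no events found" as an error, as it does an unreachable host;
            # warn and move on instead of aborting the whole sweep
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        foreach ($event in $events) {
            $p = $event.Properties
            if ($p.Count -lt 7) {
                # Unexpected field layout (assumption about the User32 template did not hold):
                # keep the raw message so nothing is silently dropped
                [pscustomobject]@{
                    Computer = $computer; Time = $event.TimeCreated; User = '(unparsed)'
                    Type = ''; Process = ''; Reason = ''; Comment = $event.Message
                }
                continue
            }
            [pscustomobject]@{
                Computer = $computer
                Time     = $event.TimeCreated
                User     = $p[6].Value    # %7 in the template: account that requested the shutdown
                Type     = $p[4].Value    # %5: 'restart' or 'power off'
                Process  = $p[0].Value    # %1: process that called the shutdown API (e.g. shutdown.exe)
                Reason   = $p[2].Value    # %3: reason text chosen by the caller
                Comment  = $p[5].Value    # %6: free text given with shutdown.exe /c, if any
            }
        }
    }
}

# Who restarted which machine, most recent first (placeholder host names)
$restarts = Get-RestartEvent -ComputerName 'VSC1', 'VSC2'
$restarts | Sort-Object Time -Descending | Format-Table Computer, Time, User, Type, Process -Wrap

# Per-user count answers "who?" at a glance
$restarts | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
```

Run it from the host machine in an elevated PowerShell session as in the lesson. To verify the field order on a particular build, call `$event.ToXml()` on one 1074 event and compare the `<Data>` elements with the comments above; for a local check without credentials, the same filter works with `Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074}` and no -ComputerName.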
Now let's go ahead and run the command and take a look at the results.
First we type our username and password, then press Return.
So, if you take a look at the System log, Event ID 1074 reports that several users initiated computer restarts. It shows the date and time, the Event ID and the user name. And we see on the very first entry that a user named Jesse restarted the machine. So, I will be talking to Jesse about that restart.