Who Rebooted the Server
Who rebooted the server? Let's check out Event ID 1074.
In this lecture we will use PowerShell to access Windows log files on a remote computer or server.
- From VSC1, open PowerShell ISE in Admin mode.
- From VSC1, you can take a look at the Application, Security, Setup, and System logs.
- Type Get-EventLog, then type the log name. In this case I'll type System, then press Return. As you can see, there are a lot of Event IDs.
But there is a much better method for accomplishing this task.
Event ID 1074 is a specific type of event that appears in the Windows Event Log. It is logged when a computer is shut down or restarted, and it provides information about the shutdown or restart process. Event ID 1074 is particularly useful for system administrators and IT personnel for tracking system events and understanding why a computer was shut down or restarted.
From the host machine, open PowerShell ISE in Admin mode.
From the student guide, copy and paste this code into PowerShell:
```powershell
# Prompt for credentials or provide them manually
$credential = Get-Credential
# Use the provided credentials to access the remote computer's System Event log
Get-WinEvent -ComputerName 'VSC1' -Credential $credential -FilterHashtable @{logname = 'System'; id = 1074} | Format-Table -Wrap
```
Here is the explanation:
$credential = Get-Credential: This line prompts the user to enter their credentials (username and password) and stores them in the $credential variable. These credentials are typically used for authenticating against remote systems or network resources.
Get-Credential: This is a PowerShell cmdlet used to interactively prompt the user for a username and password. When you run this command, it opens a dialog box (or a console prompt in text-based environments) where you can enter the required credentials. The credential object includes the entered username and securely stores the encrypted…
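The Get-WinEvent command above prints each 1074 record as wrapped message text. The following added example (not part of the student guide) splits each record into named fields so the account that requested the shutdown or restart is its own column. The helper name ConvertFrom-ShutdownEvent and the sample record are constructed for illustration, and the property order is assumed to be the one the User32 source writes for Event ID 1074.

```powershell
# Added example: one row per shutdown/restart from Event ID 1074 records.
# Assumed property order: 0 process, 1 computer, 2 reason, 3 reason code,
# 4 shutdown type, 5 comment, 6 user.
function ConvertFrom-ShutdownEvent {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Record
    )
    process {
        $p = $Record.Properties
        # Skip records that do not carry the expected seven fields
        if ($p.Count -lt 7) {
            Write-Warning "Record at $($Record.TimeCreated) has $($p.Count) properties; skipped."
            return
        }
        [pscustomobject]@{
            TimeCreated  = $Record.TimeCreated
            Computer     = $Record.MachineName
            User         = $p[6].Value
            Process      = $p[0].Value
            ShutdownType = $p[4].Value
            Reason       = $p[2].Value
            ReasonCode   = $p[3].Value
            Comment      = $p[5].Value
        }
    }
}

# Constructed sample shaped like a 1074 record, so the function can be tried offline.
$sample = [pscustomobject]@{
    TimeCreated = [datetime]'2024-01-15T02:14:07'
    MachineName = 'VSC1'
    Properties  = @(
        'C:\Windows\system32\shutdown.exe (VSC1)', 'VSC1', 'No title for this reason could be found',
        '0x800000ff', 'restart', '', 'LAB\student1'
    ) | ForEach-Object { [pscustomobject]@{ Value = $_ } }
}
$sample | ConvertFrom-ShutdownEvent | Format-List

# Against the lab machine from the lecture (uses $credential from Get-Credential):
# Get-WinEvent -ComputerName 'VSC1' -Credential $credential -FilterHashtable @{ LogName = 'System'; Id = 1074 } |
#     ConvertFrom-ShutdownEvent | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The User and Process columns together show which account asked for the restart and whether it came from shutdown.exe, an installer, or another process.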