If I use any of these powershell commands to return the LastBootUpTime…
(Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
or
Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime
or
Get-WmiObject win32_operatingsystem -ComputerName myserver | Select-Object @{LABEL='LastBootUpTime';EXPRESSION={$_.ConverttoDateTime($_.lastbootuptime)}}
I get the 11th Dec 2024 at 03:31:07.
I’m assuming this timestamp refers to a particular Event ID in the windows event Log? if so, which one?
Most posts on about re-start events suggest looking for these in the event viewer…
- 1074 – System has been shutdown by a process/user
- 6005 – The Event log service was started
- 6006 – The Event log service was stopped
- 6008 – The previous system shutdown at time on date was unexpected
When I check my event viewer for this period and set the filter for the above events I see the following…
- event 1074 at 03:29:04
- event 6006 at 03:30:05
- event 6005 at 03:30:50
NONE of these correspond to the powershell LastBootUpTime, so which event is powershell actually flagging as the moment of boot?
