Event Logs to Investigate Machine Restarts

The following PowerShell commands give a quick assessment of machine restarts. They query the System event log for event ID 1074, which records the nature of the restart, including the process and user account that initiated it.

This command sends the output to Out-GridView:

Get-EventLog -LogName System | Where-Object {$_.EventID -eq 1074} | Select-Object -Property EventID, TimeGenerated, UserName, MachineName, EntryType, Source, Message | Out-GridView

This command exports the events to a CSV file with Export-Csv:

Get-EventLog -LogName System | Where-Object {$_.EventID -eq 1074} | Export-Csv -Path C:\Events1074.csv
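
The same query as a structured report, as an added example that is not part of the original post: it uses Get-WinEvent, which filters in the event log service instead of piping the whole System log through Where-Object, and splits each 1074 record into process, user, action and reason columns. The function name Get-RestartEvent, the 30-day default window and the property positions (the usual layout of the User32 1074 record) are assumptions of this example.

```powershell
# Added example: structured view of event ID 1074 using Get-WinEvent.
# Get-RestartEvent is a hypothetical helper name, not a built-in cmdlet.
function Get-RestartEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$After = (Get-Date).AddDays(-30)   # assumed default look-back window
    )

    # The hashtable filter is applied by the event log service, so only
    # matching records are returned to PowerShell.
    $filter = @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $After }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error rather than returning nothing when no
        # record matches; treat that case as an empty result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        $p = $e.Properties
        # Assumed layout: 0 process, 2 reason, 3 reason code, 4 action,
        # 5 comment, 6 user. Skip records that do not carry all fields.
        if ($p.Count -lt 7) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            User        = $p[6].Value
            Process     = $p[0].Value
            Action      = $p[4].Value
            Reason      = $p[2].Value
            ReasonCode  = $p[3].Value
            Comment     = $p[5].Value
        }
    }
}

Get-RestartEvent | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The objects it returns can be piped to Out-GridView or Export-Csv in the same way as the commands above.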