
If I use any of these PowerShell commands to return the LastBootUpTime...

(Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

or

Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime

or

Get-WmiObject win32_operatingsystem -ComputerName myserver | Select-Object @{LABEL='LastBootUpTime';EXPRESSION={$_.ConverttoDateTime($_.lastbootuptime)}}

I get the 11th Dec 2024 at 03:31:07.

I'm assuming this timestamp refers to a particular Event ID in the Windows Event Log? If so, which one? Most posts about restart events suggest looking for these in the Event Viewer...

  • 1074 - System has been shutdown by a process/user
  • 6005 - The Event log service was started
  • 6006 - The Event log service was stopped
  • 6008 - The previous system shutdown at time on date was unexpected

When I check my Event Viewer for this period and set the filter for the above events, I see the following...

  • event 1074 at 03:29:04
  • event 6006 at 03:30:05
  • event 6005 at 03:30:50

NONE of these correspond to the PowerShell LastBootUpTime, so which event is PowerShell actually flagging as the moment of boot?

Update - after further checking, I do have several Event ID 16s, the first of which occurs at 03:31:07 (corresponding to boot time). There is an event 12 (source is Kernel-General) timed at 03:30:28, over 30 seconds earlier.

1 Answer

I'm assuming this timestamp refers to a particular Event ID in the Windows Event Log?

No, not directly.

The LastBootUpTime timestamp is recorded by the system itself when the kernel is started.

The best corresponding event log item is kernel event ID 12, "The operating system started at system time yyyy-mm-ddThh:mm:ss.000000000Z", which is one or more seconds later (possibly due to the event system needing to start first).

Both facilities are recording system startup independently from each other.

Zac67
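
To compare the two independent records on a given host, the following added example (not part of the original question or answer) lists the event IDs discussed above that fall near LastBootUpTime and shows each one's offset from it in seconds. The five-minute window is an assumption, and ID 12 is restricted to the Microsoft-Windows-Kernel-General provider because other providers also use that ID.

```powershell
# Added example: line up LastBootUpTime with the System-log events discussed above.
# Assumption: a 5-minute window either side of boot; widen it for slow-booting hosts.
$boot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$window = New-TimeSpan -Minutes 5

# Event IDs taken from the question and answer on this page.
$filter = @{
    LogName   = 'System'
    Id        = 12, 1074, 6005, 6006, 6008
    StartTime = $boot - $window
    EndTime   = $boot + $window
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        # ID 12 is used by several providers; keep only the Kernel-General one.
        $_.Id -ne 12 -or $_.ProviderName -eq 'Microsoft-Windows-Kernel-General'
    } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name       = 'OffsetFromBootSec'
           Expression = { [math]::Round(($_.TimeCreated - $boot).TotalSeconds, 1) } }

# Negative offsets are events logged before LastBootUpTime, positive ones after it.
"LastBootUpTime (CIM): {0:yyyy-MM-dd HH:mm:ss}" -f $boot
$events | Format-Table -AutoSize
```

When building an incident timeline, record both the CIM value and the event 12 timestamp with their offset rather than treating either one as the single boot moment.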