December PowerShell One-Liner

This month’s PowerShell one-liner uses WMI to query event logs on remote computers. Specifically, it searches the System log for records written when the Event Log service starts (event 6005), which is another way to determine when a computer has started. It’s not foolproof, of course, but the one-liner should serve as an example of querying WMI on multiple machines.

    # Event 6005 in the System log: the Event Log service was started
    Get-WmiObject win32_ntlogevent -filter `
    "logfile='system' AND EventCode=6005 AND TimeWritten > `
    '$((get-date).AddDays(-30).toShortDateString())'" `
    -computername (get-content computers.txt) |
    Select @{name="Computername";Expression={$_.__Server}},`
    @{name="StartUp";Expression={$_.ConvertToDateTime($_.timewritten)}}

This expression queries a list of computers and finds the specific event records written in the last 30 days.

Download a text file with this expression here.
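
The same query wrapped in a function, as an added example that is not part of the original post: it builds the cutoff as a DMTF datetime string so the filter does not depend on the local short-date format, and it reports computers that could not be queried instead of leaving them out of the results. The function name `Get-EventLogStartup` and the `Error` property are hypothetical, and the code assumes Windows PowerShell 3.0 or later, where `Get-WmiObject` is available.

```powershell
# Added example; Get-EventLogStartup is a hypothetical helper name.
function Get-EventLogStartup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,
        [int]$Days = 30
    )
    begin {
        # DMTF datetime (yyyyMMddHHmmss.ffffff+UUU) expressed in UTC, so the
        # WQL comparison is independent of the machine's regional settings.
        $invariant = [Globalization.CultureInfo]::InvariantCulture
        $cutoff = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff', $invariant) + '+000'
        $filter = "LogFile='System' AND EventCode=6005 AND TimeWritten > '$cutoff'"
    }
    process {
        foreach ($computer in $ComputerName) {
            try {
                # -ErrorAction Stop turns an unreachable host into a catchable error
                $records = Get-WmiObject -Class Win32_NTLogEvent -Filter $filter `
                    -ComputerName $computer -ErrorAction Stop
                foreach ($record in $records) {
                    [pscustomobject]@{
                        Computername = $record.__SERVER
                        StartUp      = $record.ConvertToDateTime($record.TimeWritten)
                        Error        = $null
                    }
                }
            }
            catch {
                # Keep the failed host visible in the output
                [pscustomobject]@{
                    Computername = $computer
                    StartUp      = $null
                    Error        = $_.Exception.Message
                }
            }
        }
    }
}

# Most recent recorded start per computer; failed hosts keep their error text.
Get-Content computers.txt | Get-EventLogStartup -Days 30 |
    Group-Object Computername |
    ForEach-Object { $_.Group | Sort-Object StartUp -Descending | Select-Object -First 1 }
```

A computer that answers but has no matching records in the window produces no output row, so compare the result against the input list when a complete inventory matters.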