jdhitsolutions/Get-Restart.ps1

## Get-Restart.ps1
Function Get-Restart {
    [cmdletbinding()]
    [outputtype("RestartEvent")]
    Param(
        [Parameter(Position = 0, ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [Alias("CN")]
        [string]$Computername = $env:COMPUTERNAME,
        [Parameter(HelpMessage = "Find restart events since this date and time.")]
        [ValidateNotNullOrEmpty()]
        [Alias("Since")]
        [datetime]$After,
        [int64]$MaxEvents,
        [PSCredential]$Credential
    )
    Begin {
        Write-Verbose "[$((Get-Date).TimeofDay) BEGIN  ] Starting $($myinvocation.mycommand)"
        $filter = @{
            Logname = "System"
            ID      = 1074
        }
        if ($After) {
            Write-Verbose "[$((Get-Date).TimeofDay) BEGIN  ] Getting restart events after $After"
            $filter.Add("StartTime", $After)
        }

        $splat = @{
            ErrorAction = "Stop"
            FilterHash  = $Filter
        }
        if ($MaxEvents -gt 0) {
            Write-Verbose "[$((Get-Date).TimeofDay) BEGIN  ] Limiting search to $MaxEvents event(s)"
            $splat.Add("MaxEvents", $MaxEvents)
        }
        if ($Credential.UserName) {
            Write-Verbose "[$((Get-Date).TimeofDay) BEGIN  ] Adding a credential for $($Credential.UserName)"
            $splat.Add("Credential", $Credential)
        }
    } #begin

    Process {
        Write-Verbose "[$((Get-Date).TimeofDay) PROCESS] Getting restart events on $($Computername.ToUpper())"
        $splat.Computername = $Computername
        Try {
            $entries = Get-WinEvent @splat
        }
        Catch {
            Throw $_
        }

        if ($entries) {
            #process entries into custom objects
            foreach ($entry in $entries) {
                #resolve the user SID
                Try {
                    Write-Verbose "[$((Get-Date).TimeofDay) PROCESS] Translating $($entry.UserId)"
                    $user = $entry.UserId.translate([System.Security.Principal.NTAccount]).value
                }
                Catch {
                    $user = $entry.properties[-1].value
                    #$entry.userid
                }

                [pscustomobject]@{
                    PSTypeName   = "RestartEvent"
                    Computername = $entry.machinename.ToUpper()
                    Datetime     = $entry.TimeCreated
                    Username     = $user
                    Category     = $entry.properties[4].value
                    Process      = $entry.properties[0].value.split()[0].trim()
                }
            } #foreach item
        }
    } #process

    End {
        Write-Verbose "[$((Get-Date).TimeofDay) END    ] Ending $($myinvocation.mycommand)"
    } #end

} #close Get-Restart

#add custom formatting
Update-FormatData $PSScriptRoot\restartevent.format.ps1xml

## restartevent.format.ps1xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Format type data generated 05/06/2021 17:33:49 by PROSPERO\Jeff

This file was created using the New-PSFormatXML command that is part
of the PSScriptTools module.
https://github.com/jdhitsolutions/PSScriptTools
-->
<Configuration>
  <ViewDefinitions>
    <View>
      <!--Created 05/06/2021 17:33:49 by PROSPERO\Jeff-->
      <Name>default</Name>
      <ViewSelectedBy>
        <TypeName>RestartEvent</TypeName>
      </ViewSelectedBy>
      <GroupBy>
        <PropertyName>Computername</PropertyName>
        <Label>Computername</Label>
      </GroupBy>
      <TableControl>
        <!--Delete the AutoSize node if you want to use the defined widths.
        <AutoSize />-->
        <TableHeaders>
          <TableColumnHeader>
            <Label>When</Label>
            <Width>24</Width>
            <Alignment>left</Alignment>
          </TableColumnHeader>
          <TableColumnHeader>
            <Label>Username</Label>
            <Width>30</Width>
            <Alignment>left</Alignment>
          </TableColumnHeader>
          <TableColumnHeader>
          <!-- The width must be wide enough to accomodate the ANSI escape sequences-->
            <Label>Category</Label>
            <Width>15</Width>
            <Alignment>left</Alignment>
          </TableColumnHeader>
          <TableColumnHeader>
            <Label>Process</Label>
            <Alignment>left</Alignment>
          </TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem>
                <PropertyName>Datetime</PropertyName>
              </TableColumnItem>
              <TableColumnItem>
                <ScriptBlock>
                if ($host.name -match 'Console|Code' -AND $_.Username -match " ") {
                   "$([char]27)[38;5;207m$($_.Username)$([char]27)[0m"
                }
                else {
                  $_.Username
                }
                </ScriptBlock>
              </TableColumnItem>
              <TableColumnItem>
                <ScriptBlock>
                <!-- colorize the category using ANSI-->
                if ($host.name -match 'Console|Code') {
                  Switch ($_.Category) {
                    "power off" { $ansi = "[38;5;200m"}
                    "restart" { $ansi = "[92m"}
                    "shutdown" { $ansi = "[38;5;214m" }
                    default { $ansi = "[37m"}
                  }
                   "$([char]27)$Ansi$($_.category)$([char]27)[0m"
                }
                else {
                  $_.Category
                }
                </ScriptBlock>
              </TableColumnItem>
              <TableColumnItem>
                <PropertyName>Process</PropertyName>
              </TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>
  </ViewDefinitions>
</Configuration>
	Function Get-Restart {
	[cmdletbinding()]
	[outputtype("RestartEvent")]
	Param(
	[Parameter(Position = 0, ValueFromPipeline)]
	[ValidateNotNullOrEmpty()]
	[Alias("CN")]
	[string]$Computername = $env:COMPUTERNAME,
	[Parameter(HelpMessage = "Find restart events since this date and time.")]
	[ValidateNotNullOrEmpty()]
	[Alias("Since")]
	[datetime]$After,
	[int64]$MaxEvents,
	[PSCredential]$Credential
	)
	Begin {
	Write-Verbose "[$((Get-Date).TimeofDay) BEGIN ] Starting $($myinvocation.mycommand)"
	$filter = @{
	Logname = "System"
	ID = 1074
	}
	if ($After) {
	Write-Verbose "[$((Get-Date).TimeofDay) BEGIN ] Getting restart events after $After"
	$filter.Add("StartTime", $After)
	}

	$splat = @{
	ErrorAction = "Stop"
	FilterHash = $Filter
	}
	if ($MaxEvents -gt 0) {
	Write-Verbose "[$((Get-Date).TimeofDay) BEGIN ] Limiting search to $MaxEvents event(s)"
	$splat.Add("MaxEvents", $MaxEvents)
	}
	if ($Credential.UserName) {
	Write-Verbose "[$((Get-Date).TimeofDay) BEGIN ] Adding a credential for $($Credential.UserName)"
	$splat.Add("Credential", $Credential)
	}
	} #begin

	Process {
	Write-Verbose "[$((Get-Date).TimeofDay) PROCESS] Getting restart events on $($Computername.ToUpper())"
	$splat.Computername = $Computername
	Try {
	$entries = Get-WinEvent @splat
	}
	Catch {
	Throw $_
	}

	if ($entries) {
	#process entries into custom objects
	foreach ($entry in $entries) {
	#resolve the user SID
	Try {
	Write-Verbose "[$((Get-Date).TimeofDay) PROCESS] Translating $($entry.UserId)"
	$user = $entry.UserId.translate([System.Security.Principal.NTAccount]).value
	}
	Catch {
	$user = $entry.properties[-1].value
	#$entry.userid
	}

	[pscustomobject]@{
	PSTypeName = "RestartEvent"
	Computername = $entry.machinename.ToUpper()
	Datetime = $entry.TimeCreated
	Username = $user
	Category = $entry.properties[4].value
	Process = $entry.properties[0].value.split()[0].trim()
	}
	} #foreach item
	}
	} #process

	End {
	Write-Verbose "[$((Get-Date).TimeofDay) END ] Ending $($myinvocation.mycommand)"
	} #end

	} #close Get-Restart

	#add custom formatting
	Update-FormatData $PSScriptRoot\restartevent.format.ps1xml
	<?xml version="1.0" encoding="UTF-8"?>
	<!--
	Format type data generated 05/06/2021 17:33:49 by PROSPERO\Jeff

	This file was created using the New-PSFormatXML command that is part
	of the PSScriptTools module.
	https://github.com/jdhitsolutions/PSScriptTools
	-->
	<Configuration>
	<ViewDefinitions>
	<View>
	<!--Created 05/06/2021 17:33:49 by PROSPERO\Jeff-->
	<Name>default</Name>
	<ViewSelectedBy>
	<TypeName>RestartEvent</TypeName>
	</ViewSelectedBy>
	<GroupBy>
	<PropertyName>Computername</PropertyName>
	<Label>Computername</Label>
	</GroupBy>
	<TableControl>
	<!--Delete the AutoSize node if you want to use the defined widths.
	<AutoSize />-->
	<TableHeaders>
	<TableColumnHeader>
	<Label>When</Label>
	<Width>24</Width>
	<Alignment>left</Alignment>
	</TableColumnHeader>
	<TableColumnHeader>
	<Label>Username</Label>
	<Width>30</Width>
	<Alignment>left</Alignment>
	</TableColumnHeader>
	<TableColumnHeader>
	<!-- The width must be wide enough to accomodate the ANSI escape sequences-->
	<Label>Category</Label>
	<Width>15</Width>
	<Alignment>left</Alignment>
	</TableColumnHeader>
	<TableColumnHeader>
	<Label>Process</Label>
	<Alignment>left</Alignment>
	</TableColumnHeader>
	</TableHeaders>
	<TableRowEntries>
	<TableRowEntry>
	<TableColumnItems>
	<TableColumnItem>
	<PropertyName>Datetime</PropertyName>
	</TableColumnItem>
	<TableColumnItem>
	<ScriptBlock>
	if ($host.name -match 'Console\|Code' -AND $_.Username -match " ") {
	"$([char]27)[38;5;207m$($_.Username)$([char]27)[0m"
	}
	else {
	$_.Username
	}
	</ScriptBlock>
	</TableColumnItem>
	<TableColumnItem>
	<ScriptBlock>
	<!-- colorize the category using ANSI-->
	if ($host.name -match 'Console\|Code') {
	Switch ($_.Category) {
	"power off" { $ansi = "[38;5;200m"}
	"restart" { $ansi = "[92m"}
	"shutdown" { $ansi = "[38;5;214m" }
	default { $ansi = "[37m"}
	}
	"$([char]27)$Ansi$($_.category)$([char]27)[0m"
	}
	else {
	$_.Category
	}
	</ScriptBlock>
	</TableColumnItem>
	<TableColumnItem>
	<PropertyName>Process</PropertyName>
	</TableColumnItem>
	</TableColumnItems>
	</TableRowEntry>
	</TableRowEntries>
	</TableControl>
	</View>
	</ViewDefinitions>
	</Configuration>