You can use PSTools and use psinfo or psloggedon to determine how long the machine has been up or how long a user has been logged on.
Or, maybe use the powershell?
get-wmiobject Win32_OperatingSystem lastbootuptime
That doesn't exactly do the same thing you were looking for... determine the last shutdown... but it determines at least the last reboot or boot.
Quote:
__GENUS : 2
__CLASS : Win32_OperatingSystem
__SUPERCLASS :
__DYNASTY :
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
LastBootUpTime : 20070528123000.375000-240
If you were to use the following:
get-wmiobject Win32_OperatingSystem LocalDateTime
Then you can subtract LastBootUpTime : 20070528123000.375000-240 from LocalDateTime : 20070528215947.031000-240; from that you can determine that my computer has been "up" for about 9:29:47, giving you the uptime.
Quote:
__GENUS : 2
__CLASS : Win32_OperatingSystem
__SUPERCLASS :
__DYNASTY :
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
LocalDateTime : 20070528215947.031000-240
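As an added example (not part of the original post) of the subtraction described above: Windows PowerShell code that parses the DMTF timestamp strings Win32_OperatingSystem returns and turns the difference into a TimeSpan, first on the two values quoted in the post and then from a live query. The function names are my own.

```powershell
# Added example, not from the original post.
# WMI returns timestamps as yyyymmddHHMMSS.mmmmmm+UUU, where UUU is the UTC
# offset in minutes (-240 = Eastern Daylight Time). ManagementDateTimeConverter
# understands that format natively, so no hand parsing is needed.
function ConvertFrom-DmtfDateTime {
    param([Parameter(Mandatory)][string]$Dmtf)
    [System.Management.ManagementDateTimeConverter]::ToDateTime($Dmtf)
}

# Subtracts boot time from current time; both strings must come from the same
# machine so the UTC offsets agree. Returns a [TimeSpan].
function Get-UptimeFromDmtf {
    param(
        [Parameter(Mandatory)][string]$LastBootUpTime,
        [Parameter(Mandatory)][string]$LocalDateTime
    )
    $boot = ConvertFrom-DmtfDateTime $LastBootUpTime
    $now  = ConvertFrom-DmtfDateTime $LocalDateTime
    if ($now -lt $boot) {
        # A boot time in the future means the clock was changed after boot;
        # the result would be meaningless, so say so instead of returning it.
        throw "LocalDateTime ($now) is earlier than LastBootUpTime ($boot); clock skew?"
    }
    $now - $boot
}

# The two values quoted in the post above, used as constructed sample input so
# this part runs without any WMI access.
$span = Get-UptimeFromDmtf -LastBootUpTime '20070528123000.375000-240' `
                           -LocalDateTime  '20070528215947.031000-240'
'Uptime from posted values: {0:hh\:mm\:ss}' -f $span   # 09:29:46, which the post rounds to 9:29:47

# Live query on the local machine. Get-WmiObject exists in Windows PowerShell
# only; in PowerShell 7 use Get-CimInstance, whose LastBootUpTime and
# LocalDateTime properties are already [datetime] values.
$os   = Get-WmiObject Win32_OperatingSystem
$live = Get-UptimeFromDmtf -LastBootUpTime $os.LastBootUpTime -LocalDateTime $os.LocalDateTime
'Live uptime: {0:dd\.hh\:mm\:ss}' -f $live
```

Because both timestamps carry the same UTC offset, the converter's translation to the querying machine's local time cancels out in the subtraction, so the result is correct even when the script runs from a different time zone than the target.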
Wait! There's more! :D :drink:
You've already observed that one of the last services to stop before a shutdown/reboot is the eventlog. That happens to be stored in the system log and has an event id of 6006. As far as I know, this service can't be stopped any other way than a shutdown or reboot. (Though, I'm sure it's possible via system privilege elevation or a rootkit of sorts.)
get-eventlog System | where {$_.EventID -eq 6006} | format-list
Quote:
Index : 18667
EntryType : Information
EventID : 6006
Message : The Event log service was stopped.
Category : (0)
CategoryNumber : 0
ReplacementStrings : {}
Source : EventLog
TimeGenerated : 5/27/2007 2:28:39 PM
TimeWritten : 5/27/2007 2:28:39 PM
UserName :
That coupled with entries in the security log of event id 551 (User initiated logoff):
get-eventlog Security | where {$_.EventID -eq 551} | format-list
Quote:
Index : 422
EntryType : SuccessAudit
EventID : 551
Message : User initiated logoff:
User Name: user
Domain: DOMAIN
Logon ID: (0x0,0xxxxxx)
Category : Logon/Logoff
CategoryNumber : 2
ReplacementStrings : {user, COMPUTER, (0x0,0xxxxxx)}
Source : Security
TimeGenerated : 5/27/2007 2:28:07 PM
TimeWritten : 5/27/2007 2:28:07 PM
UserName : COMPUTER\user
So, from the above entries, we can determine that I logged off my computer around 2:28pm on 5-27-07 and turned it on again around 12:30pm on 5-28-07. This is pretty close if I had to guess. I don't recall the exact time I logged off (shutdown) and turned it on again today... but the above looks pretty damn close.
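As an added example (not from the original post) of the correlation described above: Windows PowerShell code that pulls the 6006 entries from the System log and the user-initiated logoff entries from the Security log, adds the WMI boot time, and emits them as one ordered timeline so shutdown, logoff and boot can be read side by side. The function name and the -Days window are my choices. Reading the Security log needs an elevated session with logon/logoff auditing enabled; 551 is the pre-Vista logoff ID, while Vista and later record the same event as 4647, so both are included.

```powershell
# Added example, not from the original post.
function Get-ShutdownTimeline {
    param(
        # How far back to look; the Security log is busy, so a date cutoff is
        # safer than -Newest.
        [int]$Days = 7,
        # 551 = "User initiated logoff" on XP/2003; Vista and later use 4647.
        [int[]]$LogoffIds = @(551, 4647)
    )
    $since  = (Get-Date).AddDays(-$Days)
    $events = @()

    # Event Log service stopped (6006): the last entry before a clean
    # shutdown or reboot, so each one marks the end of an uptime period.
    $events += @(Get-EventLog -LogName System -After $since |
        Where-Object { $_.EventID -eq 6006 } |
        ForEach-Object {
            [pscustomobject]@{
                Time = $_.TimeGenerated
                What = 'Event Log service stopped (6006)'
                User = ''
            }
        })

    # User-initiated logoff from the Security log. Get-EventLog throws an
    # access error here if the session is not elevated.
    $events += @(Get-EventLog -LogName Security -After $since |
        Where-Object { $LogoffIds -contains $_.EventID } |
        ForEach-Object {
            [pscustomobject]@{
                Time = $_.TimeGenerated
                What = "User initiated logoff ($($_.EventID))"
                User = $_.UserName
            }
        })

    # Boot time from WMI. PowerShell attaches ConvertToDateTime() to WMI
    # objects, which turns the DMTF string into a [datetime].
    $os = Get-WmiObject Win32_OperatingSystem
    $events += [pscustomobject]@{
        Time = $os.ConvertToDateTime($os.LastBootUpTime)
        What = 'Last boot (Win32_OperatingSystem.LastBootUpTime)'
        User = ''
    }

    $events | Sort-Object Time
}

# Usage: a logoff followed shortly by a 6006 is a shutdown; a 6006 with no
# logoff before it is a reboot or a power loss.
Get-ShutdownTimeline -Days 3 | Format-Table -AutoSize
```

All three times are local-clock values from the same machine, so they sort together directly; if the logs are being examined from a different host, compare against LastBootUpTime's UTC offset before drawing conclusions about gaps.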
If you really need to get closer, you can probably use more info from that get-wmiobject Win32_OperatingSystem I posted above. To find out all the info you can query from it use
get-wmiobject Win32_OperatingSystem | get-member
That will list all the stuff you can query.
The following may be useful:
CountryCode
CurrentTimeZone
LastBootUpTime
LocalDateTime
Locale
Actually, I'm not sure those others would be useful at all. The CurrentTimeZone is also listed in the lastbootuptime and localdatetime (240 for me during eastern daylight time). countrycode and locale will only give you info on country and what kind of language set they're using. :(
