Time and date of last shutdown

[phishphreek]

You can use PSTools and use psinfo or psloggedon to determine how long the machine has been up or how long a user has been logged on.

Or, maybe use the powershell?

get-wmiobject Win32_OperatingSystem lastbootuptime

__GENUS : 2
__CLASS : Win32_OperatingSystem
__SUPERCLASS :
__DYNASTY :
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
LastBootUpTime : 20070528123000.375000-240

That doesn't exactly do the same thing you were looking for... determine the last shutdown.. but it determines at least the last reboot or boot.

If you were to use the following:

get-wmiobject Win32_OperatingSystem LocalDateTime

__GENUS : 2
__CLASS : Win32_OperatingSystem
__SUPERCLASS :
__DYNASTY :
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
LocalDateTime : 20070528215947.031000-240

Then you can subtract LastBootUpTime : 20070528123000.375000-240 from LocalDateTime : 20070528215947.031000-240 then you can determine that my computer has been "up" for about 9:29:47 giving you the uptime.

Wait! There's more!

You've already observed that one of the last services to stop before a shutdown/reboot is the eventlog. That happens to be stored in the system log and has an event id of 6006. As far as I know, this service can't be stopped any other way than a shutdown or reboot. (Though, I'm sure it's possible via system privledge elevation or a rootkit of sorts.)

get-eventlog System | where {$_.EventID -eq 6006} | format-list

Index : 18667
EntryType : Information
EventID : 6006
Message : The Event log service was stopped.
Category : (0)
CategoryNumber : 0
ReplacementStrings : {}
Source : EventLog
TimeGenerated : 5/27/2007 2:28:39 PM
TimeWritten : 5/27/2007 2:28:39 PM
UserName :

That coupled with entries in the security log of evenit id 551
(User initiated logoff)

get-eventlog Security | where {$_.EventID -eq 551} | format-list

Index : 422
EntryType : SuccessAudit
EventID : 551
Message : User initiated logoff:

User Name: user

Domain: DOMAIN

Logon ID: (0x0,0xxxxxx)

Category : Logon/Logoff
CategoryNumber : 2
ReplacementStrings : {user, COMPUTER, (0x0,0xxxxxx)}
Source : Security
TimeGenerated : 5/27/2007 2:28:07 PM
TimeWritten : 5/27/2007 2:28:07 PM
UserName : COMPUTER\user

So, from the above entries, we can determine that I logged off my computer around 2:28pm on 5-27-07 and turned it on again around 12:30pm on 5-28-07. This is pretty close if I had to guess. I don't recall the exact time I logged off (shutdown) and turned it on again today... but the above looks pretty damn close.

If you really need to get closer, you can probably use more info from that get-wmiobject Win32_OperatingSystem I posted above. To find out all the info you can query from it use

get-wmiobject Win32_OperatingSystem | get-member

That will list all the stuff you can query.
The following may be useful;

CountryCode
CurrentTimeZone
LastBootUpTime
LocalDateTime
Locale

Actually, I'm not sure those others would be useful at all. The CurrentTimeZone is also listed in the lastbootuptime and localdatetime (240 for me during eastern daylight time). countrycode and local will only give you info on country and what kind of language set they're using.

[Ignatius]

I'd forgotten about the good old Sysinternals tools. Thanks for the reminder.

I have PowerShell but haven't used it (I regret I'm a "collector", just in case I might need XYZ some day!). It's confusing to see that my Security log is empty but the Application and System logs are packed with entries. I've not (knowingly) disabled it from logging things for me. I'm not sure that I can, anyway.

[phishphreek]

You have to enable security auditing.
It is not enabled by default... who knows why...

http://netsecurity.about.com/cs/tuto...t/ht040503.htm

[Ignatius]

Yeeks - that's so logical (hint of sarcasm!) isn't it?

Thanks