Using PowerShell to get the real device uptime even with fast startup enabled


In this post I will show you a function that lets you get the real uptime of a device even if fast startup is enabled on the device.

Basic solution to get uptime

In many posts I saw people using the basic LastBootUpTime WMI query, the one below: 

I also used it in my scripts before.

However, there is an issue with this one: it may not return the correct time.

When does the issue occur?

The issue occurs if fast startup is enabled on the device and the user shuts down the device instead of rebooting it.

When he starts it again, the toast notification tells him his device has not been rebooted for 10 days (the date of the last reboot).

If you have a scheduled toast, it can be really annoying for the user, who does not make a difference between a reboot and a shutdown.

You can find here a toast notification I made that displays "Hey you haven't restarted your device since 5 days..."

What is the issue?

The issue with this method is that if fast boot is enabled on a device, when the user shuts down the device (and does not reboot it), the time collected will be wrong.

Reproduce the issue

1. Go into Control Panel\All Control Panel Items\Power Options\System Settings

2. Enable fast startup by checking below property

3. Wait a bit, about 5 minutes

4. Shut down your device

5. Start the device

6. Use the command mentioned above

7. This won't display the correct time

8. Go to Task Manager

9. It won't display the correct time either

10. Disable fast startup

11. Shut down your device

12. Start the device

13. Check uptime

14. This displays the correct time

How to get the correct time?

To get the correct time whether fast boot is enabled or not, and whether the device has been rebooted or shut down, we will use the event log.

The event log name to check is: Microsoft-Windows-Kernel-Boot

The event ID to check is: 27

See below what each code means:

- 0x0: Full shutdown or reboot

- 0x1: Shutdown with fast boot

- 0x2: Resume from hibernation

See below how to check for code 0x0 or 0x1:

See below what is returned in each case:

0x0: Full shutdown or reboot

0x1: Shutdown with fast boot
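
One way to run the check described above, as an added example that is not the author's script: it reads the newest Kernel-Boot event whose message carries code 0x0 or 0x1 and falls back to LastBootUpTime when no such event is left in the log. The function name Get-RealBootInfo, its parameters and the output property names are assumptions made for this example.

```powershell
# Added example; Get-RealBootInfo and its parameters are hypothetical names.
function Get-RealBootInfo {
    [CmdletBinding()]
    param(
        # 27 is the event ID given in this post; a reader comment reports 18 on Windows 11.
        [int]$EventId = 27,
        [switch]$ShowDays
    )

    # Boot type codes found in the event message, as listed above.
    $bootTypes = @{
        0 = 'Full shutdown or reboot'
        1 = 'Shutdown with fast boot'
        2 = 'Resume from hibernation'
    }

    # Get-WinEvent returns the newest events first.
    $filter = @{ ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = $EventId }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue

    $result = $null
    foreach ($evt in $events) {
        # The code is written in the message as a hex literal such as 0x0 or 0x1.
        if ($evt.Message -notmatch '0x([0-9A-Fa-f]+)') { continue }
        $code = [Convert]::ToInt32($Matches[1], 16)
        # Assumption: a resume from hibernation (0x2) is not counted as a start.
        if ($code -notin 0, 1) { continue }
        $result = [pscustomobject]@{
            BootTime = $evt.TimeCreated
            BootType = $bootTypes[$code]
            Source   = "Kernel-Boot event $EventId"
        }
        break
    }

    if (-not $result) {
        # No usable event (for example the log has rolled over): fall back to WMI,
        # which can be stale when fast startup is enabled.
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        $result = [pscustomobject]@{
            BootTime = $os.LastBootUpTime
            BootType = 'Unknown'
            Source   = 'Win32_OperatingSystem.LastBootUpTime'
        }
    }

    if ($ShowDays) { return [int][math]::Floor(((Get-Date) - $result.BootTime).TotalDays) }
    $result
}
```

The Source property shows whether the value came from the event log or from the fallback, so a compliance or toast script can tell a trustworthy result from a possibly stale one.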

Get the script

Click on the below GitHub picture to get the Proactive Remediation script.

How does it work?

Get the uptime date

To display the full date just type: Get_DeviceUpTime

Get uptime in days

If you want to display how many days your device has gone without a restart, add the parameter Show_Days: Get_DeviceUpTime -Show_Days

1 comment

FoxyNC said…

While it might work with Windows 10, it does not work with Windows 11, at least for me.
After a few hours of testing, I found out the event type should be "18" instead of "27" when looking for "0x1" reboots (FastBoot).
So here is the correct request:

$Boot_Event = Get-WinEvent -ProviderName 'Microsoft-Windows-Kernel-Boot'| where {$_.ID -eq 18 -and $_.message -like "*0x1*"}
