Using PowerShell to get the real device uptime even with fast startup enabled
In this post I will show you a function that gets the real uptime of a device even if fast startup is enabled on the device.
Basic solution to get uptime
In many posts I saw people using the basic LastBootUpTime WMI query, the one below:
I also used it in my scripts before.
However, there is an issue with this one: it may not return the correct time.
When does the issue occur?
The issue occurs if fast startup is enabled on the device and the user shuts the device down instead of rebooting it.
When he starts it again, the toast notification tells him his device has not been rebooted for 10 days (the date of the last reboot).
If you have a scheduled toast, it can be really annoying for a user who does not distinguish between a reboot and a shutdown.
You can find here a toast notification I made displaying "Hey you haven't restarted your device since 5 days..."
What is the issue?
The issue with this method is that if fast boot is enabled on a device and the user shuts the device down (rather than rebooting it), the time collected will be wrong.
Reproduce the issue
1. Go into Control Panel\All Control Panel Items\Power Options\System Settings
2. Enable fast startup by checking the property below
3. Wait a bit, like 5 minutes
4. Shut down your device
5. Start the device
6. Use the command mentioned above
7. This won't display the correct time
8. Go to Task Manager
9. It won't display the correct time either
10. Disable fast startup
11. Shut down your device
12. Start the device
13. Check uptime
14. This displays the correct time
Getting the correct time
To get the correct time whether or not fast boot is enabled, and whether the device has been rebooted or shut down, we will use the event log.
The event log name to check is: Microsoft-Windows-Kernel-Boot
The event ID to check is: 27
Here is what each code means:
- 0x0: Full shutdown or reboot
- 0x1: Shutdown with fast boot
- 0x2: Resume from hibernation
See below how to check for code 0x0 or 0x1:
See below the result returned for each case:
0x0: Full shutdown or reboot
0x1: Shutdown with fast boot
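The event log check described above, side by side with the LastBootUpTime value, as an added example that is not the author's Get_DeviceUpTime script. The function name `Get-LastStartEvent`, its `-EventId` parameter and the approach of reading the hex code from the event message text are assumptions made for this illustration.

```powershell
# Added example; not the author's Get_DeviceUpTime script.
# Boot type codes as listed in the post.
$BootTypes = @{
    '0x0' = 'Full shutdown or reboot'
    '0x1' = 'Shutdown with fast boot'
    '0x2' = 'Resume from hibernation'
}

function Get-LastStartEvent {       # hypothetical name
    param([int]$EventId = 27)       # 27 is the event ID given in the post

    $filter = @{ ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = $EventId }
    # Newest events come first; "no events found" is an error, so silence it.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Assumption: the boot type appears as a hex token in the message text.
        # Capturing the whole token keeps 0x10 from being read as 0x1.
        if ($e.Message -match '0x[0-9A-Fa-f]+') {
            $code = $Matches[0].ToLower()
            if ($code -in '0x0', '0x1') {   # skip 0x2 (resume from hibernation)
                return [pscustomobject]@{
                    StartTime = $e.TimeCreated
                    BootType  = $code
                    Meaning   = $BootTypes[$code]
                }
            }
        }
    }
}

$wmi   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$start = Get-LastStartEvent
if ($null -eq $start) {
    # Log cleared or rolled over: fall back to the WMI value and say so.
    Write-Warning 'No boot event with type 0x0 or 0x1 found; using LastBootUpTime.'
    $start = [pscustomobject]@{ StartTime = $wmi; BootType = 'n/a'; Meaning = 'WMI fallback' }
}

# Both values side by side, so the gap caused by fast startup is visible.
[pscustomobject]@{
    EventLogStart  = $start.StartTime
    BootType       = "$($start.BootType) ($($start.Meaning))"
    DaysSinceStart = [math]::Floor(((Get-Date) - $start.StartTime).TotalDays)
    WmiLastBootUp  = $wmi
    DaysPerWmi     = [math]::Floor(((Get-Date) - $wmi).TotalDays)
}
```

Pass `-EventId` to read a different event ID, such as the 18 that a commenter on this page reports for Windows 11.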
Get the script
Click on the below GitHub picture to get the Proactive Remediation script.
How does it work?
Get the uptime date
To display the full date just type: Get_DeviceUpTime
Get uptime in days
If you want to display how many days your device has gone without a restart, add the parameter Show_Days: Get_DeviceUpTime -Show_Days
1 comment
Where it might work with Windows 10, it does not work with Windows 11, at least for me.
After a few hours of testing, I found out the event type should be "18" instead of "27" when looking for "0x1" reboots (FastBoot).
So here is the correct request:
$Boot_Event = Get-WinEvent -ProviderName 'Microsoft-Windows-Kernel-Boot'| where {$_.ID -eq 18 -and $_.message -like "*0x1*"}