
Get Reboot History

Collect and report the five most recent system reboot events on Windows endpoints

Worklet Details

What the reboot history reporter does

This Automox Worklet™ queries Windows System event logs to retrieve the five most recent reboot events on each endpoint. For each reboot, the Worklet captures the timestamp, user who initiated the restart, system action, process name, reboot reason, reason code, and any associated comments.

The Worklet uses PowerShell to filter event ID 1074 from the System log, extracting structured data from the Windows event properties. You can customize the number of reboots returned by modifying the $numReboots parameter in the script.

Why collect reboot history data

Reboot history provides critical operational and security visibility. By tracking which endpoints have been restarted and when, you can verify that critical updates and patches have been applied successfully. You can also identify endpoints experiencing unexpected restarts or restart loops, which often indicate underlying hardware or software issues.

From a compliance perspective, many security policies and frameworks require evidence that systems have been rebooted after security patches are deployed. Reboot reports provide audit trails for regulatory reviews. Also, understanding reboot patterns helps you plan scheduled maintenance, avoid disruptions during peak hours, and validate that automated patching is completing successfully across your infrastructure.

How reboot event collection works

  1. Evaluation phase: The Worklet queries the Windows System event log for event ID 1074, which represents shutdown or restart events. PowerShell parses the event data, extracting Date, User, Action, Process, Reason, ReasonCode, and Comment fields. The five most recent entries are retrieved and formatted as output.

  2. Remediation phase: This Worklet is reporting only and does not perform any remediation actions. The output generates a formatted report of recent reboot activity.
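The evaluation query described above can be sketched as follows. This is an added example, not the Worklet's own source: the function name `Get-RebootHistory` is hypothetical, and the property indices assume the standard positional layout of event ID 1074 data; only `$numReboots` and the output field names come from this page.

```powershell
# Added example, not the Automox Worklet source.
# $numReboots is the parameter named on the page; Get-RebootHistory is a hypothetical name.
$numReboots = 5

function Get-RebootHistory {
    param([int]$Count = 5)

    try {
        # Get-WinEvent returns newest events first, so -MaxEvents yields the most recent ones
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } `
                               -MaxEvents $Count -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error instead of returning nothing when no event matches
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return @() }
        throw
    }

    foreach ($e in $events) {
        $p = $e.Properties   # positional event data for ID 1074 (assumed standard layout)
        [pscustomobject]@{
            Date       = $e.TimeCreated
            User       = $p[6].Value
            Action     = $p[4].Value
            Process    = $p[0].Value
            Reason     = $p[2].Value
            ReasonCode = $p[3].Value
            Comment    = $p[5].Value
        }
    }
}

try {
    $history = @(Get-RebootHistory -Count $numReboots)
    if ($history.Count -eq 0) {
        Write-Output 'No event ID 1074 entries found in the System log.'
    } else {
        $history | Format-List | Out-String | Write-Output
    }
    exit 0   # reporting only: nothing is changed on the endpoint
}
catch {
    Write-Output "Could not read the System log: $($_.Exception.Message)"
    exit 1
}
```

Event ID 1074 is written only when a process or user requests a shutdown or restart, so crashes and power loss do not appear in this report.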

Reboot history collection requirements

  • Windows 7 or later

  • PowerShell 3.0 or higher

  • Ability to read System event logs (typically available to local administrators)

  • Optional: Modify $numReboots parameter to return more or fewer reboot events (default is 5)

Expected reboot history report output

After running this Worklet, you receive a structured report displaying the five most recent reboot events. Each record includes the reboot timestamp, the user account that initiated the restart, the action type (shutdown or restart), the process name, the reason code (such as 1 for user-initiated or 2 for system update), and any associated comments from Windows about the restart. You can review this output through the Automox Activity Log or by checking the endpoint directly.

This data helps you validate that endpoints have been restarted following patch deployments, identify unexpected restart patterns that indicate system instability, and maintain a historical audit trail for compliance purposes. The customizable report depth allows you to adjust detail levels based on your operational needs.

How to validate Get Reboot History changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output of Get Reboot History.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as the evaluation and remediation scripts.

  4. Validate remediation effects from script operations such as Get-WinEvent, ForEach-Object, New-Object, then rerun evaluation for compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
