Getting uptimes from eventlog in Windows
Written: 19 August 2012
I recently needed a way to find out how many hours a Windows machine was running per day. After a little digging aroung the eventlog and searching the internet, I found that this could be done pretty easily through some C# code. All I needed to know are the EventIDs.
Here are the relevant EventIDs.
| EventID | Source | Description |
| 12 | Kernel General | Operating System Start |
| 13 | Kernel General | Operating System Shutdown |
| 1 | Power-Troubleshooter | Operating System Woke up from Sleep |
| 42 | Kernel-Power | Operating System going to Hibernate/Sleep |
Armed with this information, I put together some C# code to query the eventlog.
public DataTable getBootAndShutdowns()
{
createDataTable();
string queryString =
"" +
"" +
"" + " ";
EventLogQuery eventsQuery = new EventLogQuery("System", PathType.LogName, queryString);
EventLogReader logReader = new EventLogReader(eventsQuery);
ProcessLog(logReader);
return dt;
}
private void ProcessLog(EventLogReader logReader)
{
for (EventRecord eventInstance = logReader.ReadEvent();
null != eventInstance; eventInstance = logReader.ReadEvent())
{
try
{
if (eventInstance.Id == 1 && eventInstance.ProviderName == "Microsoft-Windows-Power-Troubleshooter")
{
DataRow dr = dt.NewRow();
dr["EventDateTime"] = eventInstance.TimeCreated;
dr["EventType"] = "BOOT";
dr["Comments"] = eventInstance.Id.ToString() + "-" + eventInstance.FormatDescription();
dt.Rows.Add(dr);
}
else if (eventInstance.Id == 12 && eventInstance.ProviderName == "Microsoft-Windows-Kernel-General")
{
DataRow dr = dt.NewRow();
dr["EventDateTime"] = eventInstance.TimeCreated;
dr["EventType"] = "BOOT";
dr["Comments"] = eventInstance.Id.ToString() + "-" + eventInstance.FormatDescription();
dt.Rows.Add(dr);
}
else if (eventInstance.Id == 13 && eventInstance.ProviderName == "Microsoft-Windows-Kernel-General")
{
DataRow dr = dt.NewRow();
dr["EventDateTime"] = eventInstance.TimeCreated;
dr["EventType"] = "SHUTDOWN";
dr["Comments"] = eventInstance.Id.ToString() + "-" + eventInstance.FormatDescription();
dt.Rows.Add(dr);
}
else if (eventInstance.Id == 42 && eventInstance.ProviderName == "Microsoft-Windows-Kernel-Power")
{
DataRow dr = dt.NewRow();
dr["EventDateTime"] = eventInstance.TimeCreated;
dr["EventType"] = "SHUTDOWN";
dr["Comments"] = eventInstance.Id.ToString() + "-" + eventInstance.FormatDescription();
dt.Rows.Add(dr);
}
}
catch (EventLogException)
{
// The event description contains parameters, and no parameters were
// passed to the FormatDescription method, so an exception is thrown.
}
}
}
void createDataTable()
{
dt = new DataTable();
DataColumn dc = new DataColumn("EventDateTime", System.Type.GetType("System.DateTime"));
dt.Columns.Add(dc);
dc = new DataColumn("EventType", System.Type.GetType("System.String"));
dt.Columns.Add(dc);
dc = new DataColumn("Comments", System.Type.GetType("System.String"));
dt.Columns.Add(dc);
}
This gave me the startup and shutdown times. Calculating the number of hours the system was running was then easy.
blog comments powered by Disqus