When I logged into a user's Microsoft Windows 10 system to check on a problem,
I found the system had rebooted late the night before, September 12, 2023, at
a time much later than I would expect the user to be working, so I didn't think
she had rebooted it. I didn't know if the reboot might be related to the
problem she reported to me or could possibly just be Microsoft Windows
rebooting because of an automatically installed update. From a
command prompt window, you can obtain the last time the system was rebooted
using the systeminfo command. To see just the last reboot time and not all of
the other output it provides, you can filter the output by piping the output
of the systeminfo command to the find command. You can check on updates that
have been installed using the Windows Management Instrumentation Command-line
(WMIC) command wmic qfe list ("qfe" stands for "Quick Fix Engineering").
Since that command can also generate a lot of output for updates on dates
you may not be interested in, you can also filter that output with the find
command.
C:\>systeminfo | find "Boot Time"
System Boot Time:          9/12/2023, 7:41:35 PM

C:\>wmic qfe list | find "9/12/2023"
http://support.microsoft.com/?kbid=5029923  THELMA-LOU  Update           KB5029923  NT AUTHORITY\SYSTEM  9/12/2023
https://support.microsoft.com/help/5030211  THELMA-LOU  Security Update  KB5030211  NT AUTHORITY\SYSTEM  9/12/2023
                                            THELMA-LOU  Update           KB5029709  NT AUTHORITY\SYSTEM  9/12/2023

C:\>
Since I saw three updates were installed on 9/12/2023, I thought it
likely the reboot occurred because of the updates, but since the wmic
command didn't show me the time the updates were installed, I thought I
should check the time they were installed to be certain. That can be
done from a PowerShell window, which can be opened by typing PowerShell
in the Windows "Type here to search" field and selecting "Windows PowerShell"
when you see the app listed in the search results. You can use the same
systeminfo command in PowerShell, but to select a particular
string from the output, pipe its output into the select-string command.
PS C:\> systeminfo | Select-String "Boot Time"

System Boot Time:          9/12/2023, 7:41:35 PM

PS C:\>
You can use the get-wmiobject command to obtain the date
and time updates were installed, but again you will get a lot of data
for other dates than the one you are interested in. You cannot use
the Select-String command to filter its output because the
installation dates aren't strings, but are date objects. You can filter the
output of get-wmiobject using the where-object command, instead. Since I want
to see any updates installed on September 12, 2023, I can limit the output by
specifying a date equal to that date with -eq "9/12/2023". The full command is
get-wmiobject -class win32_quickfixengineering | Where-Object {$_.InstalledOn -eq "9/12/2023"}.
PS C:\> get-wmiobject -class win32_quickfixengineering | Where-Object {$_.InstalledOn -eq "9/12/2023"}

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
THELMA-LOU    Update           KB5029923     NT AUTHORITY\SYSTEM  9/12/2023 12:00:00 AM
THELMA-LOU    Security Update  KB5030211     NT AUTHORITY\SYSTEM  9/12/2023 12:00:00 AM
THELMA-LOU    Update           KB5029709     NT AUTHORITY\SYSTEM  9/12/2023 12:00:00 AM

PS C:\>
If I wanted to see any updates installed on or after September
12, 2023, I could limit the output by specifying a date greater than or
equal to that date with -ge "9/12/2023". If I didn't want
to include any updates on 9/12/2023, but only updates after that date,
I could use -gt instead of -ge, i.e.,
get-wmiobject -class win32_quickfixengineering | Where-Object {$_.InstalledOn -gt "9/12/2023"}.
If you wish to filter on other values, you can see values you can filter
on in the column headings of the output. If you wished to look for information
for a particular hotfix ID, for instance, you could replace "InstalledOn" in
the command with "HotFixID" to search based on the variable $_.HotFixID,
instead, e.g.,
get-wmiobject -class win32_quickfixengineering | Where-Object {$_.HotFixID -eq "KB5030211"}.
Since the time the updates were installed was many hours off from the time
the system rebooted, I realized I would have to check the system's event log
to determine why the system rebooted. But I also thought I should look for
other updates that day besides the hotfixes. Another PowerShell get-wmiobject
command you can use to check for updates to software on a Microsoft Windows
system is get-wmiobject -class Win32_ReliabilityRecords, where you use the
class Win32_ReliabilityRecords instead of the class win32_quickfixengineering.
If I only want to look for any updates
to the system for Microsoft software between the times of 7:00 AM and
11:59 PM on September 12, 2023, I can use the command below. The command filters
the output from get-wmiobject to just records where the
"SourceName" equals Microsoft-Windows-WindowsUpdateClient. For the
date and time values, I need to specify the TimeGenerated property
of the records. The date and time format is different from the format I used
for dates for the win32_quickfixengineering class and I need to
specify the time boundaries as YYYYMMDDHHMMSS, where YYYY
is the four-digit year, MM is the two-digit month, DD is the two-digit day,
HH is the two-digit hour, MM is the number of minutes using two digits, and SS
is the number of seconds, if I wish to specify the time to that granularity.
The hour value is in 24-hour clock format, aka "military time". So 7:00 in the
morning is 0700 and 11:59 at night is 2359. To use
an upper and lower value for the time range, you can use the
logical operator "and" between a greater than (gt) value and a less than
(lt) value.
PS C:\> get-wmiobject -class Win32_ReliabilityRecords -Filter "SourceName = 'Microsoft-Windows-WindowsUpdateClient'" | Where-Object {$_.TimeGenerated -gt "202309120700" -and $_.TimeGenerated -lt "202309122359"}

__GENUS          : 2
__CLASS          : Win32_ReliabilityRecords
__SUPERCLASS     : Win32_Reliability
__DYNASTY        : Win32_Reliability
__RELPATH        : Win32_ReliabilityRecords.Logfile="System",RecordNumber=202073,TimeGenerated="20230912203018.810000-000"
__PROPERTY_COUNT : 10
__DERIVATION     : {Win32_Reliability}
__SERVER         : THELMA-LOU
__NAMESPACE      : root\cimv2
__PATH           : \\THELMA-LOU\root\cimv2:Win32_ReliabilityRecords.Logfile="System",RecordNumber=202073,TimeGenerated="20230912203018.810000-000"
ComputerName     : thelma-lou.office.example.com
EventIdentifier  : 19
InsertionStrings : {Windows Malicious Software Removal Tool x64 - v5.117 (KB890830), {91722aa2-d45a-4a79-b59a-2365f590b8c6}, 200, {7971f918-a847-4430-9279-4a52d1efe18d}}
Logfile          : System
Message          : Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - v5.117 (KB890830)
ProductName      : Windows Malicious Software Removal Tool x64 - v5.117 (KB890830)
RecordNumber     : 202073
SourceName       : Microsoft-Windows-WindowsUpdateClient
TimeGenerated    : 20230912203018.810000-000
User             : NT AUTHORITY\SYSTEM
PSComputerName   : THELMA-LOU

PS C:\>
In the above example, I can see there was an update to the Windows Malicious
Software Removal Tool at 2030, i.e., 8:30 PM. If I wish to look for issues with
other software on the system besides software provided by Microsoft, I can omit
the -Filter parameter. E.g., if I wish to look for any issues
with software on the system noted in the Reliability Records between 4:00 AM
and 7:59 PM, I can use the command below, which shows me there was a problem
with QuickBooks on the system at 10:48 AM.
PS C:\> get-wmiobject -class Win32_ReliabilityRecords | Where-Object {$_.TimeGenerated -gt "202309120400" -and $_.TimeGenerated -lt "202309121959"}

__GENUS          : 2
__CLASS          : Win32_ReliabilityRecords
__SUPERCLASS     : Win32_Reliability
__DYNASTY        : Win32_Reliability
__RELPATH        : Win32_ReliabilityRecords.Logfile="Application",RecordNumber=555487,TimeGenerated="20230912104800.268000-000"
__PROPERTY_COUNT : 10
__DERIVATION     : {Win32_Reliability}
__SERVER         : THELMA-LOU
__NAMESPACE      : root\cimv2
__PATH           : \\THELMA-LOU\root\cimv2:Win32_ReliabilityRecords.Logfile="Application",RecordNumber=555487,TimeGenerated="20230912104800.268000-000"
ComputerName     : thelma-lou.office.example.com
EventIdentifier  : 1000
InsertionStrings : {QBCFMonitorService.exe, 4.0.6992.8981, 5c6f3451, KERNELBASE.dll...}
Logfile          : Application
Message          : Faulting application name: QBCFMonitorService.exe, version: 4.0.6992.8981, time stamp: 0x5c6f3451
                   Faulting module name: KERNELBASE.dll, version: 10.0.19041.3324, time stamp: 0xbe39fd8b
                   Exception code: 0xe0434352
                   Fault offset: 0x0013d8c2
                   Faulting process id: 0x4080
                   Faulting application start time: 0x01d9e56511598a3b
                   Faulting application path: C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
                   Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
                   Report Id: 915b08a3-b3c2-4b10-bbc5-e46c17288b07
                   Faulting package full name:
                   Faulting package-relative application ID:
ProductName      : QBCFMonitorService.exe
RecordNumber     : 555487
SourceName       : Application Error
TimeGenerated    : 20230912104800.268000-000
User             :
PSComputerName   : THELMA-LOU

PS C:\>
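The checks described above, merged into one time-ordered view together with the System event log lookup mentioned earlier, as an added example that is not part of the original post. It uses Get-CimInstance and Get-HotFix, which return typed dates, so the day window is compared as [datetime] values rather than YYYYMMDDHHMMSS strings. The function name Get-RebootTimeline and the selection of event IDs are this example's own assumptions.

```powershell
# Added example, not from the original post. Names such as Get-RebootTimeline
# are hypothetical; run it on the machine being examined.
function Get-RebootTimeline {
    param([datetime] $Day = (Get-Date).Date)   # local calendar day to examine

    $start = $Day.Date
    $end   = $start.AddDays(1)
    # System-log event IDs that bracket a restart (this example's selection):
    #   1074 restart/shutdown requested (message names the process and reason)
    #   6006 / 6005 event log service stopped / started
    #   6008 previous shutdown was unexpected; 41 reboot without clean shutdown
    $shutdownIds = 41, 1074, 6005, 6006, 6008

    $rows = @(
        # Get-CimInstance returns WMI datetimes as [datetime] in local time, so
        # no YYYYMMDDHHMMSS strings are needed. In the raw strings the trailing
        # -000 is the UTC offset in minutes, i.e. the value is UTC.
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        [pscustomobject]@{ Time = $os.LastBootUpTime; Source = 'LastBootUpTime'
                           Id = $null; Detail = 'Most recent boot' }

        # InstalledOn carries a date but no time of day, so hotfixes sort to 00:00.
        Get-HotFix |
            Where-Object { $_.InstalledOn -ge $start -and $_.InstalledOn -lt $end } |
            ForEach-Object {
                [pscustomobject]@{ Time = $_.InstalledOn; Source = 'HotFix (date only)'
                                   Id = $_.HotFixID; Detail = $_.Description }
            }

        Get-CimInstance -ClassName Win32_ReliabilityRecords |
            Where-Object { $_.TimeGenerated -ge $start -and $_.TimeGenerated -lt $end } |
            ForEach-Object {
                [pscustomobject]@{ Time = $_.TimeGenerated; Source = $_.SourceName
                                   Id = $_.EventIdentifier; Detail = $_.ProductName }
            }

        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $shutdownIds
                StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Time = $_.TimeCreated; Source = $_.ProviderName
                                   Id = $_.Id; Detail = ($_.Message -split "`r?`n")[0] }
            }
    )
    $rows | Sort-Object Time
}

Get-RebootTimeline -Day '2023-09-12' | Format-Table Time, Source, Id, Detail -AutoSize -Wrap
```

The LastBootUpTime row always shows the most recent boot, which falls outside the window if the system has restarted again since the day being examined.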
References: