Overview
The LastShutdown command retrieves the timestamp of the last system shutdown from the registry. This information helps understand system uptime, reboot schedules, and can be useful for timeline analysis during investigations.Syntax
Remote Execution
Output
Returns:- Last shutdown date and time
- Registry source of information
Use Cases
- Red Team
- Blue Team
- Estimate system uptime
- Plan persistence requiring reboots
- Assess maintenance windows
- Understand patch/reboot schedules
Example Output
Remote Execution
This command supports remote execution using the
-computername parameter.Detection Considerations
Minimal detection surface - reads single registry value.
Related Commands
- OSInfo - Operating system information including boot time
- PoweredOnEvents - Reboot and sleep schedule
- Processes - Running processes with start times