Windows Services maintain detailed event logs that record all state changes including start, stop, and restart operations. The most reliable way to determine the last restart time is by querying the Windows Event Log system.
PowerShell provides direct access to event logs through the Get-WinEvent cmdlet:
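```powershell
# Get the last start time for a specific service
$serviceName = "wuauserv"
# Event 7036 stores the display name (param1) and the new state (param2),
# so resolve the display name first. State strings assume an English system.
$displayName = (Get-Service -Name $serviceName).DisplayName
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    ID           = 7036
    Data         = $displayName
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[1].Value -eq 'running' } |
    Select-Object -First 1   # events arrive newest first, so this is the latest start
if ($events) {
    $lastRestart = $events.TimeCreated
    Write-Host "Last restart time for $serviceName : $lastRestart"
}
```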
For .NET applications, you can use the EventLogReader class:
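```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.ServiceProcess;

string serviceName = "WinRM";
// Event 7036 records the display name in param1 and the new state in param2
string displayName = new ServiceController(serviceName).DisplayName;
string queryString = $@"*[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]
    and EventData[Data[@Name='param1']='{displayName}' and Data[@Name='param2']='running']]";
var query = new EventLogQuery("System", PathType.LogName, queryString)
{
    ReverseDirection = true // read newest events first
};
using var reader = new EventLogReader(query);
using var lastEvent = reader.ReadEvent();
if (lastEvent != null)
{
    Console.WriteLine($"Service {serviceName} last restarted at: {lastEvent.TimeCreated}");
}
```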
While less precise, WMI can provide service state change information:
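```powershell
# Fire only on a transition into Running, not on every modification while running
$query = "SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE " +
    "TargetInstance ISA 'Win32_Service' AND " +
    "TargetInstance.Name='BITS' AND " +
    "TargetInstance.State='Running' AND " +
    "PreviousInstance.State<>'Running'"
# Register-WmiEvent is available in Windows PowerShell only
Register-WmiEvent -Query $query -Action {
    Write-Host "Service state changed at: $(Get-Date)"
}
```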
When working with service events, consider:
- Filtering for specific event IDs (7035 for service start, 7036 for state change)
- Handling event log truncation or rotation
- Accounting for system reboots where services restart automatically
For production systems, avoid querying the entire event log repeatedly. Instead:
- Cache results when possible
- Use event subscriptions for real-time monitoring
- Consider querying specific time ranges
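The considerations above (log rotation, reboots, and querying a bounded time range) can be combined in one function. This is an added example, not code from the original page; the function name `Get-ServiceStartHistory`, the `Kind` labels, and the use of event 6005 as a boot marker are assumptions of this sketch, and the state strings assume an English-language system.

```powershell
# Added example: list starts of one service in a time window and classify each one.
function Get-ServiceStartHistory {
    param(
        [Parameter(Mandatory)][string]$Name,   # short service name, e.g. wuauserv
        [int]$Days = 7                         # size of the time range to query
    )
    # Event 7036 carries the display name (param1) and the new state (param2)
    $displayName = (Get-Service -Name $Name -ErrorAction Stop).DisplayName
    $since = (Get-Date).AddDays(-$Days)

    # Rotation check: if the oldest surviving record is newer than the window start,
    # earlier state changes were overwritten and the history is incomplete.
    $oldest = Get-WinEvent -LogName System -Oldest -MaxEvents 1
    if ($oldest.TimeCreated -gt $since) {
        Write-Warning "System log starts at $($oldest.TimeCreated); older events are gone."
    }

    # Event 6005 (Event Log service started) is used here as the marker for each boot.
    $boots = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'EventLog'; ID = 6005; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object TimeCreated)

    $changes = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        ID = 7036; Data = $displayName; StartTime = $since
    } -Oldest -ErrorAction SilentlyContinue

    $lastStop = $null
    $prev = $since
    foreach ($e in $changes) {               # oldest first, so stops precede their starts
        $state = $e.Properties[1].Value
        if ($state -eq 'stopped') { $lastStop = $e.TimeCreated }
        elseif ($state -eq 'running') {
            # A boot between the previous state change and this start explains the start
            $afterBoot = @($boots | Where-Object { $_ -gt $prev -and $_ -le $e.TimeCreated }).Count -gt 0
            $kind = if ($afterBoot) { 'StartAfterBoot' } elseif ($lastStop) { 'Restart' } else { 'Start' }
            [pscustomobject]@{
                Service = $Name; StartedAt = $e.TimeCreated; StoppedAt = $lastStop; Kind = $kind
            }
            $lastStop = $null
        }
        $prev = $e.TimeCreated
    }
}

Get-ServiceStartHistory -Name wuauserv -Days 7 | Format-Table -AutoSize
```

A `Restart` row pairs a stop with the following start inside one boot session, which is the case worth reviewing when the service is a security agent or logging component.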
When managing Windows services, it's often necessary to track when a service was last restarted. This information can be crucial for troubleshooting, auditing, or monitoring purposes. While Windows doesn't provide a direct property for this in the Service Control Manager, there are several ways to retrieve this information programmatically.
PowerShell provides a straightforward way to check service status and events:
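```powershell
# Get the last time a specific service was started
$serviceName = "wuauserv"
# The event message uses the display name, not the short service name
$displayName = [regex]::Escape((Get-Service -Name $serviceName).DisplayName)
# $event is an automatic variable in PowerShell, so use a different name
$startEvent = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    ID           = 7036
} -MaxEvents 100 | Where-Object {
    $_.Message -match "The $displayName service entered the running state"
} | Select-Object -First 1
if ($startEvent) {
    Write-Host "Service $serviceName was last started at: $($startEvent.TimeCreated)"
} else {
    Write-Host "No start events found for service $serviceName"
}
```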
For more robust applications, you might want to use C#:
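```csharp
using System;
using System.Diagnostics;
using System.ServiceProcess;

class Program {
    static void Main() {
        string serviceName = "wuauserv";
        // The event message uses the display name, not the short service name
        string displayName = new ServiceController(serviceName).DisplayName;
        using (EventLog log = new EventLog("System")) {
            var entries = log.Entries;
            // Entries are ordered oldest first, so walk backwards to find the latest start
            for (int i = entries.Count - 1; i >= 0; i--) {
                EventLogEntry entry = entries[i];
                // InstanceId includes severity bits; the low 16 bits hold the event ID
                if ((entry.InstanceId & 0xFFFF) == 7036 &&
                    entry.Source == "Service Control Manager" &&
                    entry.Message.Contains($"The {displayName} service entered the running state")) {
                    Console.WriteLine($"Service {serviceName} was last started at: {entry.TimeGenerated}");
                    break;
                }
            }
        }
    }
}
```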
You can also use WMI to get service information, though it doesn't directly provide restart time:
```powershell
Get-WmiObject Win32_Service | Where-Object { $_.Name -eq 'wuauserv' } |
    Select-Object Name, State, StartMode, StartName
```
- Event log entries might be overwritten if your logs rotate frequently
- Some services might restart themselves without generating event log entries
- For critical services, consider implementing custom logging
For production environments, you might want to create a more robust solution:
```powershell
# Monitor service restarts in real-time
$query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
    'System',
    [System.Diagnostics.Eventing.Reader.PathType]::LogName,
    # Provider and EventID are both children of the System element
    "*[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]]"
)
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)
Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -Action {
    $record = $EventArgs.EventRecord
    # Properties[0] is the service display name, Properties[1] the new state
    if ($record.Properties[1].Value -eq 'running') {
        $serviceName = $record.Properties[0].Value
        Write-Host "Service $serviceName restarted at $($record.TimeCreated)"
    }
}
$watcher.Enabled = $true
```