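# Incident-window event review. Prints Application and OpenSSH events recorded
# between $start and $end, then the most recent System-log records that mention
# the GuruRMMAgent service.
#
# The window bounds carry no time-zone information; they are compared with
# TimeCreated, which Get-WinEvent reports in the local time of the host.
$start = [datetime]'2026-05-14 18:00:00'
$end   = [datetime]'2026-05-15 02:00:00'

# Returns the first line of an event message with every whitespace run
# collapsed to a single space, so each record prints on exactly one line.
# The split pattern must be double-quoted: in single quotes `n is a literal
# backtick followed by "n", never matches, and the whole multi-line message
# would be printed.
function Get-FirstMessageLine {
    param($Message)
    ($Message -split "`n")[0] -replace '\s+', ' '
}

# Application log — GuruRMM or sshd errors
# The window is part of the query itself instead of a filter over the newest
# N records: on a busy host the newest N can all be later than the window, and
# the review would then report zero events for a period that has some.
$appQuery = @{ LogName = 'Application'; StartTime = $start; EndTime = $end }
$appErr = $null
$evts = @(
    Get-WinEvent -FilterHashtable $appQuery -ErrorAction SilentlyContinue -ErrorVariable appErr |
        # Keeps the original strict bounds (-FilterHashtable bounds are inclusive).
        Where-Object { $_.TimeCreated -gt $start -and $_.TimeCreated -lt $end }
)
Write-Host "Application events in window: $($evts.Count)"
if ($appErr) {
    # A zero count is only meaningful if the query worked: surface "no events
    # found" and "access denied" instead of hiding both behind the same 0.
    Write-Host "Application log: $($appErr[0].Exception.Message)"
}
foreach ($e in ($evts | Sort-Object TimeCreated)) {
    $msg1 = Get-FirstMessageLine $e.Message
    Write-Host "$($e.TimeCreated.ToString('HH:mm:ss')) [$($e.LevelDisplayName)] $($e.ProviderName) ID=$($e.Id) $msg1"
}

# Also: check sshd event log
Write-Host ""
Write-Host "=== OpenSSH/sshd events ==="
try {
    # -ErrorAction Stop routes a missing log, a permission problem and an
    # empty result set to the catch block, which prints the reason.
    $sshQuery = @{ LogName = 'OpenSSH/Operational'; StartTime = $start; EndTime = $end }
    Get-WinEvent -FilterHashtable $sshQuery -ErrorAction Stop |
        Where-Object { $_.TimeCreated -gt $start -and $_.TimeCreated -lt $end } |
        Sort-Object TimeCreated |
        ForEach-Object {
            $sshLine = Get-FirstMessageLine $_.Message
            Write-Host "$($_.TimeCreated.ToString('HH:mm:ss')) ID=$($_.Id) $sshLine"
        }
} catch {
    Write-Host "OpenSSH log: $($_.Exception.Message)"
}

# Check when GuruRMMAgent service last started/stopped (any time)
# NOTE(review): "any time" is bounded by -MaxEvents: only the newest 10000
# System records are searched, so older service history is not covered.
# Errors reading the log are suppressed here, so an empty section does not
# prove that the service never changed state.
Write-Host ""
Write-Host "=== GuruRMMAgent service history ==="
Get-WinEvent -LogName System -MaxEvents 10000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*GuruRMMAgent*' } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 |
    ForEach-Object {
        $svcLine = Get-FirstMessageLine $_.Message
        Write-Host "$($_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')) ID=$($_.Id) $svcLine"
    }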