I'd like to know what is the Windows API function (if any exists) that provides information about the last Windows reboot source. There are three main possible causes:
The more details I can get the better. However, I need to know at least which reason it is from the main ones.
I need to support Windows Vista and Windows 7.
Answer:
It seems that there is no direct API to get that information. Instead, we have to harvest the Windows Event Log. System reboot information is located in Event Viewer/Windows Logs/System. Here is the various information provided by the event ids:
I do not yet get the difference between power lost and system crash, but it's a good start.
To check the Event Viewer logs and determine why the device was shut down or restarted on Windows 10, use these steps: Open Start. Search for Event Viewer and click the top result to open the app. Browse the following path: Event Viewer > Windows Logs > System.
In the text field, type cmd to search for Command Prompt. Then press Ctrl+Shift+Enter to open Command Prompt with admin privileges. Also, click the Yes button if a UAC prompt appears on the screen. You will see the possible causes and times for the shutdown that occurred on your computer.
This article explains in detail how to find the reason for last startup/shutdown. In my case, this was due to Windows SCCM pushing updates even though I had it disabled locally. Visit the article for full details with pictures. For reference, here are the steps copy/pasted from the website:
1. Press the Windows + R keys to open the Run dialog, type eventvwr.msc, and press Enter.
2. If prompted by UAC, then click/tap on Yes (Windows 7/8) or Continue (Vista).
3. In the left pane of Event Viewer, double click/tap on Windows Logs to expand it, click on System to select it, then right click on System, and click/tap on Filter Current Log.
4. Do either step 5 or 6 below for what shutdown events you would like to see.
5. To see the dates and times of all user shut downs of the computer
   A) In Event sources, click/tap on the drop down arrow and check the USER32 box.
   B) In the All Event IDs field, type 1074, then click/tap on OK.
   C) This will give you a list of power off (shutdown) and restart shutdown type of events at the top of the middle pane in Event Viewer.
   D) You can scroll through these listed events to find the events with power off as the shutdown type. You will notice the date and time, and what user was responsible for shutting down the computer per power off event listed.
   E) Go to step 7.
6. To see the dates and times of all unexpected shut downs of the computer
   A. In the All Event IDs field type 6008, then click/tap on OK.
   B. This will give you a list of unexpected shutdown events at the top of the middle pane in Event Viewer. You can scroll through these listed events to see the date and time of each one.
7. When finished, you can close Event Viewer.
Other useful event IDs (source)
ID | Description |
---|---|
41 | The system has rebooted without cleanly shutting down first. |
1074 | The system has been shutdown properly by a user or process. |
1076 | Follows after Event ID 6008 and means that the first user with shutdown privileges logged on to the server after an unexpected restart or shutdown and specified the cause. |
6005 | The Event Log service was started. Indicates the system startup. |
6006 | The Event Log service was stopped. Indicates the proper system shutdown. |
6008 | The previous system shutdown was unexpected. |
6009 | The operating system version detected at the system startup. |
6013 | The system uptime in seconds. |
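
The event-log approach from the answers above, scripted in PowerShell as an added example (not code from the original posts). The function name Get-RebootCause is hypothetical, the provider names used for filtering are assumptions not stated on the page, and the sample events are constructed.

```powershell
# Added example. Event IDs and their meanings are from the table above; the
# provider names for 41 and 6005/6006/6008 are assumptions, not from the page.
$providers = 'EventLog', 'User32', 'Microsoft-Windows-Kernel-Power'

function Get-RebootCause {
    param([object[]]$Events)   # objects with Id, TimeCreated, ProviderName, Message

    # Newest first, so the first non-startup event found describes how the
    # previous session ended.
    $ordered = @($Events | Where-Object { $providers -contains $_.ProviderName } |
                 Sort-Object TimeCreated -Descending)
    for ($i = 0; $i -lt $ordered.Count; $i++) {
        $e = $ordered[$i]
        if ($e.Id -eq 41 -or $e.Id -eq 6008) {
            # Logged at boot when the previous shutdown was not clean.
            return New-Object PSObject -Property @{
                Cause = 'Unexpected'; EventId = $e.Id; Time = $e.TimeCreated; Detail = $e.Message }
        }
        if ($e.Id -ne 6006) { continue }   # skip 6005 and any current-session 1074

        # Clean shutdown: a 1074 from the same session names the user or process.
        $detail = 'No 1074 event recorded for this shutdown'
        foreach ($older in ($ordered | Select-Object -Skip ($i + 1))) {
            if ($older.Id -eq 6005) { break }   # reached the start of that session
            if ($older.Id -eq 1074) { $detail = $older.Message; break }
        }
        return New-Object PSObject -Property @{
            Cause = 'Planned'; EventId = $e.Id; Time = $e.TimeCreated; Detail = $detail }
    }
    return $null   # no shutdown evidence in the supplied events
}

# Constructed sample (not real log data): a restart requested, then a clean stop.
$t = [datetime]'2024-01-10T09:00:00'
$sample = @(
    @{ Id = 1074; ProviderName = 'User32';   TimeCreated = $t;                Message = 'constructed: restart requested' },
    @{ Id = 6006; ProviderName = 'EventLog'; TimeCreated = $t.AddSeconds(20); Message = 'constructed: Event Log stopped' },
    @{ Id = 6005; ProviderName = 'EventLog'; TimeCreated = $t.AddSeconds(90); Message = 'constructed: Event Log started' }
) | ForEach-Object { New-Object PSObject -Property $_ }
Get-RebootCause $sample

# Live query against the local System log.
$ids = 41, 1074, 6005, 6006, 6008
Get-RebootCause (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids } -MaxEvents 500)
```

The script uses New-Object rather than [pscustomobject] so that it also runs on the PowerShell 2.0 shipped for Windows Vista and Windows 7.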