How do I know if Windows has just recovered from a BSOD?

Question

From http://support.microsoft.com/kb/317277: If Windows XP restarts because of a serious error, the Windows Error Reporting tool prompts you...

How can my app know that "Windows XP has restarted because of a serious error"?

Answer 1

Note: this is a good question for a code-challenge

Here are some executable codes, but feel free to add other solutions, in other languages:

---

The uptime might be a good indication:

net stats workstation | find /i "since"

Now link that information with a way to read the windows event logs, like, say in PowerShell:

Get-EventLog -list | Where-Object {$_.logdisplayname -eq "System"}

And look for the last "Save Dump" messages

As Michael Petrotta said, WMI is a good way to retrieve that information.

Based on the update time, you can make a query like:

Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where LogFile = 'System' AND
    TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")

to easily spot an event log with a "Save Dump" message in it, confirming the crash.

More in the Win32_NTLogEvent Class WMI class.

---

Actually, this Microsoft article Querying the Event Log for Stop Events does give it to you (the complete request):

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
     & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
     ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'System'" _
     & " AND SourceName = 'Save Dump'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Event date: " & objEvent.TimeGenerated
    Wscript.Echo "Description: " & objEvent.Message
Next