
I have the following problem: I need to know, when the PC starts, whether the computer has started up after being turned off (cold start) or whether it has simply been restarted (hot start). Through a startup script set in gpedit, I should get the answer, something like:

If PC restarted then

    msg: The PC has been warm reboot

elseif PC shutdown then

    msg: The PC has been cold reboot

end if

(note: in fact an email is sent, but this detail is not important).

Now I ask the community: how can I recover this information from the system? My starting point is the "Event Viewer" tool, but I'm not very satisfied with this solution. I think ACPI events are stored in the BCD store and I wonder whether it is possible to recover them in any way. Perhaps through WMIC? Or is there a system log file from which the information can be retrieved directly?

Does anyone have any ideas on how to proceed?

Note: for now I'm only interested in the Windows environment, but I think it is also interesting for Unix and Unix-like systems (such as Linux).

  • To Windows, there isn't a difference between a reboot and a shutdown once you log back into your account. Windows knows a reboot happened and knows a shutdown happened, but there is no difference when it comes to the logon event.
    – Ramhound
    Commented Oct 21, 2018 at 15:14
  • Could compare the time since last shutdown
    – Xen2050
    Commented Oct 21, 2018 at 15:43
  • Hello Ramhound. This is a question for the more experienced, and it will probably remain unanswered. In any case, what you say is not correct: if you restart the machine (and note the time) and after the restart open "Event Viewer" and filter "Windows Logs" -> "System", level "Information", source "USER32", ID 1074 tells you how the machine was restarted (check the time!).
    – Luciano
    Commented Oct 21, 2018 at 16:03
  • I'll tell you more: if the computer turns off due to a power failure, at the next restart the EMS menu appears where you can choose whether to start the machine in "Safe mode", "Normally", etc., and this implies that this information is stored somewhere in the BCD; it's obvious. Finally, for completeness, I add that on server systems (and only on server systems), in addition to choosing the shutdown mode, you can add a description to the event, which is then stored somewhere in the system (I suppose in a log file), but where exactly?
    – Luciano
    Commented Oct 21, 2018 at 16:04
  • Probably this information can also be found in the registry, in the "System" hive, but again, where?
    – Luciano
    Commented Oct 21, 2018 at 16:05

1 Answer


You can use PowerShell to get the details:

Get-WinEvent -FilterHashTable @{LogName="System"; ProviderName="User32"; Id=1074} -MaxEvents 1

The above command gets you the latest System shutdown/restart event. By default events are returned newest first, so limiting to 1 gives the latest one. By the way, thanks to @Luciano's comment, which helped a lot. Below is the complete script for your case.

# Event 1074 (source User32) is the "process X has initiated the restart/shutdown" record.
# Filtering on Id=1074 keeps other User32 events (such as failed or cancelled attempts) out of the result.
$lastEvent = Get-WinEvent -FilterHashTable @{LogName="System"; ProviderName="User32"; Id=1074} -MaxEvents 1
# The message ends with "Shutdown Type: restart" or "Shutdown Type: power off";
# this match relies on the English message text.
$restarted = $lastEvent.Message -like "*restart*"
if($restarted)
{
    Write-Host "The PC has been warm reboot" -ForegroundColor Red
}
else
{
    Write-Host "The PC has been cold reboot" -ForegroundColor Green
}

You can refer here for how to run a PowerShell script at startup.

  • Hello Ram, the output does not appear in the prompt window on my system, but in PowerShell ISE it works great. Thank you very much. Really good.
    – Luciano
    Commented Oct 22, 2018 at 10:09
  • I think you're looking for a "press any key to continue..." behavior; you can check this link: stackoverflow.com/questions/20886243/press-any-key-to-continue. Also, I don't know much about provider names for these events; I came up with User32 based on one of your comments. I learnt a lot from you as well, thank you :)
    Commented Oct 22, 2018 at 11:07
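The accepted script answers "restart or power off?" from the newest User32 event, which leaves two cases it cannot tell apart: after a power cut or hard reset no 1074 event is written at all, so the newest one still describes an earlier, orderly shutdown; and on Windows 8 and later a "shut down" with fast startup enabled does not produce a full boot, it resumes the kernel session from hibernation. The script below is an added example, not code from the original answer. It cross-checks three System-log records: User32 1074 (orderly shutdown or restart requested), EventLog 6008 / Kernel-Power 41 (the previous session did not end cleanly) and Microsoft-Windows-Kernel-Boot 27 (how the kernel came up this time). Assumptions stated here and in the comments: that Properties[4] of a 1074 event is its "Shutdown Type" field and Properties[6] the requesting user (check the event's XML view if your build differs), and that event 27 reports 0x0 for a full boot, 0x1 for fast startup and 0x2 for resume from hibernation.

```powershell
# Added example, not code from the original answer. Classifies the most recent
# boot from the System log instead of trusting the newest User32 event alone.
# Assumed here (verify on your build): Properties[4] of User32 1074 is the
# "Shutdown Type" field, Properties[6] the requesting user, and Kernel-Boot 27
# reports 0x0 = full boot, 0x1 = fast startup, 0x2 = resume from hibernation.

function Get-LastBootKind {
    [CmdletBinding()]
    param()

    # Newest orderly shutdown/restart request. Id=1074 keeps other User32
    # events (1073 failed attempt, 1075 cancelled request) out of the result.
    $request = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'User32'; Id = 1074 }

    # Newest marker that the previous session did NOT end cleanly:
    #   6008 (EventLog):     "The previous system shutdown at ... was unexpected."
    #   41   (Kernel-Power): the system rebooted without cleanly shutting down first.
    $unexpected = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 6008, 41 }

    # How the kernel came up this time (Windows 8 and later): Kernel-Boot 27,
    # "The boot type was 0x0". A "shutdown" with fast startup enabled gives 0x1,
    # which is a kernel hibernation resume, not a genuine cold start.
    $bootType = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 27 }

    $result = [ordered]@{
        PreviousSessionEnd = 'unknown'   # orderly | unexpected | unknown
        ShutdownType       = $null       # restart | power off (from the 1074 event)
        RequestedBy        = $null
        RequestedAt        = $null
        KernelBootType     = 'unknown'   # full | fast-startup | hibernation-resume | unknown
    }

    # A 1074 is written just before an orderly shutdown, a 6008/41 just after an
    # unclean one, so whichever is newer describes how the last session ended.
    if ($unexpected -and (-not $request -or $unexpected.TimeCreated -gt $request.TimeCreated)) {
        $result.PreviousSessionEnd = 'unexpected'   # power cut, hard reset or bugcheck
    }
    elseif ($request) {
        $result.PreviousSessionEnd = 'orderly'
        # Reading the field instead of matching "*restart*" in the message keeps
        # this working on localized Windows, where the message text is translated.
        $type = [string]$request.Properties[4].Value
        if (-not $type -and $request.Message -match '(?i)shutdown type:\s*([^\r\n]+)') {
            $type = $Matches[1]   # English-only fallback
        }
        $result.ShutdownType = $type.Trim().ToLowerInvariant()
        $result.RequestedBy  = [string]$request.Properties[6].Value
        $result.RequestedAt  = $request.TimeCreated
    }

    if ($bootType -and $bootType.Message -match '0x([0-9A-Fa-f]+)') {
        $result.KernelBootType = switch ([Convert]::ToInt32($Matches[1], 16)) {
            0       { 'full' }
            1       { 'fast-startup' }
            2       { 'hibernation-resume' }
            default { 'unknown' }
        }
    }

    [pscustomobject]$result
}

# Map the classification to the two messages asked for in the question, with
# the cases the single -like "*restart*" test cannot tell apart called out.
$boot = Get-LastBootKind
if ($boot.PreviousSessionEnd -eq 'orderly' -and $boot.ShutdownType -eq 'restart') {
    $msg = "The PC has been warm rebooted (requested by $($boot.RequestedBy) at $($boot.RequestedAt))"
}
elseif ($boot.PreviousSessionEnd -eq 'unexpected') {
    $msg = 'The PC has been cold started after an unexpected shutdown (power loss, hard reset or crash)'
}
elseif ($boot.KernelBootType -eq 'fast-startup') {
    $msg = 'The PC was powered off, but Windows used fast startup (hybrid boot), not a full cold start'
}
else {
    $msg = 'The PC has been cold rebooted (orderly power off, full boot)'
}
# Write-Output rather than Write-Host, so a startup script can pipe the text into Send-MailMessage.
Write-Output $msg
$boot | Format-List
```

Run it from the same GPO startup script; the System log is readable by the local SYSTEM account the script runs as, and the `-ErrorAction SilentlyContinue` on each query turns "No events were found" (a freshly installed machine, or a log that was cleared) into an `unknown` verdict instead of a terminating error. If you want the "cold reboot" message to mean a genuine full boot, disable fast startup (powercfg /h off, or the "Turn on fast startup" checkbox in Power Options); otherwise the third branch above is the one a plain shutdown will hit.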
