An user on FreeNode recently asked a question regarding how he can run a backup script only if the system is shutting down. At the face of it, it sounds simple, use a shutdown script like people have for years, but the keyword here is only. He needed to be able to run a script if the system was sent a shutdown event, but not run the script if the system was rebooted. This throws a wrench into using a shutdown script because a shutdown script runs regardless of whether the system is rebooted or shutdown. When an application or user initiates a shutdown Windows will write an event to the Event Viewer System log. The event originates from the USER32 event source with an Event ID of 1074. A typical 1074 event looks like this:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="USER32" />
<EventID Qualifiers="32768">1074</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-12-05T01:34:03.000000000Z" />
<EventRecordID>6649</EventRecordID>
<Channel>System</Channel>
<Computer>computer.domain.local</Computer>
<Security UserID="S-1-5-21-2671312382-3219971570-2213343823-1105" />
</System>
- <EventData>
<Data>C:\Windows\system32\shutdown.exe (COMPUTERNAME)</Data>
<Data>COMPUTERNAME</Data>
<Data>No title for this reason could be found</Data>
<Data>0x800000ff</Data>
<Data>restart</Data>
<Data />
<Data>DOMAIN\username</Data>
<Binary>FF000080000000000000000000000000000000000000000000000000000000000000000000000000</Binary>
</EventData>
</Event>
This is the XML view of the event data generated by a reboot request. The part we are interested in is under the EventData node, where it says restart. If it was a shutdown event that was initiated it would say shutdown rather than restart. This is perfect as we now have a way to determine whether or not the system was sent a shutdown or restart request. So how can we get this data programatically via our shutdown script? Simple, we can use the wevtutil utility that ships with Windows Vista and up. The help context for the utility is quite lengthy so I won't post it all here, but you can open a Command Prompt and run wevtutil /? to see all the options. The wevtutil can make use of XPath queries for querying the XML output of an event. We can use an XPath query to query only for the data we need to check whether or not the system was sent a shutdown or restart. The following command will grab all the 1074 events from the USER32 source in the System event log:
C:\>wevtutil qe system /f:text /q:"*[System/EventID=1074]"
Event[0]:
Log Name: System
Source: USER32
Date: 2012-10-05T01:10:59.000
Event ID: 1074
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: computername
Description:
The process C:\Windows\system32\winlogon.exe (COMPUTERNAME) has initiated the restart of computer COMPUTERNAME on be
half of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Upgrade (Planned)
Reason Code: 0x80020003
Shutdown Type: restart
Comment:
Event[1]:
Log Name: System
Source: USER32
Date: 2012-10-04T18:55:14.000
Event ID: 1074
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: computername
Description:
The process C:\Windows\System32\shutdown.exe (COMPUTERNAME) has initiated the restart of computer COMPUTERNAME on behalf of u
ser NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x800000ff
Shutdown Type: restart
Comment:
...
We use the /f switch here to specify that the output should be in plain text as it defaults to XML. So now we can query for the events we need, but we need a way to sort them and to only grab the last event. We can use the /c and /rd switches to do this. The /c switch takes an unsigned integer as a parameter that tells wevtutil how many events to return. The /rd switch takes a boolean and tells wevtutil do sort them in reverse direction. Now our command looks like this:
C:\>wevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074]"
Event[0]:
Log Name: System
Source: USER32
Date: 2012-12-04T19:34:03.000
Event ID: 1074
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: S-1-5-21-2671312382-3219971570-2213343823-1105
User Name: DOMAIN\username
Computer: computer.domain.local
Description:
The process C:\Windows\system32\shutdown.exe (WIN7) has initiated the restart of computer WIN7 on behalf of user DOMAIN\username for the following reason: No title for this reason could be found
Reason Code: 0x800000ff
Shutdown Type: restart
Comment:
Now all we have to do is parse out the Shutdown Type which is made simple with the for command:
C:\>for /f "tokens=3 delims= " %i in ('wevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074]" ^| findstr /c:"Shutdown Type"') do @echo %i
restart
C:\>
Now that we have parsed out the shutdown type we can set it to a variable and then run conditional code based on the value of the variable.
@echo off
for /f "tokens=3 delims= " %%i in ('wevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074]" ^| findstr /c:"Shutdown Type"') do (
set shutdownType=%%i
)
if ["%shutdownType%"]==["shutdown"] (
:: your shutdown code here
) else (
:: if not a shutdown, do something else
)
Just to be safe we can make sure the event we are grabbing is the event that was just initiated by using the XPath timediff() function. This will make sure the event was initiated within the last 60 seconds, specified in milliseconds:
@echo off
for /f "tokens=3 delims= " %%i in ('wevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074] and TimeCreated[timediff(@SystemTime) >= 60000]" ^| findstr /c:"Shutdown Type"') do (
set shutdownType=%%i
)
if ["%shutdownType%"]==["shutdown"] (
:: your shutdown code here
) else (
:: if not a shutdown, do something else
)
for /f "tokens=3 delims= " %%i in ('wevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074] and TimeCreated[timediff(@SystemTime) >= 60000]" ^| findstr /c:"Shutdown Type"') do (
set shutdownType=%%i
)
if ["%shutdownType%"]==["shutdown"] (
:: your shutdown code here
) else (
:: if not a shutdown, do something else
)
And that's it. You can learn more about using XPath for querying the Windows Event Viewer at the links below:
http://msdn.microsoft.com/en-us/library/windows/desktop/dd996910(v=vs.85).aspx#limitations
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/dd996910(v=vs.85).aspx#limitations
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
Looks like timediff is not working for me. I tried increasing the time difference to more than 2 hours but it is still not working. Example of what I am trying is as follows
ReplyDeletewevtutil qe system /c:1 /rd:true /f:text /q:"*[System/EventID=1074] and TimeCreated[timediff(@SystemTime) >=60000000000000]"