How to reliably identify if there was a system crash/abrupt shutdown in the previous boot

  • Question

  • I have developed a user mode utility which reads the Event Viewer System log and looks for event ID 1001 received just after event ID 6005. Event ID 1001 indicates a system crash (bugcheck), and event ID 6005 is logged at boot time noting that the Event Log service was started.

    I perform critical operations based on this identification of whether the system crashed in the previous boot or not.

    But one corner case is: what if by any means the system logs are deleted, and, even more problematic, what if only event 1001 is deleted? If anything of this sort happens, then my solution goes for a toss.

    I want to know if there is any reliable way to identify whether the system crashed in the previous boot or not. I do have a presence in the kernel as well: I have a disk filter driver.

    Could somebody please help me with this? 

    Tuesday, February 26, 2019 9:31 AM
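    The check the poster describes, written out as an added example (this is not the poster's utility and not code from the thread). It queries the System log for the current boot, applies the poster's rule (a BugCheck 1001 logged after the 6005 of this boot), and reports "inconclusive" rather than "clean" when the 6005 itself is missing, which is the cleared-log corner case raised above. Event 6008 from the EventLog source ("the previous system shutdown was unexpected") is not mentioned in the thread; it is added here as a secondary indicator because it also covers power loss and hard resets, which never produce a 1001. The provider names for the BugCheck event are assumed to be either `BugCheck` or `Microsoft-Windows-WER-SystemErrorReporting`.

```powershell
# Added example: user-mode check for "did the previous boot end in a crash?"
# Not from the original thread. Run in an elevated PowerShell (reading the
# System log does not require it, but reading all providers reliably does).

# Provider names under which the 1001 bugcheck event is recorded (assumption).
$BugCheckProviders = @('BugCheck', 'Microsoft-Windows-WER-SystemErrorReporting')

function Get-PreviousBootCrashEvidence {
    [CmdletBinding()]
    param(
        # Start of the current boot; the 6005/1001 sequence we care about is logged during it.
        [datetime]$BootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    )

    # System-log events of interest from the current boot, oldest first.
    # The small negative offset tolerates records stamped just before LastBootUpTime.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'System'
            Id        = 1001, 6005, 6008
            StartTime = $BootTime.AddMinutes(-5)
        } -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

    $serviceStart = $events | Where-Object { $_.Id -eq 6005 } | Select-Object -First 1
    if (-not $serviceStart) {
        # Corner case from the question: no 6005 means the log was cleared or
        # rotated, so an absent 1001 proves nothing. Report inconclusive, not clean.
        return [pscustomobject]@{
            Crashed = $null
            Reason  = 'No event 6005 for the current boot; System log missing or cleared'
            Detail  = $null
        }
    }

    # The poster's rule: a BugCheck 1001 logged after the 6005 of this boot.
    $bugCheck = $events | Where-Object {
        $_.Id -eq 1001 -and
        $_.ProviderName -in $BugCheckProviders -and
        $_.TimeCreated -ge $serviceStart.TimeCreated
    } | Select-Object -First 1
    if ($bugCheck) {
        return [pscustomobject]@{
            Crashed = $true
            Reason  = 'BugCheck event 1001 logged after 6005'
            Detail  = $bugCheck.Message
        }
    }

    # Secondary signal (added, not in the thread): EventLog 6008 records that the
    # previous shutdown was unexpected, e.g. power loss, which produces no 1001.
    $unexpected = $events | Where-Object {
        $_.Id -eq 6008 -and $_.TimeCreated -ge $serviceStart.TimeCreated
    } | Select-Object -First 1
    if ($unexpected) {
        return [pscustomobject]@{
            Crashed = $true
            Reason  = 'Event 6008: previous system shutdown was unexpected'
            Detail  = $unexpected.Message
        }
    }

    return [pscustomobject]@{ Crashed = $false; Reason = 'No crash indicators after 6005'; Detail = $null }
}

Get-PreviousBootCrashEvidence | Format-List
```

    The three-valued result (`$true`, `$false`, `$null`) is the point: a caller that treats "no 1001 found" as "no crash" is exactly what breaks when the log has been cleared, so the inconclusive case is surfaced separately and the caller decides what to do with it.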

Answers

  • Ultimately, there is no way to be sure; however, if the system were to crash between early and late shutdown notification (extremely unlikely, because very little code runs between those times), it generally won't matter because any kind of normal processing will have stopped before early notification and the caches were flushed to disk. Thus, you wouldn't be able to tell the difference between a crash and a normal shutdown. To quote Steven Wright: "Someone broke into my apartment and replaced everything I own with exact duplicates".

    If this isn't sufficient, then what is the larger problem that you're trying to solve?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog



    Thursday, February 28, 2019 6:58 PM
    Moderator

All replies

  • HKLM\System\CCS\Control\Session Manager\Memory Management\PrefetchParameters\BootId appears to be incremented on every boot. It isn't documented, so it may disappear or its functionality may change without warning.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog


    Tuesday, February 26, 2019 6:21 PM
    Moderator
  • Thanks Brian for the reply.

    The mentioned registry value will just give me the boot count, right? But I need to know if the machine crashed. So say a VM is booted and running, now it crashes and that causes a restart. Now post-crash the VM is running. During this time I want to identify that the machine crashed in its previous running session.

    Wednesday, February 27, 2019 8:11 AM
  • Your disk filter driver will see the IRP_MJ_SHUTDOWN, right? When it does, copy the BootId to your area of the registry. Then when the system boots, compare that to the current BootId. If (new-old) != 1, then the system crashed.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog


    Wednesday, February 27, 2019 6:53 PM
    Moderator
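    Brian's BootId comparison, as an added example in user mode (this is not Brian's code, and his version lives in the disk filter driver's IRP_MJ_SHUTDOWN handler rather than in a script). `Save-CleanShutdownBootId` stands in for the shutdown-time write and is meant to run from a shutdown hook such as a Group Policy shutdown script; `Test-PreviousBootCrashed` is the startup-time comparison. `HKLM:\SOFTWARE\ExampleVendor\CrashCheck` is a placeholder key of my own, and the BootId value and its path are undocumented, as Brian notes.

```powershell
# Added example: BootId bookkeeping across shutdown and boot. Not from the thread.
# Requires administrative rights to write under HKLM.

# Undocumented per Brian's reply; CCS expands to CurrentControlSet.
$BootIdKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
# Placeholder for "your area of the registry"; not a real vendor key.
$StateKey  = 'HKLM:\SOFTWARE\ExampleVendor\CrashCheck'

function Get-CurrentBootId {
    # BootId is a DWORD that appears to increment on every boot.
    [int](Get-ItemProperty -Path $BootIdKey -Name BootId).BootId
}

function Save-CleanShutdownBootId {
    # Shutdown-time step: record the BootId of the session that is shutting down
    # cleanly. In Brian's design this is done from the driver's IRP_MJ_SHUTDOWN
    # handler, i.e. before the point where no more disk I/O is allowed.
    if (-not (Test-Path $StateKey)) { New-Item -Path $StateKey -Force | Out-Null }
    Set-ItemProperty -Path $StateKey -Name LastCleanBootId -Value (Get-CurrentBootId) -Type DWord
}

function Test-PreviousBootCrashed {
    # Startup-time step. Returns $true if the previous session did not record a
    # clean shutdown, $false if it did, and $null if there is nothing to compare.
    $current = Get-CurrentBootId
    $saved = (Get-ItemProperty -Path $StateKey -Name LastCleanBootId -ErrorAction SilentlyContinue).LastCleanBootId
    if ($null -eq $saved) {
        # First run, or the saved value was deleted: the same blind spot as a
        # cleared event log, so report inconclusive rather than guessing.
        return $null
    }
    # Brian's rule: a clean shutdown followed by one boot leaves (new - old) == 1.
    # A crash skips the write, so the gap is 2 or more.
    return (($current - [int]$saved) -ne 1)
}

# Usage: at startup, evaluate before doing the critical work; at shutdown, record.
#   Test-PreviousBootCrashed
#   Save-CleanShutdownBootId
```

    The two checks (event log and BootId) fail in different ways: the event log can be cleared, while the BootId write can be skipped if the crash lands after early shutdown notification, as the later replies discuss. Running both and treating disagreement as inconclusive narrows each one's blind spot without fully closing it.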
  • Brian, thanks for the reply.

    There are two APIs:

    IoRegisterShutdownNotification (early shutdown)

    IoRegisterLastChanceShutdownNotification (late shutdown)

    I have already registered for IoRegisterLastChanceShutdownNotification, as I want to be sure that there are no more disk I/Os from here onward. And so I could not add any registry entry here. If I register for IoRegisterShutdownNotification, then I would get a chance to write the BootId in the registry, but there are possibilities of a crash even after this write operation, right? So say once I get the early shutdown notification and I write the BootId in the registry, and then the system crashes.

    Thursday, February 28, 2019 6:55 AM