I don't know if this is even possible but is there any way to programmatically detect that a BSOD has just occurred when rebooting just after the BSOD?

The BSOD could be for ANY reason or all reasons, doesn't matter. I know you could check for the dump file but if the user turns that setting off then no dump will be made. They can also change the path they want the dump files to go to which makes it unreliable for you to detect.

Any and/or all versions of Windows would be nice. It would be nice if I can check in the same manner on each OS but if it has to be OS-specific I suppose that would be fine as well.

Brian T Hannan
  • There's usually an entry in Event Viewer indicating the fact. You could look for that but I'd expect that to depend on the kind of failure, your mileage may vary – Luis Oct 30 '13 at 19:02
  • Can I access the Event Viewer programmatically from C++ without .NET? – Brian T Hannan Oct 30 '13 at 19:04
  • According to this [Wikipedia entry](http://en.wikipedia.org/wiki/Windows_NT_startup_process#Loading_the_Windows_NT_kernel), at least in Windows NT (since Windows Vista), the information about the last boot-up success is stored in the registry: `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Failed`, to be precise. BUT that only includes WinNT and boot-up errors. – Kamiccolo Oct 30 '13 at 19:12
  • Aren't minidump files created after a BSOD? – George Mitchell Oct 30 '13 at 19:12
  • Yes minidumps are created but like I said the user can change where those files are saved, so not reliable. – Brian T Hannan Oct 30 '13 at 19:14
  • @GeorgeMitchell that's right. And, as I remember, this is default behavior on *most* (?) Windows systems. – Kamiccolo Oct 30 '13 at 19:15
  • @BrianTHannan, on some Windows systems the location of the `minidump` is also stored in the Windows Registry: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\DumpFile`, to be precise. Worth mentioning: the first way is how Windows chooses to offer "Last Known Good Configuration" during boot. – Kamiccolo Oct 30 '13 at 19:17
  • Yes, you can access the Event Viewer without using .NET. That's how we accessed the Event Viewer prior to the invention of .NET. – Raymond Chen Oct 30 '13 at 19:23
  • Yes, you can access the event logs from C++. http://msdn.microsoft.com/en-us/library/windows/desktop/aa385780(v=vs.85).aspx – Ben Oct 30 '13 at 19:25
  • Ben, make that an answer and I'll mark it correct. Thanks! – Brian T Hannan Oct 30 '13 at 19:46

1 Answer

Yes, you can access the event logs from C++.

The EventLog service will log a specific event 6008 after an unexpected shutdown. In addition, you will see the event 6006 logged on a successful shutdown, and 6009 and 6005 on a startup.

Ben
  • Actually, this does not solve the problem. After looking into it a bit more this is not specific enough to ONLY BSODs. Although any abnormal shutdown would be a useful thing to know that is not exactly what I'm looking for. Seems I will have to look at the registry here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl 1) See if user has option set to save crash dump 2) Look at the crash dump's filename and/or timestamp to determine when it was last saved meaning the last time it happened. – Brian T Hannan Nov 04 '13 at 15:41
  • Relying on EventLog is shaky. The entire purpose of BSOD is to trap an unexpected fatal error. The system can become unresponsive before the EventLog gets a chance to be updated. – SomeWittyUsername Nov 10 '13 at 10:49
  • @icepack, If the "Shutdown" event is ***missing***, this indicates a crash. – Ben Nov 11 '13 at 09:56
  • @Ben 1. Not necessarily - it can also be a crash of the EventLog service, for example. 2. You need a point of reference to search for the shutdown event. If the event is missing from the entire log, it's a bit problematic. – SomeWittyUsername Nov 11 '13 at 10:35
  • @icepack, If the eventlog service crashes the computer *always* BSODs anyway, **by design**, because this is a security violation. If you see the startup event without the shutdown event this indicates a crash. The eventlog service doesn't log many events, so just filter on that. – Ben Nov 11 '13 at 10:48
  • @Ben Do you have a formal confirmation for the first claim? Never heard of such behavior. Regarding the second claim - it's pretty subjective but in general I agree. – SomeWittyUsername Nov 11 '13 at 10:50
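
Added example, not part of the original answer or comments: the check discussed above (event 6008, or a startup event with no shutdown event 6006 before it), written as portable C++ over records already read from the System log in chronological order. The `Record` struct, the function names and the sample logs are constructed for illustration, and reading the records from the event log is left out; as the asker notes, this flags any unexpected shutdown, not only a BSOD.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Event IDs from the answer; an ID is only meaningful together with its source.
enum : uint32_t { kStarted = 6005, kStopped = 6006, kUnexpected = 6008, kBootInfo = 6009 };
struct Record { uint64_t time; std::string source; uint32_t id; };  // hypothetical shape
enum class LastShutdown { Unknown, Clean, Unexpected };

// Classify the shutdown that preceded the most recent startup.
// `log` must be in chronological order, oldest first.
LastShutdown classify(const std::vector<Record>& log) {
    std::vector<uint32_t> ids;  // EventLog-source records only
    for (const Record& r : log)
        if (r.source == "EventLog" && (r.id == kStarted || r.id == kStopped ||
                                       r.id == kUnexpected || r.id == kBootInfo))
            ids.push_back(r.id);
    int boot = -1;  // index of the most recent startup event (6005)
    for (int i = 0; i < (int)ids.size(); ++i)
        if (ids[i] == kStarted) boot = i;
    if (boot < 0) return LastShutdown::Unknown;
    // A 6008 written after the startup event still belongs to this boot.
    for (int i = boot + 1; i < (int)ids.size(); ++i)
        if (ids[i] == kUnexpected) return LastShutdown::Unexpected;
    // Otherwise walk back to what the previous session left behind.
    for (int i = boot - 1; i >= 0; --i) {
        if (ids[i] == kUnexpected) return LastShutdown::Unexpected;
        if (ids[i] == kStopped) return LastShutdown::Clean;
        if (ids[i] == kStarted) return LastShutdown::Unexpected;  // start, no stop
    }
    return LastShutdown::Unknown;  // log begins at this boot: no reference point
}

// Constructed sample logs (not real event data); "OtherSource" is made up.
std::vector<Record> cleanLog() {
    return {{100, "EventLog", 6009}, {101, "EventLog", 6005}, {300, "OtherSource", 6008},
            {500, "EventLog", 6006}, {600, "EventLog", 6009}, {601, "EventLog", 6005}};
}
std::vector<Record> crashLog() {  // 6008 logged at the startup after the crash
    return {{100, "EventLog", 6005}, {600, "EventLog", 6009},
            {601, "EventLog", 6005}, {602, "EventLog", 6008}};
}
std::vector<Record> missingStopLog() {  // two startups, no 6006 or 6008 between
    return {{100, "EventLog", 6009}, {101, "EventLog", 6005},
            {600, "EventLog", 6009}, {601, "EventLog", 6005}};
}
std::vector<Record> freshLog() {  // log holds only the current boot
    return {{600, "EventLog", 6009}, {601, "EventLog", 6005}};
}
```

The `Unknown` result covers the "point of reference" objection raised in the comments: when the log holds nothing from before the current boot, the absence of 6006 proves nothing.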