Detect if previous boot had a BSOD?

Dejan_Maksimovic Member - All Emails Posts: 334
via Email in NTDEV
Any way to do this without hacks like "write a key/file on boot load,
and remove it later"?
It is of no importance in my case who caused the blue screen, just
that we know if the previous boot shut down properly.
TIA

Comments

  • Eric_Wittmayer Member Posts: 50

    Check system event logs for previous boot times and messages about unclean shutdown + a check for minidump files with date time stamps close to the event log entries? Not sure how feasible that is programmatically.

  • Dejan_Maksimovic Member - All Emails Posts: 334
    via Email
    That is more of a hack.. I am looking for something more documented as an
    API
  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    Well, the Event Log entry is the “standard way” to do this. So, no... not so much of a hack.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
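
The event-log check suggested in the two replies above, correlated with dump file timestamps, for a user-mode component; this is an added example, not code posted in the thread or provided by OSR. It assumes the default dump locations under `%SystemRoot%` and looks for System log events 6008 (EventLog), 41 (Kernel-Power) and 1001 (BugCheck); the function name `Get-PreviousShutdownState` is made up for this example.

```powershell
# Added example: user-mode check of how the session before the current boot ended.
function Get-PreviousShutdownState {
    [CmdletBinding()]
    param(
        # Assumed default dump locations; adjust if crash dump settings were changed.
        [string[]]$DumpPath = @("$env:SystemRoot\Minidump\*.dmp", "$env:SystemRoot\MEMORY.DMP"),
        # Tolerance for skew between the reported boot time and early boot events.
        [int]$SkewMinutes = 2
    )

    $boot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $since = $boot.AddMinutes(-$SkewMinutes)

    # Provider/Id pairs written to the System log on the boot after an unclean stop.
    $wanted = @{
        'EventLog/6008'                                   = 'UnexpectedShutdown'
        'Microsoft-Windows-Kernel-Power/41'               = 'UnexpectedShutdown'
        'Microsoft-Windows-WER-SystemErrorReporting/1001' = 'BugCheck'
    }

    # Filter by Id first, then by provider, since other providers reuse these Ids.
    $filter = @{ LogName = 'System'; Id = 41, 6008, 1001; StartTime = $since }
    $hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $wanted.ContainsKey("$($_.ProviderName)/$($_.Id)") })

    # Dump files written since this boot began, to correlate with the log entries.
    $dumps = @(Get-Item -Path $DumpPath -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since })

    $kinds = @($hits | ForEach-Object { $wanted["$($_.ProviderName)/$($_.Id)"] })
    if ($kinds -contains 'BugCheck' -or $dumps.Count -gt 0) { $state = 'BugCheck' }
    elseif ($kinds -contains 'UnexpectedShutdown')          { $state = 'UnexpectedShutdown' }
    else                                                    { $state = 'NoEvidenceOfCrash' }

    [pscustomobject]@{
        BootTime  = $boot
        State     = $state
        Events    = $hits | Select-Object TimeCreated, ProviderName, Id
        DumpFiles = $dumps.FullName
    }
}

Get-PreviousShutdownState | Format-List
```

The last state is named `NoEvidenceOfCrash` rather than clean because, as a reply further down the thread points out, a crash early in boot can leave neither a dump nor an event log entry.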

  • Dejan_Maksimovic Member - All Emails Posts: 334
    via Email
    Would that entry exist for a boot load minifilter? Event Log would be up
    already?
  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    Would that entry exist for a boot load minifilter

    Hmmm.. it’s not like you’re gonna read the event log in kernel mode, right? Or, perhaps you know something I don’t.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Dejan_Maksimovic Member - All Emails Posts: 334
    via Email
    That is what I needed, and had spent 20 mins figuring how to do it...
    finding I could not :(

    So, to respecify the question: how does a BOOT load minifilter detect if a
    previous boot/shutdown failed or not?
  • Scott_Noone_(OSR) Administrator Posts: 3,336

    When the system crashes Windows writes the contents of memory out to a paging file and reboots the machine. On reboot, SMSS.EXE looks in the paging file to see if there's a crash dump in it. At that point it will copy the file over to MEMORY.DMP and write the error log entries.

    So, historically speaking, even Windows doesn't know if there was a crash until user mode comes online and checks. Even then the system only knows there was a crash if the crash dump was successfully written out to a paging file. For example, if you crash early in boot there's no paging file yet so you don't get a crash dump and there's no trace of it in the event log.

    To overcome this newer versions of Windows will write minimal crash dump information out to a UEFI variable prior to attempting to write the dump. That way you can at least detect the crash on reboot even if there's no crash dump. I don't know of any documented way to read this from a driver though.

    -scott
    OSR

  • Dejan_Maksimovic Member - All Emails Posts: 334
    via Email
    That may be for a BSOD, but the system knows even before it loads
    minifilters that the last session did not shutdown properly (you get that
    Start normally vs Start Repair prompt).
    That was what I was hoping to check.

    For now, we will do the manual thing: create a file to indicate a
    successful shutdown, check it on boot and delete it.

    Kind regards, Dejan.
  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    Well, Windows does... or at least it DID... write bootstat.dat to indicate a clean shutdown.

    Is that what you’re looking for?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Dejan_Maksimovic Member - All Emails Posts: 334
    via Email
    Something like that!
    Is it documented at all?
  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    Well, I’ve never seen any MSFT docs.

    Geoff Chappell has a write-up here.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Dejan_Maksimovic Member - All Emails Posts: 334

    Much obliged, Pete!

  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    This could be "old shit" that Windows doesn't even support anymore, Mr. Maksimovic. So, if you get some help from it, I'll be glad.

    I remember tripping across this file when I was doing a project that restricted writes to disk. This DAMN file always wanted to be the LAST thing to be written and read. It was vexsome, IIRC.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
