Detect if previous boot had a BSOD?

Any way to do this without hacks like “write a key/file on boot load,
and remove it later”?
It is of not importance in my case who caused the blue screen, just
that we know if the previous boot shut down properly.
TIA

Check system event logs for previous boot times and messages about unclean shutdown + a check for minidump files with date time stamps close to the event log entries? Not sure how feasible that is programmatically.

That is more of a hack… I am looking for something more documented as an
API

Well, the Event Log entry is the “standard way” to do this. So, no… not so much of a hack.

Peter

Would that entry exist for a boot load minifilter? Event Log would be up
already?

Would that entry exist for a boot load minifilter

Hmmm… it’s not like you’re gonna read the event log in kernel mode, right? Or, perhaps you know something I don’t.

Peter

That is what I needed, and had spent 2o mins figuring how to do it…
finding I could not :frowning:

So, to respecify the question: how does a BOOT load minifilter detect if a
previous boot/shutdown failed or not?

When the system crashes Windows writes the contents of memory out to a paging file and reboots the machine. On reboot, SMSS.EXE looks in the paging file to see if there’s a crash dump in it. At that point it will copy the file over to MEMORY.DMP and write the error log entries.

So, historically speaking, even Windows doesn’t know if there was a crash until user mode comes online and checks. Even then the system only knows there was a crash if the crash dump was successfully written out to a paging file. For example, if you crash early in boot there’s no paging file yet so you don’t get a crash dump and there’s no trace of it in the event log.

To overcome this newer versions of Windows will write minimal crash dump information out to a UEFI variable prior to attempting to write the dump. That way you can at least detect the crash on reboot even if there’s no crash dump. I don’t know of any documented way to read this from a driver though.

That may be for a BSOD, but the system knows even before it loads
minifilters that the last session did not shutdown properly (you get that
Start normally vs Stsrt Repair prompt).
That was what I was hoping to check.

For now, we will do the manual thing: create a file to indicate a
successful shutdown, check it on boot and delete it.

Kind regards, Dejan.

Well, Windows does… or at least it DID… write bootstat.dat to indicate a clean shutdown.

Is that what you’re looking for?

Peter

Something like that!
Is it documented at all?

Well, I’ve never seen any MSFT docs.

Geoff Chappell has a write-up here.

Peter

Much oblige, Pete!

This could be “old shit” that Windows doesn’t even support anymore, Mr. Maksimovic. So, if you get some help from it, I’ll be glad.

I remember tripping across this file when I was doing a project that restricted writes to disk. This DAMN file always wanted to be the LAST thing to be written and read. It was vexsome, IIRC.

Peter