Solved

Win2003 InitiateSystemShutdownEx() question

Posted on 2006-06-15
Last Modified: 2013-12-03
InitiateSystemShutdownEx() has dwReason parameter which is saved somewhere in the Registry. I need to know this place in the Registry
Question by:alex1234
10 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 16916233
See http://msdn.microsoft.com/library/en-us/sysinfo/base/system_shutdown_reason_codes.asp ("System Shutdown Reason Codes"):

"You can also define your own shutdown reasons and add them to the registry. Each reason code should be stored as a registry value in the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability"
0
 
LVL 2

Expert Comment

by:mannujam
ID: 16918036
You can find it yourself: download Regmon from www.sysinternals.com,
then run Regmon and your exe that uses the API. It will show you which process is accessing which registry value across the whole system.
0
 
LVL 1

Author Comment

by:alex1234
ID: 16921133
mannujam,

thanks a lot for the excellent utility, however I can't use it in my case because InitiateSystemShutdownEx() terminates the utility before I have any chance to examine its output

jkr,

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" does not store the 'dwReason' code that I supply to InitiateSystemShutdownEx(), so my question is still open because I need to know where this value is saved after InitiateSystemShutdownEx() is executed.

0
 
LVL 1

Author Comment

by:alex1234
ID: 16921233
What I'm doing is restoring the registry and at the end of the restore I call InitiateSystemShutdownEx() with a 'planned' flag to re-start the PC. When it is re-started it displays "Unplanned shutdown" message because it loads the restored registry which did not contain the 'planned' reboot flag

So, if I knew where the 'planned' stamp goes, I would 'fake' the stamp at the time of restore and place it in the restored registry so the reboot would not have the "Unplanned shutdown" message.
0
 
LVL 3

Expert Comment

by:griffin36
ID: 16940828
The reason parameter isn't actually stored in the registry; it is stored in the event log located at: C:\WINDOWS\system32\config\SysEvent.Evt

It's possible that the problem could be due to not including reason codes (you only mentioned the planned flag, so I'm not sure if you have others). Windows wants to have major and maybe minor codes in the dwReason parameter, the planned flag is just a toggle to be used in addition to these. If you omitted these codes, the message may appear because Windows wants to be able to store some code. In your case, the following combination of flags may be appropriate:
SHTDN_REASON_MAJOR_OPERATINGSYSTEM | SHTDN_REASON_MINOR_RECONFIG | SHTDN_REASON_FLAG_PLANNED

Hope this helps!
0
 
LVL 1

Author Comment

by:alex1234
ID: 16941817
griffin36, I didn't omit the reason codes. Also, if the 'planned' shutdown was stored in the event log, I wouldn't have this problem because I don't replace the event log. The event log stores these events, this is true, but for information purposes only.
0
 
LVL 3

Accepted Solution

by:
griffin36 earned 250 total points
ID: 16944672
I thought it might be worth a shot, like I said, I didn't know if you included the reason or not.

At any rate, I found the following document useful:
http://technet2.microsoft.com/WindowsServer/en/Library/5c6e30b2-6803-418d-a7b5-e4eb79323db51033.mspx?mfr=true

The document describes the mechanism by which the shutdown event tracker knows whether to appear at startup. I had to find the registry values that are used myself, they are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
->LastAliveStamp
->LastAliveUptime

If you remove these values from the restored registry without allowing the Event Log service to write them back, then you'll be fine. If restoring the backup consists of copying all the "software" and other files back to C:\windows\system32\config, then you can simply load the software registry hive into the active registry at an alternate location such as software.old and then remove the values from that hive. Then, just unload the hive and you should be good to go.
0
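The offline hive edit described in the accepted answer above, written out as an added example (not part of the original thread and not the poster's code). It assumes an elevated prompt, a restored `software` hive file that is not the one currently in use, and the standard `reg.exe` tool; the parameter names and the default mount name (taken from the answer's `software.old` suggestion) are illustrative.

```powershell
# Added example: remove the Reliability stamp values from a restored SOFTWARE hive
# by mounting it under a temporary key, as the answer above describes.
# Assumptions: run elevated; $HivePath points at the restored hive file, not the live one.
param(
    [Parameter(Mandatory = $true)]
    [string]$HivePath,
    [string]$MountName = 'software.old',
    [string[]]$ValueNames = @('LastAliveStamp', 'LastAliveUptime')
)

$mountKey = "HKLM\$MountName"
# The loaded hive's root corresponds to HKLM\SOFTWARE, so the key sits directly below it.
$relKey = "$mountKey\Microsoft\Windows\CurrentVersion\Reliability"

if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive file not found: $HivePath" }

# Refuse to mount over a key that already exists under HKLM.
& reg.exe query $mountKey 2>$null | Out-Null
if ($LASTEXITCODE -eq 0) { throw "$mountKey already exists; choose another mount name" }

& reg.exe load $mountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }

try {
    foreach ($name in $ValueNames) {
        # A missing value is not an error: the restored hive may never have had it.
        & reg.exe query $relKey /v $name 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Output "$name not present, nothing to remove"
            continue
        }

        & reg.exe delete $relKey /v $name /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not delete $name (exit code $LASTEXITCODE)" }
        Write-Output "Removed $name"
    }
}
finally {
    # Always unload, even after a failure, so the hive file is released and flushed.
    & reg.exe unload $mountKey | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; the hive is still mounted at $mountKey"
    }
}
```

Pass `-ValueNames LastAliveStamp` to limit the edit to a single value.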
 
LVL 1

Author Comment

by:alex1234
ID: 16944733
Thanks, griffin36, I'll try your suggestion in a day or so..
0
 
LVL 1

Author Comment

by:alex1234
ID: 16954771
LastAliveStamp is the one, LastAliveUptime seems to be not involved.

Thanks!!
0
 
LVL 3

Expert Comment

by:griffin36
ID: 16957272
Glad I could help!
0
