How to detect whether Windows is shutting down or restarting

by

In Windows 7 (and probably also in Vista / 8 / Server) you could use the system events to track whether Windows is shutting down (and powering off the computer) or just restarting. Every time a shutdown/reboot is initiated (by any means – clicking the button in Start menu, or programmatically), Windows 7 writes one or two events in the System log, source USER32, event ID 1074. You can see these events recorded if you open the Event Viewer from Administrative Tools (filter the System log to see only ID 1074). The description (message) of these events contains the shutdown type. So you could parse the description of the most recent event of this type (after the shutdown was initiated), looking for the necessary word (shutdown, reboot/restart).

I didn’t try to see the shutdown type written in the event when using the power button to gracefully shutdown Windows (I usually disable this function), but some site suggests that it states a “power off” type instead of “shutdown” – so check it out, if you need to be sure. Or simply look for a “reboot” type – if it’s not found, then a “shutdown” type is assumed.

In Windows XP, from my experience, an event 1074 is recorded only if the shutdown/reboot is done programmatically (e.g. during a program install or using the shutdown.exe utility). So it does not register the shutdowns initiated from the shell (Explorer), but perhaps you could combine this method with reading the value from registry as proposed in another answer. Also, keep in mind that in WinXP the message of event 1074 contains the word “restart” no matter what the real type of shutdown is, so you should look at the “Shutdown Type:” field, which will state either “shutdown” or “reboot”.

Related to this, an event ID 1073 is recorded whenever Windows fails to shutdown/reboot for some reason (e.g. if an application doesn’t allow to shutdown as a response to WM_QUERYENDSESSION). In that case the message will also contain words as “shutdown”, “reboot” or “power off” – in WinXP. For Win7 this type of event is less useful in our case, since it won’t make any difference between shutdown and reboot. But for WinXP – if you only need to intercept the shutdown/reboot, perform some actions, then continue the corresponding shutdown or reboot process – it should work as expected.

More Related Contents:

  1. How to detect the current screen resolution?
  2. Drawing in a Win32 Console on C++?
  3. Is there a way to create a c++ gui game without win32 api, openGL, direct X and stuff? [closed]
  4. Windows threading: _beginthread vs _beginthreadex vs CreateThread C++
  5. What is the equivalent to Posix popen() in the Win32 API?
  6. How can I get a process handle by its name in C++?
  7. What does “WINAPI” in main function mean?
  8. What is the easiest way to parse an INI File in C++? [closed]
  9. How to convert char* to wchar_t*?
  10. Cannot convert parameter from ‘const char[20]’ to ‘LPCWSTR’
  11. Creating a transparent window in C++ Win32
  12. SetupDiGetDeviceProperty usage example
  13. WaitForInputIdle doesn’t work for starting mspaint programmatically
  14. How can I change the background color of a button WinAPI C++
  15. How to query a running process for its parameters list? (Windows, C++)
  16. Best way to determine if two path reference to same file in Windows?
  17. Detecting simulated keyboard/mouse input
  18. How to programmatically create a shortcut using Win32
  19. Use CreateProcess to Run a Batch File
  20. How can I save HICON to an .ico file?
  21. Load the same dll multiple times [closed]
  22. Find what directory the running process EXE is stored in [duplicate]
  23. Size of a directory [duplicate]
  24. Is it possible for the executable to ask for Administrator rights? (Windows 7)
  25. Why there are three unexpected worker threads when a Win32 console application starts up? [duplicate]
  26. How can I enumerate/list all installed applications in Windows XP?
  27. DoEvents equivalent for C++?
  28. Is a memory barrier required to read a value that is atomically modified?
  29. Win32: Bring a window to top
  30. Are there any downsides to using UPX to compress a Windows executable?

Leave a Comment