Bigfix Property to get the shutdown

brolly33 · February 17, 2022, 3:53pm

I bet we can “Strawgate” this for better efficiency with the assumption that the interesting event is likely in the last 1000 log records

23 seconds vs 1/2 a second on my box.

q: (event id of it, time generated of it, description of it) of (records whose (event id of it is contained by set of (41;1074;6006;6008)) of system event log)
A <.snip.>
A: 6006, ( Mon, 07 Feb 2022 12:34:08 -0500 ), The Event log service was stopped.
A: 6008, ( Wed, 09 Feb 2022 13:01:07 -0500 ), The previous system shutdown at 12:45:02 PM on 2/9/2022 was unexpected.
A: 41, ( Wed, 09 Feb 2022 13:00:57 -0500 ), ( The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. )
A: 1074, ( Fri, 11 Feb 2022 09:29:16 -0500 ), The process C:\Windows\System32\RuntimeBroker.exe (xxxxxx) has initiated the restart of computer xxxxxx on behalf of user xxxx\xxxxxx for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: 
A: 6006, ( Fri, 11 Feb 2022 09:29:29 -0500 ), The Event log service was stopped.
A: 1074, ( Wed, 16 Feb 2022 17:48:14 -0500 ), The process C:\Windows\System32\RuntimeBroker.exe (xxxxxx) has initiated the power off of computer xxxxxx on behalf of user xxxx\xxxxxx for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: power off%0d%0a Comment: 
A: 6006, ( Wed, 16 Feb 2022 17:48:30 -0500 ), The Event log service was stopped.
T: 23826.321 ms

vs

q: (event id of it, time generated of it, description of it) of records ((integers in(item 0 of it + item 1 of it - 1,maximum of (item 0 of it + item 1 of it - 1000;item 1 of it))) of (record count of it, oldest record number of it)) whose (event id of it is contained by set of (41;1074;6006;6008)) of system event log
A: 6006, ( Wed, 16 Feb 2022 17:48:30 -0500 ), The Event log service was stopped.
A: 1074, ( Wed, 16 Feb 2022 17:48:14 -0500 ), The process C:\Windows\System32\RuntimeBroker.exe (   ) has initiated the power off of computer      on behalf of user    \    for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: power off%0d%0a Comment: 
T: 571.719 ms