Bigfix Property to get the shutdown

Hi,
Is there a way to get the shutdown time of the device? I know a way to get the last boot time, but I want to know when the machine shut down or who is shutting down their devices. We want to make sure that some of the devices do not shut down.

I’m not aware of native inspectors that can do that. If it's a Windows OS, then parsing the event logs is one possible method, though that could be an “expensive” query depending on the size and number of events in the system log (it took 7 seconds to run for me, and that’s without the throttling layer that the agent adds to reduce the impact on system performance). Based on info here, relevance to pull that info could be

(event id of it, time generated of it, description of it) of (records whose (event id of it is contained by set of (41;1074;6006;6008)) of system event log)


Thank you! Let me try this.

Thanks for this. I took this and RAN with it. :slight_smile:

We are multi-tenant and it sometimes takes 10 to 15 minutes to log into a customer system due to all of the security, MFA, jump boxes and so on, needed to get to a customer machine.

We also use a Registry Key we created to store data we use in BigFix. Example, during the log4j scans, we put a time stamp on the scan so we knew the age of our results.

I created a fixlet task to create a regkey called “ShowShutdownEvents” and set it to true or false (two actions in the task).

I then created an analysis that will only be relevant to those with the key set to true. Then I took the code you shared and put it in the property.

Now I can turn on the query, wait for BigFix to pull it, gather and save the data, then disable the query for that machine. I can do all of this in under 5 min if the machine is online and responding. :slight_smile:

Thanks for this.


I bet we can “Strawgate” this for better efficiency with the assumption that the interesting event is likely in the last 1000 log records

23 seconds vs 1/2 a second on my box.

q: (event id of it, time generated of it, description of it) of (records whose (event id of it is contained by set of (41;1074;6006;6008)) of system event log)
A <.snip.>
A: 6006, ( Mon, 07 Feb 2022 12:34:08 -0500 ), The Event log service was stopped.
A: 6008, ( Wed, 09 Feb 2022 13:01:07 -0500 ), The previous system shutdown at 12:45:02 PM on 2/9/2022 was unexpected.
A: 41, ( Wed, 09 Feb 2022 13:00:57 -0500 ), ( The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. )
A: 1074, ( Fri, 11 Feb 2022 09:29:16 -0500 ), The process C:\Windows\System32\RuntimeBroker.exe (xxxxxx) has initiated the restart of computer xxxxxx on behalf of user xxxx\xxxxxx for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: 
A: 6006, ( Fri, 11 Feb 2022 09:29:29 -0500 ), The Event log service was stopped.
A: 1074, ( Wed, 16 Feb 2022 17:48:14 -0500 ), The process C:\Windows\System32\RuntimeBroker.exe (xxxxxx) has initiated the power off of computer xxxxxx on behalf of user xxxx\xxxxxx for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: power off%0d%0a Comment: 
A: 6006, ( Wed, 16 Feb 2022 17:48:30 -0500 ), The Event log service was stopped.
T: 23826.321 ms

vs

q: (event id of it, time generated of it, description of it) of records ((integers in(item 0 of it + item 1 of it - 1,maximum of (item 0 of it + item 1 of it - 1000;item 1 of it))) of (record count of it, oldest record number of it)) whose (event id of it is contained by set of (41;1074;6006;6008)) of system event log
A: 6006, ( Wed, 16 Feb 2022 17:48:30 -0500 ), The Event log service was stopped.
A: 1074, ( Wed, 16 Feb 2022 17:48:14 -0500 ), The process C:\Windows\System32\RuntimeBroker.exe (   ) has initiated the power off of computer      on behalf of user    \    for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: power off%0d%0a Comment: 
T: 571.719 ms
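Added example, not code from the thread or from BigFix: a small Python script that takes Fixlet Debugger output in the "A: <id>, ( <time> ), <description>" shape shown above (for both the full-log query and the last-1000-records version), turns it into structured shutdown events, pulls the initiating user, process and shutdown type out of the 1074 description, and flags the 41/6008 pair that marks an unclean shutdown. It also reproduces the record-number window arithmetic from the optimized relevance so you can check what range a given log size maps to. The sample text is constructed for this example; computer and user names (WS01, CORP\alice, CORP\bob) and the PID are placeholders.

```python
"""Parse BigFix Fixlet Debugger output for shutdown-related System log events.

Added example, not code from the thread. SAMPLE_OUTPUT is constructed to
mirror the debugger's "A: <id>, ( <time> ), <description>" lines; the
computer name, user names and PID in it are placeholders, not real records.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Event IDs the thread's relevance filters on, and what each one records.
EVENT_MEANING = {
    41: "Kernel-Power: rebooted without a clean shutdown",
    1074: "user or process initiated a shutdown/restart",
    6006: "event log service stopped (clean shutdown marker)",
    6008: "previous shutdown was unexpected",
}
UNCLEAN_IDS = {41, 6008}

# Constructed sample (placeholders only). Trailing "Comment:" is empty as in the thread.
SAMPLE_OUTPUT = """\
A: 6006, ( Mon, 07 Feb 2022 12:34:08 -0500 ), The Event log service was stopped.
A: 6008, ( Wed, 09 Feb 2022 13:01:07 -0500 ), The previous system shutdown at 12:45:02 PM on 2/9/2022 was unexpected.
A: 41, ( Wed, 09 Feb 2022 13:00:57 -0500 ), ( The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. )
A: 1074, ( Fri, 11 Feb 2022 09:29:16 -0500 ), The process C:\\Windows\\System32\\RuntimeBroker.exe (1234) has initiated the restart of computer WS01 on behalf of user CORP\\alice for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment:
A: 6006, ( Fri, 11 Feb 2022 09:29:29 -0500 ), The Event log service was stopped.
A: 1074, ( Wed, 16 Feb 2022 17:48:14 -0500 ), The process C:\\Windows\\System32\\RuntimeBroker.exe (1234) has initiated the power off of computer WS01 on behalf of user CORP\\bob for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: power off%0d%0a Comment:
A: 6006, ( Wed, 16 Feb 2022 17:48:30 -0500 ), The Event log service was stopped.
T: 571.719 ms
"""

# One debugger answer line: "A: <id>, ( <time> ), <description>"
LINE_RE = re.compile(r"^A: (\d+), \( (.+?) \), (.*)$")
# Fields inside a 1074 description; "%0d%0a" is the encoded CRLF the debugger prints.
INITIATED_RE = re.compile(
    r"The process (?P<process>.+?) \((?P<pid>[^)]*)\) has initiated the "
    r"(?P<action>restart|power off|shutdown) of computer (?P<computer>.*?) "
    r"on behalf of user (?P<user>\S+) for the following reason: (?P<reason>.*?)%0d%0a"
)


@dataclass
class ShutdownEvent:
    event_id: int
    time: datetime
    description: str
    user: Optional[str] = None
    process: Optional[str] = None
    action: Optional[str] = None
    reason: Optional[str] = None

    @property
    def unclean(self) -> bool:
        return self.event_id in UNCLEAN_IDS


def parse_debugger_output(text: str) -> list[ShutdownEvent]:
    """Turn debugger output into events, oldest first; ignores q:/T:/snip lines."""
    events: list[ShutdownEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(1)) not in EVENT_MEANING:
            continue
        event_id = int(m.group(1))
        when = datetime.strptime(m.group(2), "%a, %d %b %Y %H:%M:%S %z")
        desc = m.group(3).strip()
        if desc.startswith("( ") and desc.endswith(" )"):  # multi-sentence descriptions come parenthesised
            desc = desc[2:-2]
        ev = ShutdownEvent(event_id, when, desc)
        if event_id == 1074:
            d = INITIATED_RE.search(desc)
            if d:
                ev.user, ev.process = d["user"], d["process"]
                ev.action, ev.reason = d["action"], d["reason"].strip()
        events.append(ev)
    return sorted(events, key=lambda e: e.time)


def last_record_window(record_count: int, oldest_record_number: int, n: int = 1000) -> tuple[int, int]:
    """Record-number range the optimized relevance scans: the newest n records,
    clamped at the oldest record when the log holds fewer than n."""
    newest = oldest_record_number + record_count - 1
    lowest = max(newest - n + 1, oldest_record_number)
    return lowest, newest


def summarize(events: list[ShutdownEvent]) -> dict:
    """Answer the thread's questions: when did it last go down, and who did it."""
    initiated = [e for e in events if e.event_id == 1074]
    last_init = initiated[-1] if initiated else None
    return {
        "last_shutdown_time": events[-1].time if events else None,
        "last_initiator": last_init.user if last_init else None,
        "last_action": last_init.action if last_init else None,
        "last_process": last_init.process if last_init else None,
        # 41 and 6008 describe the same dirty reboot; list both so the pairing is visible.
        "unclean_events": [(e.event_id, e.time.isoformat()) for e in events if e.unclean],
    }


if __name__ == "__main__":
    for k, v in summarize(parse_debugger_output(SAMPLE_OUTPUT)).items():
        print(f"{k}: {v}")
    print("window for 5000 records starting at #1:", last_record_window(5000, 1))
```

Run it against pasted debugger output (or a property's results exported from the console) to get the most recent shutdown time and the account behind the last 1074. A 41 without a matching 6008 a few seconds later, or a 1074 with no following 6006, is worth a second look; the window function also shows why a small log (fewer than 1000 records) is scanned in full by the faster query.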