Boot time versus Uptime versus Last Time System Rebooted

(imported topic written by jr6591)

Essentially, shouldn’t these 2 properties give the same information? I am encountering some differences. What I really wanted was to show the last time the system was rebooted. I am trying to report on the last time a server was rebooted.

I have this:

boot time of Operating System returns a large number such as 83 days, 78 days, etc.

(if it = 1 then it as string & " day" else it as string & " days") of ((uptime of operating system) / day) returns Nov 8, 2006.

So, which one do I believe?

Also, I have a few Windows XP PCs that are showing as the boot time from 2 days ago yet the Uptime shows as 1384 days.

(imported comment written by jessewk)

jr,

This thread explains the differences:

http://forum.bigfix.com/viewtopic.php?id=367

-Jesse

(imported comment written by jr6591)

The bug with boot time of Operating System does not mention Windows XP and Windows 2000 which we are running.

But the real issue here is which to believe and why is there a difference in the results.

if (name of operating system != "WinNT") then (uptime of operating system) else (now - boot time of operating system) and boot time of Operating System show different results.

Hence the problem.

(imported comment written by jessewk)

jr,

As Ben noted, the boot time property rolls back to zero after 49.7 days. This issue is a by-product of a Windows 32-bit millisecond counter that overflows (2^32 ms = 49.71 days). A similar issue is at http://support.microsoft.com/kb/216641.

The Windows XP machines that are showing a very large uptime likely have a problem with their performance counter. Again, see Ben’s post.

So, the short answer: If you’re not on NT, uptime is the reliable one, but some machines may have performance counter problems that give skewed results.

-Jesse
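
Added example, not part of the original thread and not BigFix's implementation: a C model of the 32-bit millisecond counter described in the post above, showing that a boot time derived from it is off by whole multiples of 2^32 ms, and how to check that against a trusted boot timestamp. The function names, the constructed `now` value and the 60-second tolerance are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define WRAP_MS 4294967296ULL   /* 2^32 ms, about 49.71 days */
#define DAY_MS  86400000ULL

/* Model (assumption): the counter keeps only the low 32 bits of elapsed ms. */
static uint32_t tick32(uint64_t true_uptime_ms) {
    return (uint32_t)(true_uptime_ms % WRAP_MS);
}

/* Boot time a naive report derives as "now - counter" (Unix epoch ms). */
static int64_t naive_boot_ms(int64_t now_ms, uint64_t true_uptime_ms) {
    return now_ms - (int64_t)tick32(true_uptime_ms);
}

/* Reconcile the naive value with a trusted boot timestamp (for example one
 * taken from an event log). Returns how many wraps the counter missed, or -1
 * if the gap is not a whole number of wraps within tolerance_ms. */
static int missed_wraps(int64_t trusted_boot_ms, int64_t naive_ms, int64_t tolerance_ms) {
    int64_t gap = naive_ms - trusted_boot_ms;
    if (gap < -tolerance_ms) return -1;   /* in this model naive is never earlier */
    if (gap < 0) gap = 0;
    int64_t k = (gap + (int64_t)(WRAP_MS / 2)) / (int64_t)WRAP_MS; /* nearest multiple */
    int64_t residue = gap - k * (int64_t)WRAP_MS;
    if (residue < 0) residue = -residue;
    return residue <= tolerance_ms ? (int)k : -1;
}

int main(void) {
    const int64_t now_ms = 1700000000000LL;               /* constructed "now" */
    const uint64_t true_days[] = { 10, 49, 50, 83, 120 }; /* constructed uptimes */
    for (size_t i = 0; i < sizeof true_days / sizeof true_days[0]; i++) {
        uint64_t up = true_days[i] * DAY_MS;
        int64_t trusted = now_ms - (int64_t)up;
        int64_t naive = naive_boot_ms(now_ms, up);
        printf("true %3llu d  counter shows %5.2f d  missed wraps %d\n",
               (unsigned long long)true_days[i],
               (double)tick32(up) / DAY_MS,
               missed_wraps(trusted, naive, 60000));
    }
    return 0;
}
```

A result of -1 means the two sources disagree by something other than counter wraparound, which is the case worth investigating separately.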

(imported comment written by dave_dunn91)

Try this expression, which looks for Event ID 6009 (see http://support.microsoft.com/kb/196452/EN-US/ ):

if exists record whose (event id of it = 6009 OR event id of it = 2147489657) of system event log then (now - maximum of (time generated of it) of records whose (event id of it = 6009 OR event id of it = 2147489657) of system event log) as string else "unknown"

(imported comment written by BenKus)

Hey Dave,

Actually, that will be problematic if there are remote logons… also, it is a very slow query (over 10 seconds to search most event logs)… This is much faster and more accurate:

q: uptime of operating system
A: 09:03:53
T: 14.789 ms

Ben