Who Restarted or Shutdown their computer?

Help! Looking for a quick analysis to tell me the user who either shut down or restarted their computer.

Many thanks, folks…

Sno

@Snojack
Need more data.
What OS would be a good start.

On Windows, I would probably work off of the System Event log:
https://developer.bigfix.com/relevance/reference/event-log.html#system-event-log-event-log


Do you mean which BigFix user shut down or restarted a computer with a BigFix action?

Or do you mean which user, while logged into a computer directly, restarted or shutdown that computer?

If it's a BigFix action that performs a restart or shutdown, then we do add the action into the Windows System Event Log and log it also in the client log.


I need the user who logged off the computer or shut it down. Windows 10.

Thanks!

Definitely Windows 10. Just need an analysis to tell me which user restarted it or shut it down (not the BigFix operator, but the Windows user who was logged in at the time).

I need to know which user, while logged into a computer directly, restarted or shut down that computer. Thanks a million!

You would definitely need to use the Windows event log for this.

The hard part is, it won't be easy to tell who did it based upon the event log shutdown event if it was just turned off and is still off, because it is unlikely the BigFix agent will be able to report in between the time the shutdown started and it finished shutting down. You would have to use the last logged-on user as a proxy for offline machines.

Also, I'm not sure you can actually be precise in determining if a user did it. The Windows event log entries that help here should be the ones with IDs 41, 1074, 6006 and 6008.

You probably want to use negative logic. If you see 41 or 6008, you should be sure it wasn't a user that did it.

The event you should look for is the one with ID 1074, but it is not precise in terms of whether it was a user's intent to initiate the operation or it was caused by an application, e.g. Windows Update.


Great input, all. Here is some relevance to try. Please note that event logs are sometimes large and expensive for the Windows API to load. You probably want to use the relevance debugger locally to test, and when you go into Prod, you might want to use a BigFix Query to do a one-time query of only the interesting endpoints. I would avoid using an analysis property or retrieved property for this.

Make sure we have a system event log and see how big it is. Note the 13 second runtime here, very expensive; you might want to use Query for a one-time run instead of a permanent property.
q: number of records of system event log
A: 48123
T: 12800.608 ms
I: singular integer

Check our filtered results based on the prior poster suggesting these are the interesting event IDs (whose creates a filter...):
q: number of records whose (event id of it is contained by set of (41;1074;6006;6008)) of system event log
A: 20
T: 10098.544 ms
I: singular integer

Now that we know there are 20 entries, let's see if we can pull the "who" part of the records:
q: account names of user sids of records whose (event id of it is contained by set of (41;1074;6006;6008)) of system event log
A: brolly
A: brolly
A: brolly
A: brolly
A: brolly
A: brolly
A: brolly
A: brolly
A: brolly
A: brolly
T: 6746.267 ms
I: plural string

OK, we can pull the user name. Let's pull a bunch of other interesting properties while we are in there, since it will not cost that much more once the records are open.

q: (account name of user sid of it, time generated of it as string, source of it, record number of it,  description of it, event ID of it) of records whose (event id of it is contained by set of (41;1074;6006;6008)) of system event log
A: brolly, ( Mon, 20 Apr 2020 10:40:52 -0400 ), User32, 170189, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the restart of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: , 1074
E: Singular expression refers to nonexistent object.

Dang, singular expression… not all records have all of those properties. Using a PIPE (|) to trap and suppress those errors. The final query took about 3 seconds in the relevance debugger, still a bit expensive.

q: (account name of user sid of it|"NoAccount", time generated of it as string|"NoTimeGen", source of it|"NoSource", record number of it|0,  description of it|"NoDesc", event ID of it|0) of records whose (event id of it is contained by set of (41;1074;6006;6008)) of system event log
A: brolly, ( Mon, 20 Apr 2020 10:40:52 -0400 ), User32, 170189, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the restart of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: , 1074
A: NoAccount, ( Mon, 20 Apr 2020 10:40:59 -0400 ), EventLog, 170195, The Event log service was stopped., 6006
A: brolly, ( Wed, 22 Apr 2020 10:19:48 -0400 ), User32, 170829, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the restart of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: , 1074
A: NoAccount, ( Wed, 22 Apr 2020 10:19:51 -0400 ), EventLog, 170836, The Event log service was stopped., 6006
A: brolly, ( Wed, 22 Apr 2020 17:59:20 -0400 ), User32, 171026, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the power off of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: power off%0d%0a Comment: , 1074
A: NoAccount, ( Thu, 23 Apr 2020 15:23:54 -0400 ), EventLog, 171092, The Event log service was stopped., 6006
A: brolly, ( Fri, 24 Apr 2020 09:56:08 -0400 ), User32, 171303, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the restart of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: , 1074
A: NoAccount, ( Fri, 24 Apr 2020 09:56:15 -0400 ), EventLog, 171305, The Event log service was stopped., 6006
A: brolly, ( Fri, 24 Apr 2020 16:07:34 -0400 ), User32, 171503, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the restart of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: , 1074
A: NoAccount, ( Fri, 24 Apr 2020 16:07:51 -0400 ), EventLog, 171510, The Event log service was stopped., 6006
A: brolly, ( Mon, 27 Apr 2020 18:41:20 -0400 ), User32, 171751, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the power off of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: power off%0d%0a Comment: , 1074
A: NoAccount, ( Tue, 28 Apr 2020 11:49:37 -0400 ), EventLog, 171833, The Event log service was stopped., 6006
A: brolly, ( Thu, 30 Apr 2020 09:05:50 -0400 ), User32, 172322, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the restart of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: , 1074
A: NoAccount, ( Thu, 30 Apr 2020 09:05:57 -0400 ), EventLog, 172323, The Event log service was stopped., 6006
A: brolly, ( Mon, 04 May 2020 08:57:11 -0400 ), User32, 173135, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the restart of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: , 1074
A: NoAccount, ( Mon, 04 May 2020 08:57:27 -0400 ), EventLog, 173147, The Event log service was stopped., 6006
A: brolly, ( Wed, 06 May 2020 10:38:33 -0400 ), User32, 173411, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the restart of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: , 1074
A: NoAccount, ( Wed, 06 May 2020 10:38:45 -0400 ), EventLog, 173413, The Event log service was stopped., 6006
A: brolly, ( Thu, 07 May 2020 09:32:00 -0400 ), User32, 173772, The process C:\Windows\System32\RuntimeBroker.exe (MyComputer) has initiated the restart of computer MyComputer on behalf of user HCL\brolly for the following reason: Other (Unplanned)%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: , 1074
A: NoAccount, ( Thu, 07 May 2020 09:32:11 -0400 ), EventLog, 173773, The Event log service was stopped., 6006
T: 3379.312 ms
I: plural ( string, string, string, integer, string, integer )
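The two posts above together describe the triage rule (41/6008 mean nobody clicked anything; 6006 is only a clean-shutdown marker; 1074 is the record that names a user, but also fires for application-driven restarts) and show the exact text of the 1074 description as the relevance debugger prints it. The following Python is an added example, not code from the thread or from BigFix, that applies that rule to records in the (event ID, description) shape the query above returns. The sample records are constructed: the first two are copied from the debugger output above, while the svchost.exe / NT AUTHORITY\SYSTEM line (a Windows Update style restart), the shutdown.exe line, and the 41/6008 texts are assumed formats. Treating "NT AUTHORITY\..." accounts as "the OS did it" is a heuristic you may need to widen for your environment.

```python
"""Classify Windows System-log shutdown/restart records (event IDs 41, 1074, 6006, 6008).

Added example for the forum thread; not part of the original posts or of BigFix.
Input is a list of (event_id, description) pairs, the shape the relevance query
in the thread returns. Descriptions may carry line breaks either as real CRLF
(Get-WinEvent / Event Viewer) or as the %0d%0a escape the relevance debugger prints.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accounts that mean "the operating system initiated it", not an interactive user.
# Assumption: extend this with any service account that legitimately reboots hosts.
SYSTEM_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# The first line of a 1074 description, as seen in the debugger output above.
# The process is whatever called the shutdown API; the user is who it acted for.
_DESC_1074 = re.compile(
    r"The process (?P<process>.+?) \((?P<host>[^)]*)\) has initiated the "
    r"(?P<action>restart|power off|shutdown) of computer (?P<computer>\S+) "
    r"on behalf of user (?P<user>.+?) for the following reason: (?P<reason>.*?)$",
    re.MULTILINE,
)


@dataclass
class ShutdownRecord:
    event_id: int
    verdict: str  # "user", "system", "unexpected", "marker" or "unparsed"
    user: Optional[str] = None
    process: Optional[str] = None
    action: Optional[str] = None
    reason: Optional[str] = None


def classify(event_id: int, description: str) -> ShutdownRecord:
    """Negative logic first (41/6008/6006 never name a user), then parse 1074."""
    if event_id in (41, 6008):
        # Kernel-Power 41 / EventLog 6008: crash or power loss; nobody chose this.
        return ShutdownRecord(event_id, "unexpected")
    if event_id == 6006:
        # "The Event log service was stopped": clean-shutdown marker, no account.
        return ShutdownRecord(event_id, "marker")
    if event_id != 1074:
        return ShutdownRecord(event_id, "unparsed")
    # Normalise both line-break encodings so the regex sees one text per line.
    text = description.replace("%0d%0a", "\n").replace("\r\n", "\n")
    m = _DESC_1074.search(text)
    if not m:
        return ShutdownRecord(event_id, "unparsed")
    user = m.group("user").strip()
    is_system = user.upper() in {a.upper() for a in SYSTEM_ACCOUNTS}
    return ShutdownRecord(
        event_id,
        "system" if is_system else "user",
        user,
        m.group("process"),
        m.group("action"),
        m.group("reason").strip(),
    )


def who_restarted(records: List[Tuple[int, str]]) -> List[Tuple[str, str, str]]:
    """(user, action, process) for every 1074 attributed to a non-system account."""
    hits = []
    for event_id, description in records:
        rec = classify(event_id, description)
        if rec.verdict == "user":
            hits.append((rec.user, rec.action, rec.process))
    return hits


# Constructed sample input. Records 0 and 1 mirror the debugger output in the
# thread; the remaining lines are assumed formats for the other cases discussed.
SAMPLE_RECORDS = [
    (1074, "The process C:\\Windows\\System32\\RuntimeBroker.exe (MyComputer) has initiated the restart "
           "of computer MyComputer on behalf of user HCL\\brolly for the following reason: Other (Unplanned)"
           "%0d%0a Reason Code: 0x0%0d%0a Shutdown Type: restart%0d%0a Comment: "),
    (6006, "The Event log service was stopped."),
    (1074, "The process C:\\Windows\\System32\\svchost.exe (MyComputer) has initiated the restart "
           "of computer MyComputer on behalf of user NT AUTHORITY\\SYSTEM for the following reason: "
           "Operating System: Upgrade (Planned)\r\n Reason Code: 0x80020003\r\n Shutdown Type: restart\r\n Comment: "),
    (1074, "The process C:\\Windows\\System32\\shutdown.exe (MyComputer) has initiated the power off "
           "of computer MyComputer on behalf of user HCL\\brolly for the following reason: "
           "No title for this reason could be found\r\n Reason Code: 0x800000ff\r\n Shutdown Type: power off\r\n Comment: "),
    (41, "The system has rebooted without cleanly shutting down first."),
    (6008, "The previous system shutdown at 3:10:00 PM on 4/23/2020 was unexpected."),
]

if __name__ == "__main__":
    for event_id, description in SAMPLE_RECORDS:
        print(classify(event_id, description))
    print("user-initiated:", who_restarted(SAMPLE_RECORDS))
```

On a live host the same function can be fed the output of `Get-WinEvent -FilterHashtable @{LogName='System'; Id=41,1074,6006,6008}` or of the relevance query above; the "verdict" column is only as good as the 1074 text, so a host that is still powered off, or a reboot driven by a service running as an ordinary account, still needs the last-logged-on-user fallback the thread mentions.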

What is the goal of this reporting? What is the use case?