As in the console (CMD) to see whether you initiated a system shutdown?

Hello!
With this program shutdown.exe you can initiate a reboot/shutdown.
The question is: how to know when the scheduled shutdown/reboot, and what's next, a reboot/shutdown?

For example, I called shutdown.exe such-r-f-t 6000, as it is now in the console to know when there will be a reboot? And restart it to be, and suddenly off?

For what? Want check sarixe to do...
July 9th 19 at 11:20
1 answer
July 9th 19 at 11:22
Solution
Simple API to get such information exists.

-- You can see that the system is running delayed shutdown/restart:
EventLog ID 1074 (STATUS_SHUTDOWN_CLEAN) - the event of a planned restart (including pending)
EventLog ID 1074 (WARNING_ISSE_SHUTDOWN_CANCELLED) - event cancellation restart (including pending)

Delaying the restart using shutdown /t time is a process wlmdr.exewho draws the babble about "Your session will be terminated. The work will be completed through the Windows 111 min".

The presence of fresh EventLog with ID 1074 and availability wlmdr.exe the processes may indicate a planned shutdown/restart. On these two conditions it is possible to build a trigger.

-- You can see that it will be running:
EventLog ID 1074 contains the line "Type of shutdown" (Shutdown Type), which will "Restart" or "power Off" (in English.: reboot or shutdown).

-- Low-level way to learn and as and time:
You can check the status "ShutdownInProgress" and "ShutdownTime" debugger connecting to winlogon.exe.

https://blogs.msdn.microsoft.com/ntdebugging/2007/...

Of course this is a much more difficult way, which is not very suitable for mass implementation sabbirsa on employee workstations.
in the event 1074 no data on what the-t option was specified:
- <event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <system>
 <provider name="User32" guid="{b0aa8734-56f7-41cc-b2f4-de228e98b946}" eventsourcename="User32"> 
 <eventid qualifiers="32768">1074</eventid> 
 <version>0</version> 
 <level>4</level> 
 <task>0</task> 
 <opcode>0</opcode> 
 <keywords>0x8080000000000000</keywords> 
 <timecreated systemtime="2016-05-26T17:52:49.127477700 Z"> 
 <eventrecordid>68769</eventrecordid> 
 <correlation> 
 <execution processid="456" threadid="504"> 
 <channel>System</channel> 
 <computer>WSUS</computer> 
 <security userid="S-1-5-21-481101324-1246693978-2159924419-4915"> 
</security></execution></correlation></timecreated></provider></system>
- <eventdata>
 <data name="param1">C:\Windows\system32\shutdown.exe (WSUS)</data> 
 <data name="param2">WSUS</data> 
 <data name="param3">the Reason listed</data> 
 <data name="param4">0x800000ff</data> 
 <data name="param5">Restart</data> 
 <data name="param6"> 
 <data name="param7">support</data> 
</data></eventdata>
 </event>
- minnie.Shields87 commented on July 9th 19 at 11:25
: Usually it is transmitted in param6. You have it empty.
Here's how it usually looks: https://i.imgur.com/E9ddojF.jpg

I assume You have on the screen was a signal from WSUS on an instant restart. - Carli commented on July 9th 19 at 11:28
: no, shutdown-r -f-t 6000, tried on my computer ( win 10) on the domain and not the domain. The result is the same
- <event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <system>
 <provider name="User32" guid="{b0aa8734-56f7-41cc-b2f4-de228e98b946}" eventsourcename="User32"> 
 <eventid qualifiers="32768">1074</eventid> 
 <version>0</version> 
 <level>4</level> 
 <task>0</task> 
 <opcode>0</opcode> 
 <keywords>0x8080000000000000</keywords> 
 <timecreated systemtime="2016-05-26T18:33:30.167601300 Z"> 
 <eventrecordid>26767</eventrecordid> 
 <correlation> 
 <execution processid="460" threadid="620"> 
 <channel>System</channel> 
 <computer>DESKTOP-LO9A11R</computer> 
 <security userid="S-1-5-21-3527467583-512056185-1310179951-1001"> 
</security></execution></correlation></timecreated></provider></system>
- <eventdata>
 <data name="param1">C:\Windows\system32\shutdown.exe (DESKTOP-LO9A11R)</data> 
 <data name="param2">DESKTOP-LO9A11R</data> 
 <data name="param3">the Reason listed</data> 
 <data name="param4">0x800000ff</data> 
 <data name="param5">Restart</data> 
 <data name="param6"> 
 <data name="param7">DESKTOP-LO9A11R\user</data> 
</data></eventdata>
 </event>
- minnie.Shields87 commented on July 9th 19 at 11:31
: on 2008r2 checked writes. - minnie.Shields87 commented on July 9th 19 at 11:34
: Sory for disinfo, EventLog do not write this information. param6 is the comment (-c "comment").

I updated my answer with a more detailed analysis of the topic. - Carli commented on July 9th 19 at 11:37
: apparently, the easiest way is to specify the-c switch and it write the same as in -t.
To restart the server, expect script is called from sabinsa, in response to the trigger, so the-c is quite acceptable. Thank you for your help. - minnie.Shields87 commented on July 9th 19 at 11:40
: Yes, it would have been easier.
From the condition of the question, I decided that restarts runs someone else, i.e., control -c no. =) - Carli commented on July 9th 19 at 11:43

Find more questions by tags cmd/batSystem administrationWindows