6 Replies Latest reply on Apr 26, 2006 12:21 PM by Greg Kullberg

# Auditing for server requiring reboot

On behalf of Phil Pergola:

Anybody know if there is a setting I can check in an audit to see if a server requires a reboot after a hotfix? Merck is concerned that some servers that have been patched are not actually getting rebooted. We were hoping to use an audit to report on this. I need to figure out if there is a native setting we can audit or if we could use an extended object. Any thoughts this AM would be appreciated.

• ###### 1. Re: Auditing for server requiring reboot

On behalf of Damon Miller

Phil--There are at least four places in the registry where this information is stored. The general concept is called a "pending rename" operation, and Microsoft has implemented it as a registry key or keys where the system looks while it's booting. During the boot process, it is supposed to rename the new files (usually DLLs or drivers) to put them in place before the OS locks them as it loads them. Here are the four primary locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If there is anything in these locations aside from the "(Default)" value, it implies that the system has not yet completed some action, and that a reboot is required.

Damon

• ###### 2. Re: Auditing for server requiring reboot

Has anyone out there ever had any success with this? I have a deploy job I ran against ten servers. The job ran successfully, but afterwards half of them showed in the Simulate column "Copy on reboot files present - ignoring". How exactly do we do a check for this?

The reason I ask is that afterwards I created an audit of the registry items Damon noted above and ran it against the same group of servers. My master was a server that did not need a reboot. When I ran the audit, my results were very different from what I expected, with some servers that needed reboot from the deploy job not showing any differences in the audit, and other various differences.

Is there an easy way to check if a server needs reboot? How do we do this behind the scenes? I'm trying to write a script that checks if a Windows server needs reboot and if so set a NEEDS_REBOOT property against that server.

• ###### 3. Re: Auditing for server requiring reboot

I researched this when I was over there, Greg. I think we could use system info more efficiently than this, but I found this little script from TechNet:

http://www.microsoft.com/technet/community/columns/scripts/default.mspx#E4BAC

This script cannot be run against remote computers.

```vbscript
Set objSysInfo = CreateObject("Microsoft.Update.SystemInfo")

If objSysInfo.RebootRequired Then
    Wscript.Echo "This computer needs to be rebooted."
Else
    Wscript.Echo "This computer does not need to be rebooted."
End If
```



• ###### 4. Re: Auditing for server requiring reboot

I found that page you're referencing and already have a script which creates the VBScript on the target machine, executes it, and then echoes whether or not the server needs to be rebooted.

However, when I run the VBScript against some of my target hosts that should be rebooted based on the Simulate stage of my deploy job, the VBScript still says that they don't need to be rebooted.

• ###### 5. Re: Auditing for server requiring reboot

The two places I would look are:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

Value name: PendingFileRenameOperations

Data type: REG_MULTI_SZ

Value data: \??\c:\original\path\oldfile.txt !\??\c:\new\path\newfile.txt

Also, Windows 95 used to employ wininit.ini for this stuff, but generally installers use the above registry-based method or even both. If we take a look in the wininit.ini file, we should see something like:

NUL=C:\path\to\file\new.txt

C:\path\to\another\file\original.txt=C:\path\to\another\file\destination.txt

These two methods and the RunOnce keys mentioned by Damon should cover pending file renames due to patching.

http://support.microsoft.com/?kbid=181345

http://support.microsoft.com/default.aspx?scid=kb;en-us;140570
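
A local check over the registry locations listed in replies 1 and 5, as an added PowerShell example that is not from any poster in this thread or from the product being discussed. The function name `Get-PendingRebootEvidence` and the `NEEDS_REBOOT=` output line are illustrative, and the pair layout of `PendingFileRenameOperations` is assumed from the documented behaviour of `MoveFileEx`.

```powershell
# Added example (not from the thread): collects evidence of a pending reboot
# from the registry locations named in replies 1 and 5. Run locally on the
# target; HKCU is the hive of whichever account runs the script.
function Get-PendingRebootEvidence {
    $evidence = @()

    # Reply 1: anything under these keys besides "(Default)" is unfinished work.
    $runOnceKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $runOnceKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        # GetValueNames() reports "(Default)" as an empty name; skip it.
        $names  = @($key.GetValueNames() | Where-Object { $_ -ne '' })
        # Subkeys also count as "anything in these locations".
        $names += @($key.GetSubKeyNames())
        foreach ($name in $names) {
            $evidence += [pscustomobject]@{ Location = $path; Entry = $name; Action = 'pending run-once entry' }
        }
    }

    # Reply 5: REG_MULTI_SZ read as (source, destination) pairs.
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = Get-ItemProperty -LiteralPath $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    $ops = @()
    if ($val) { $ops = @($val.PendingFileRenameOperations) }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i]
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        if (-not $src) { continue }
        # Assumption from MoveFileEx behaviour: empty destination = delete,
        # leading "!" on the destination = replace an existing file.
        $action = if ($dst) { "rename to $($dst.TrimStart('!'))" } else { 'delete' }
        $evidence += [pscustomobject]@{ Location = $sm; Entry = $src; Action = $action }
    }
    return $evidence
}

$found = @(Get-PendingRebootEvidence)
if ($found.Count -gt 0) { $found | Format-Table -AutoSize; 'NEEDS_REBOOT=true' } else { 'NEEDS_REBOOT=false' }
```

Reporting each entry rather than a bare yes/no makes it easier to see which source disagrees when a deploy tool and an audit give different answers for the same server.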