This project is read-only.

Trying to detect "Shutdown.exe /r /t 1000"

Topics: Archive - General
Jan 28, 2015 at 7:23 PM
Trying to detect "Shutdown.exe /r /t 1000"

I came close with ideas from this

which translated to PS I get:
$m = [System.Windows.Forms.Message]
$msg=$m.GetProperty("msg") #returns $null
Even found something here but it wasn't usable (

Do I really need to go through [System.Windows.Forms] just to get the MSG property to read/detect WM_QUERYENDSESSION?

PS: I'm no C# wiz, I just get by in PowerShell.
Jan 29, 2015 at 10:44 PM
Edited Jan 29, 2015 at 10:44 PM
I ended up using this clunky but effective code:
shutdown.exe /a 2>&1 | out-null
switch ($LASTEXITCODE) {
    0 {
        Write-Host "pending shutdown was stopped"
    1116 {
        Write-Host "No pending shutdown found"
    default {
        Write-Host "ABNORMAL: shutdown.exe /a returned $LASTEXITCODE"
It was either this or hunt event codes 1074/1075 in the event logs.
Shutdown.exe must use user32.dll because User32.dll puts out event ID 1074/1075
BTW: There are no registry changes or tasks created when you schedule a shutdown.