Hello. I am wondering if someone managed to monitor whether a Windows host has a restart pending or not with WMI . My Approach was the "Setup" Eventlog (event id 4), which, unfortunately, seems not to be accessible through WMI.

Any Ideas?

We use Opsview to check the

We use Opsview to check the Event logs for a number of things. This is a typical check that we use, this one checks for an unexpected restart (system crash and auto restart)

check_nrpe -H $HOSTADDRESS$ -t 90 -c nsc_CheckEventLog -a 'filter=new file=system filter+generated=<12h filter+eventID==6008 filter=in filter=all descriptions truncate=200 unique "syntax=%Severity%: %Count%: EventID:%id%, %message% " MaxCrit=1'

Basically it sets a critical alert if one instance of EventID 6008 is found in the system log in the last 12 hours. We use 12 hours as it means we're alerted in the morning if a server has crashed overnight. We also get the incident logged of course, but a nice red block on the screen is immediately noticeable first thing in the morning ;)

Alternatively, you could write a powershell script using Get-Eventlog to check the setup log - you'd have to be careful to ensure that your code checks each PackageIdentifier (KB number) for a pending and matching subsequent 'installed' status though.


thanks for your suggestion. I am running an agentless approach here, so check_nrpe is no option for me.

PowerShell script
This looks to be very useful

This looks to be very useful functionality - I'll see if we can get it included (or something very similar) in our agent and agentless solutions.