Morning all.
Has anyone obtained or created (which they are happy to share) a document which defines the system changes made whenever XP and/or Vista is shut down normally, rather than having its power pulled? It would be great to have any reference as a backdrop to my forthcoming testing.
If not, has anyone ever been challenged by a lawyer to define the same? If so, in the absence of verified documentation, how did you approach the question?
Guess what I'm expecting in my next witness conference. Sometimes I do feel the client should face some tough questions lol
Here there is helpful information about the ExitWindowsEx() and InitiateSystemShutdownEx() functions. It's a basic overview but should give you some good references.
You might find evidence of an "other than normal shutdown" or "unexpected shutdown" by looking for Event ID 6008.
If you think it might help with supporting documentation in your case, search support.microsoft.com for that event ID or shutdown-related event IDs.
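As an added example (not posted by anyone in this thread), the following PowerShell script pulls the shutdown-related events from a System log into a sorted timeline, labelling the 6008 "unexpected shutdown" entries mentioned above alongside the standard 6005/6006 (Event Log service start/stop) and 1074 (shutdown initiated by a process or user) IDs. It assumes either the live log on a Vista-or-later machine or an exported .evtx file passed via the hypothetical -EvtxPath parameter; XP's older .evt format is not handled by Get-WinEvent.

```powershell
# Added example: build a shutdown/startup timeline from the System event log.
# Works against the live log or an exported .evtx (Vista and later format).
param(
    [string]$EvtxPath  # optional path to an exported System .evtx; omit for the live log
)

# Event IDs of interest and what each one indicates (standard Windows IDs)
$labels = @{
    6005 = 'Event Log service started (system boot)'
    6006 = 'Event Log service stopped (clean shutdown)'
    6008 = 'Previous shutdown was unexpected (power loss/crash)'
    1074 = 'Shutdown/restart initiated by a process or user'
}

$filter = @{ LogName = 'System'; Id = @($labels.Keys) }
if ($EvtxPath) {
    # An exported log is queried by path instead of by channel name
    $filter.Remove('LogName')
    $filter['Path'] = $EvtxPath
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$timeline = foreach ($e in $events) {
    $detail = ''
    $props  = $e.Properties | ForEach-Object { $_.Value }
    if ($e.Id -eq 1074) {
        # 1074 records the requesting process, the shutdown type and the account
        $detail = "process=$($props[0]) type=$($props[4]) user=$($props[6]) reason=$($props[2])"
    } elseif ($e.Id -eq 6008) {
        # 6008 carries the last date/time the system is known to have been running
        $detail = "last seen alive: $($props[1]) $($props[0])"
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Event  = $labels[[int]$e.Id]
        Detail = $detail
    }
}

$timeline | Format-Table -AutoSize
```

A clean shutdown should appear as a 1074 followed by a 6006, with the next 6005 marking the reboot; a 6008 between two boots with no 6006 before it is the pattern to look for when power was pulled.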
Douglas provided good information. It talks about logging shutdown, but I miss where it specifies the location where the info is written.
The log file is a good area as well but certainly not an absolute record. Doing event log file analysis (check out Windows Forensic Analysis 2E - Chapter 5 for some great pointers) can help set a timeline for events and recorded shutdown events.