92
13
Actually, this question struck me because of power cuts in my house. When there is a power cut, there is a sudden loss of power from the computer.
How does the computer know that the shutdown was not properly done?
92
13
Actually, this question struck me because of power cuts in my house. When there is a power cut, there is a sudden loss of power from the computer.
How does the computer know that the shutdown was not properly done?
104
Windows also uses the Dirty Bit method to detect whether the PC was shut down properly:
When powered off as normal, the bit is switched off. However, in case of power outage or improper (forced) shutdown, the bit will still be on the next time the PC is started.
This means that Windows can suggest remedial action - such as booting into Safe Mode.
In addition a Windows based PC will write an entry into event log detailing when and why (if known) it was shut down. It also writes an event when the PC starts up.
When the PC restarts it can check the event log and if it doesn't find a "shut down event" after the last "start up" event it knows that the PC wasn't shut down properly and there may be issues due to unsaved data etc.
121
For non-Windows based PCs, the detection is usually done on a per-filesystem basis. When a filesystem is mounted in read/write mode, an entry is written to the filesystem marking it dirty. When the filesystem is unmounted, an entry is written marking it clean. On startup, the operating system checks if its core filesystems are marked dirty, and if so it knows there wasn't a clean shutdown -- at least of those filesystems.
29+1 because the question is not asking about a specific OS. – Trevor Boyd Smith – 2012-09-26T12:54:34.510
42
In Windows, according to the authors of Windows Internals, 5th ed., it is the bootstat.dat file (located by default in the \boot directory of the system partition):
Windows uses a boot status file ... to record the fact that it has progressed through various stages of the system life cycle, including boot and shutdown. This allows the Boot Manager, Windows loader, and the Startup Repair tool to detect abnormal shutdown or a failure to shut down cleanly and offer the user recovery and diagnostic boot options ...
To contrast this with ChrisF's answer - the "dirty bit" maintained by each file system is for the state of that file system only; it is not system-wide. Note that you can "safely disconnect" a removable hard drive - this clears the dirty bit for that filesystem - and then an unexpected shutdown could occur after that. – Jamie Hanrahan – 2018-09-23T01:50:03.173
3Source of quote? – Paul DelRe – 2012-09-26T21:21:20.267
23"Windows Internals" by Mark Russinovich and David Solomon with Alex Ionescu, page 1010. – artm – 2012-09-26T21:55:46.980
0
On some computers, an OS independent method may be set in the hardwares BIOS. It depends on the computer vendor and supplier of the BIOS.
The mojors include American Megatrends Inc. (AMI), Award and Phoenix Technologies. Look at these manufacturers for specifics.
2Rather than just waving your hand and saying "the information is out there", how about actually linking to some relevant references? – G-Man Says 'Reinstate Monica' – 2015-05-04T00:30:12.530
2Isn't David's answer below more accurate? I thought NTFS had a 'dirty bit' which the FS detects when mounted. I have always assumed that the Event log is just a log of what is found rather than the actual detection and reasoning behind it? – HaydnWVN – 2012-09-26T09:21:09.303
@HaydnWVN - With Windows Server editions when you shut down you have to enter a reason so I thought it used that, but it could use the event log as a back up for the dirty bit. I'll have to do some more digging. – ChrisF – 2012-09-26T09:25:34.923
3
But in an unplanned power-off situation (with no UPS obviously) the shutdown would be 'unexpected' (mentioned by Event log). Great info here
– HaydnWVN – 2012-09-26T09:54:51.090If a program initiates an I/O operation that alters the structure of an NTFS volume - that is, changes the directory structure, extends a file, allocates space for a new file, and so on - NTFS treats that operation as an atomic transaction. It guarantees that the transaction is either completed or, if the system fails while executing the transaction, rolled back.
So NTFS itself is capable of 'detecting' (and repairing) the power-off. I dare say Event log just queries this and logs it! :) – HaydnWVN – 2012-09-26T09:56:58.293
3@HaydnWVN The filesystem dirty bit is used to identify an abnormal dismount, so that the OS knows that the filesystem may be in an indeterminate state, and can run a diagnostic (e.g.
chkdsk
) to identify potential filesystem problems. This is why you get the repair dialog sometimes when plugging in USB drives that weren't properly removed. In contrast, the term "dirty bit" simply means a field that is set, and unset later when proper termination of the system or device runtime occurs. An improper termination leaves the field set, so it is recognised upon the next initialisation of the device. – Polynomial – 2012-09-26T15:09:19.3301@ChrisF That requirement can be switched off in group/local policy. And will be bypassed if switched off via something like a VM host's control panel. Better to rely on events Kernel-General #12 (normal shutdown) and EventLog #6002 (last shutdown was unexpected). If it was a BSOD there should be a BugCheck #1001 as well. (All events: source #id.) – Richard – 2012-09-26T15:23:02.463
1First, how is that bit's state maintained in volatile memory after a power cycle? What about dual-booting? The wikipedia quote reads like conjecture - though I haven't read the Operating System Concepts book it references.
Second, the idea that Windows reads the event log to determine if a clean shutdown occurred is obviously incorrect.
The answer pointing to bootstat.dat for Windows is far more likely to be correct than either of these guesses, partly because it makes more sense, but mostly because of its cited source. – hemp – 2012-09-27T01:33:43.353
@Polynomial Thanks for the info and clarification! Was 99% certain that Windows wouldn't rely on system events to determine Filesystem state. It seems David's answer and kreemoweet's were much more accurate than ChrisF's original, kudos to ChrisF for updating. – HaydnWVN – 2012-09-27T07:12:05.050