I'd like to know what is the Windows API function (if any exists) that provides information about the last Windows reboot source. There are three main possible causes:

1. The computer crashed on a blue screen
2. A user or a program shutdown/restarted the computer
3. A power lost

The more details I can get the better. However, I need to know at least which reason it is from the main ones.

I need to support Windows Vista and Windows 7.

Answer:

It seems that there is no direct API to get that information. Instead, we have to harvest the Windows Event Log. System reboot information is located in Event Viewer/Windows Logs/System. Here is the various information provided by the event ids:

• 6005: Windows start-up
• 6006: Windows shutdown (properly)
• 6008: Windows shutdown (unexpectedly)

I do not yet get the difference between power lost and system crash, but it's a good start.

This article explains in detail how to find the reason for last startup/shutdown. In my case, this was due to windows SCCM pushing updates even though I had it disabled locally. Visit the article for full details with pictures. For reference, here are the steps copy/pasted from the website:

1. Press the Windows + R keys to open the Run dialog, type eventvwr.msc, and press Enter.

2. If prompted by UAC, then click/tap on Yes (Windows 7/8) or Continue (Vista).

3. In the left pane of Event Viewer, double click/tap on Windows Logs to expand it, click on System to select it, then right click on System, and click/tap on Filter Current Log.

4. Do either step 5 or 6 below for what shutdown events you would like to see.

5. To see the dates and times of all user shut downs of the computer

   A) In Event sources, click/tap on the drop down arrow and check the USER32 box.

   B) In the All Event IDs field, type 1074, then click/tap on OK.

   C) This will give you a list of power off (shutdown) and restart shutdown type of events at the top of the middle pane in Event Viewer.

   D) You can scroll through these listed events to find the events with power off as the shutdown type. You will notice the date and time, and what user was responsible for shutting down the computer per power off event listed.

   E) Go to step 7.

6. To see the dates and times of all unexpected shut downs of the computer

   A. In the All Event IDs field type 6008, then click/tap on OK.

   B. This will give you a list of unexpected shutdown events at the top of the middle pane in Event Viewer. You can scroll through these listed events to see the date and time of each one.

7. When finished, you can close Event Viewer.

Other useful event IDs (source)

Take a look at the Event Log API. Case a) (bluescreen, user cut the power cord or system hang) causes a note ('system did not shutdown correctly' or something like that) to be left in the 'System' event log the next time the system is rebooted properly. You should be able to access it programmatically using the above API (honestly, I've never used it but it should work).

You may automate your investigation for the last 5 days with this powershell script:

$today = Get-Date
$startDay = $today.AddDays(-5)
$eventIds=(6005,6006,6008,6009,1074,1076,12,13,43,109)
$systEvents=Get-WinEvent -LogName System 
$rebootEvents=$systEvents| Where-Object {$_.TimeCreated -gt $startDay} | Where-Object {$_.Id -in $eventIds}  
format-table TimeCreated,Id,Message -AutoSize -wrap -InputObject $rebootEvents

There is a simple way using powershell.

powershell "Get-WinEvent -FilterHashtable @{logname = 'System'; id = 1074, 6005, 6006, 6008} -MaxEvents 6 | Format-Table -wrap"

you can set the max events to display too.