Hi there,
we've combined the data from a few queries to present an all-in-one view of devices which need to be rebooted by returning the total uptime, the last time a Microsoft patch was installed, and if there are any pending restart requests.
-- Recommended use: export results, filter devices reporting results in the "Reboot pending evidence" column,
-- then sort by "Uptime (decimal days)", descending. Reboot the longest running machines first.
-- Then sort by "Latest MS patch install date", ascending, and check for updates on the machines
-- which have not had an update applied for the longest time.
--
-- Thanks to Sophos Rapid Response team and Mike Graves for their input with this query
WITH
daysup AS (
    SELECT CAST((1.0*total_seconds) / (86400*1.0) AS DECIMAL) AS "Uptime (decimal days)"
    FROM uptime
),
lastpatch AS (
    SELECT installed_on AS "Latest MS patch install date"
    FROM patches
    ORDER BY installed_on DESC
    LIMIT 1
),
reboot AS (
    SELECT
        CAST(group_concat(path, CHAR(10)) AS TEXT) AS "Reboot pending evidence"
    FROM
        registry
    WHERE
        (path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations')
        OR (path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2')
        OR (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile' AND data != 0)