Tags: c++, windows, safe-mode

How to determine if previous Windows boot was a Safe Mode boot?


I have some monitoring software that users are attempting to bypass by booting Windows in Safe Mode. I can't prevent this, since any change I make to the boot menu programmatically can be undone manually, but it would be useful to know if the previous boot was in Safe Mode because that is potential evidence of tampering.

I know I can use GetSystemMetrics() to find out what the current boot state is, but I'm wondering if there's any record of the immediately previous boot.


Solution

  • Yes, you can tell this via eventvwr.exe. In Windows Logs\System, there will be an event with ID 12 from source "Kernel-General".

    This event's description is:

    "The operating system started at system time <timestamp>"
    

    In the details for this event, the event is tagged with "BootMode". A value of 0 indicates normal boot, a value of 1 indicates SafeMode.
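As an added example (not part of the original answer), the following PowerShell script pulls the same Kernel-General event 12 records the answer points to and decodes the BootMode field from each record's EventData, so the check can be scripted instead of read off in Event Viewer. The function name Get-BootModeHistory is my own; Get-WinEvent and the provider name Microsoft-Windows-Kernel-General are the standard Windows names. The closing check for event 104 from the Microsoft-Windows-Eventlog provider (the "System log was cleared" record) is an addition beyond what the answer covers, included because a missing boot history is itself a signal worth reporting.

```powershell
# Added example, not code from the original question or answer.
# Assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows; reading the
# System log normally requires membership in Event Log Readers or Administrators.

function Get-BootModeHistory {
    [CmdletBinding()]
    param(
        # Number of most recent boot records to return (newest first).
        [int]$Count = 10
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 12
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction Stop |
        ForEach-Object {
            # The rendered message only carries the timestamp; BootMode lives in
            # the EventData payload, so parse the XML view of the record.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $mode  = [int]$data['BootMode']
            $label = switch ($mode) {
                0       { 'Normal' }
                1       { 'Safe Mode' }
                default { "Unknown ($mode)" }   # values other than 0/1 are not described in the answer
            }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                BootMode    = $mode
                Label       = $label
                IsSafeMode  = ($mode -eq 1)
            }
        }
}

# The newest event 12 is the current boot; the one after it is the previous boot.
$boots = @(Get-BootModeHistory -Count 2)
if ($boots.Count -ge 2) {
    $previous = $boots[1]
    "Previous boot at $($previous.TimeCreated): $($previous.Label)"
    if ($previous.IsSafeMode) {
        Write-Warning 'Previous boot was in Safe Mode; record it as possible tampering with the monitoring agent.'
    }
} else {
    'Fewer than two boot records found in the System log.'
}

# Detection caveat (my addition): a short or empty boot history may mean the System
# log was cleared. Event 104 from Microsoft-Windows-Eventlog records a cleared log.
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
if ($cleared) { Write-Warning "System log was cleared at $($cleared.TimeCreated); boot history before that point is gone." }
```

Run it from an elevated prompt on the monitored machine; Get-BootModeHistory -Count 50 piped to Format-Table gives the full recent boot history, which is more useful as tamper evidence than the single previous boot, since a Safe Mode boot two restarts ago is just as relevant.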