[RESOLVED] Executing a InitiateSystemShutdown() from a service running as Local System

[DeepT]

We have this computer management tool that runs as a service, which runs as Local System. I have been asked, to write something that will enable some administrators to shut down a bunch of computers at some designated time. I think this is a bad idea, but my opinion in this matter is not being asked.

The InitiateSystemShutdown Function requires the SE_SHUTDOWN_NAME privilege.

Local System Account has this privilege, but it is disabled.

I have been reading the API stuff on AdjustTokenPrivileges Function, but I am getting a bit confused.

I am confused on two fronts. The first is, do I have all the privileges to enable the SE_SHUTDOWN_NAME privilege on "Local System".

The next is, how do I do that? I am not sure how to get the current process access token. Furthermore, my experience with tokens is to get a token, and then to "CreateProcessWithTokenW".

What is different here is that I want to affect the current token I am running under to execute an API call I am not normally allowed to call.

To make it harder, I can't debug and test very well because I am not running as Local System. Admin users can shut down the system, so that would succeed for me if I were trying to test.

If anyone has some code snippets I can build around, I would greatly appreciate it.

[dc_2000]

The InitiateSystemShutdown Function requires the SE_SHUTDOWN_NAME privilege.
.

Well, if you follow your own link and scroll all the way down that page you'll see an example of how you can adjust that privilege:
http://msdn.microsoft.com/en-us/libr...61(VS.85).aspx

[DeepT]

I am not sure I understand that Java code, but I might make sense of it. That works for local system, right? It seems you just OpenProcessToken from the current process, then lookup the LIUD, and then adjust the privilege and in place, you instantly get the ability to use that function. No impersonation or anything.

Ill pursue it and see.

Oh, and that link isn't to any page I linked to.

[dc_2000]

I am not sure I understand that Java code...

You need the code sample from MSDN page, not the user comment at the bottom. The sample is written in C++, but if you need Java help then you're posting in the wrong forum.

[DeepT]

No, this is a c++project.

[AstroTux]

Hi,

It says [RESOLVED], but I don't see a hint of a solution?

I'm currently trying to achieve the same thing, also from a service. Despite following the example to the letter, it doesn't work *IN A SERVICE*.

HOWEVER... as a stand-alone EXE running from a normal admin account - no problems.

HOW was this resolved? My code is in assembler, but those that understand C++ should at least see how it is working sufficiently to spot any errors with what I'm doing from an API stand-point:

Code:

	invoke GetCurrentProcessId

	invoke OpenProcessToken, eax, TOKEN_ADJUST_PRIVILEGES, addr hToken

	mov TP.PrivilegeCount, 1
	mov TP.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED

	invoke LookupPrivilegeValue, ebx, addr SEShutName, addr TP.Privileges[0].Luid

	invoke AdjustTokenPrivileges, hToken, FALSE, addr TP, NULL, NULL, NULL

	invoke InitiateSystemShutdown, 0, 0, 0, TRUE, FALSE

eax is a register, but you can consider it a 32-bit variable if it helps. Functions return their results in eax unless the API defines otherwise.

I've also tried running the service as Administrator, and even permitted it to interact with the desktop, but none of this worked.

Best regards,
AstroTux.