Workaround for Shutdown.exe LUA bug


The “shutdown.exe” command-line utility in Windows XP has a LUA bug that prevents non-admin users from using it to shut down or restart the computer.  There is a simple workaround.


Shutdown.exe offers a number of command-line options, including the ability to shut down a remote system (assuming you have the privilege to do so on the remote machine).  The problem is that when something other than “logoff” is specified, Shutdown.exe tries to enable both the SeShutdownPrivilege (“Shut down the system”) and the SeRemoteShutdownPrivilege (“Force shutdown from a remote system”), even if local shutdown or reboot is all that is being requested.  On XP, Users have SeShutdownPrivilege by default, but they don’t have SeRemoteShutdownPrivilege.


The workaround:  Grant “INTERACTIVE” the SeRemoteShutdownPrivilege.


How to do it (requires admin privileges):  Open Administrative Tools \ “Local Security Settings”.  Navigate to Security Settings \ Local Policies \ User Rights Assignment.  Double-click “Force shutdown from a remote system” in the right pane.  Click “Add User or Group”.  Enter the name INTERACTIVE in the text box and click “Check names”, then click OK, and OK again.


Does granting this privilege this way open up the computer to remote attack?  No.  The “INTERACTIVE” SID appears in the user’s token only in the interactive logon session.  Remotely invoked code does not have INTERACTIVE in its token.
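The same change applied with secedit.exe rather than the Local Security Settings snap-in, as an added example that is not part of the original post. It assumes an elevated (administrator) PowerShell session on the machine being configured and uses temporary file names of its own choosing; S-1-5-4 is the well-known SID of NT AUTHORITY\INTERACTIVE.

```powershell
# Added example (not code from the original post): grant NT AUTHORITY\INTERACTIVE
# the SeRemoteShutdownPrivilege ("Force shutdown from a remote system") with
# secedit.exe instead of the Local Security Settings snap-in.
# Assumptions: this runs in an elevated (administrator) PowerShell session on the
# machine being configured; the file names under $env:TEMP are this example's own.

$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
$interactiveSid = '*S-1-5-4'      # well-known SID of NT AUTHORITY\INTERACTIVE

# 1. Export only the User Rights Assignment area of the local security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed (is this an elevated session?)' }

# 2. Append *S-1-5-4 to the SeRemoteShutdownPrivilege line, keeping the existing
#    holders (by default Administrators, *S-1-5-32-544). The line is only present
#    in the export when at least one principal holds the right.
$found = $false
$lines = @(foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*SeRemoteShutdownPrivilege\s*=\s*(.*)$') {
        $found = $true
        $holders = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($holders -contains $interactiveSid) {
            Write-Host 'INTERACTIVE already holds SeRemoteShutdownPrivilege; nothing to change.'
        } else {
            $holders += $interactiveSid
        }
        'SeRemoteShutdownPrivilege = ' + ($holders -join ',')
    } else {
        $line
    }
})
if (-not $found) {
    throw 'No SeRemoteShutdownPrivilege line in the export (nobody holds the right); add it under [Privilege Rights] by hand.'
}

# 3. secedit reads .inf templates as UTF-16LE, so write the file back as Unicode,
#    then apply just this area. Other rights and policy settings are left untouched.
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

Remove-Item $cfg, $db -ErrorAction SilentlyContinue
Write-Host 'Done. Users must log off and back on for the right to appear in their token.'

# 4. Check from an ordinary user's console session (not from a scheduled task or a
#    network logon, whose tokens do not carry INTERACTIVE). whoami.exe is built in
#    from Windows Vista on; on XP it comes with the Support Tools download.
#      whoami /groups | findstr /i S-1-5-4          -> NT AUTHORITY\INTERACTIVE is listed
#      whoami /priv   | findstr /i SeRemoteShutdown  -> the right is listed (state "Disabled"
#                                                       until shutdown.exe enables it)
```

Granting the right to the INTERACTIVE SID rather than to a named account is what keeps the change safe: a named account would hold SeRemoteShutdownPrivilege on network logons as well, whereas INTERACTIVE appears only in console-session tokens. For the same reason a scheduled task running with nobody logged on does not pick up the right (see the discussion of BATCH and SERVICE in the comments). To roll the setting out to many machines, set the same right in a domain Group Policy object under Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment instead of running the script on each host.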

Comments (36)

  1. Jonathan says:

    I presume shutdown.exe will be fixed, at least for Vista?

  2. Thanks a million Aaron. You made my day by providing the trick in using “Shutdown.exe” under non-admin users. Keep it coming my man, you are the greatest!

  3. somarr says:

    OK. So I have given my LUA the listed rights for a machine. I remotely attempt to shut down the machine I had just given those rights and I receive “A required privilege is not held by client.” As a sidenote, I happen to be running the shutdown command from a RunAs prompt. Any ideas?

    I am trying to create a batch script for a tester to reboot his assigned machines.

  4. Lee says:

    Interesting — it had never occurred to me that this was an issue. I’ve always been running it from my MakeMeAdmin window!

  5. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  6. Hell Baron says:

    There is another computer virus targeting Windows machines. This is not a surprise, I mean that Windows has always been a target and always will be as long as people always run Windows as Administrator instead of an unprivileged account. Apparently it is an e-mail virus requiring a less than intelligent person to click on a link in the e-mail and activate the virus. Although with Internet Explorer you can just visit a web page and you are infected. That is why a browser like Opera is a better choice. Or Firefox 1.7. Some websites have mp3’s for download and require you to download some software first before you can download their files. But of course it contains a Trojan Horse and you are infected. Infecting Windows has never taken much effort on the part of the spy-ware authors. Especially those types who still run Windows ’98. That OS is really insecure. But then again, so is Windows XP SP1. That is very insecure. People assume the Windows XP service pack 2 firewall is secure, but I am sure it is not. Not as secure as a dedicated Smoothwall box. Windows needs to run with more strict permissions and have greater control over which files are writable by the normal user. But that would be too much hassle for the usual Windows users who prefer to run as administrator, since they think they are gods to Computing. Slashdot fan-boys I am looking at you. And yes I am a Slashdot person but I do not run Windows, and I do not run my computer that way. I run Linux with strict file permissions and a password on sudo. Some people just have it set up to run any command without a password but that is silly indeed. An American man is suing Apple because their Ipod music player can cause deafness… Turn down the volume you loser! Americans crack me up when they behave like that.

  7. Can this action be scripted and done automatically?

  8. Michał Szkutnik – it could be applied through Group Policy, through a startup script (not a logon script), and possibly through the "Restricted Groups" feature of GP.

  9. Brian Paul says:

    I am scheduling Shutdown.exe to run thru the task scheduler.  This workaround works fine if a person is logged in, but if it’s at the login screen, it will not perform a shutdown.  Aaron, is there a way to make this work for a power user when the computer is at the login screen?

  10. Brian Paul – A program started from the task scheduler with no one logged on will (I’m quite sure) not have INTERACTIVE in its token.  You could try granting the privilege to the user account you’re configuring it to run as, but be aware that that grants the privilege to that account for a real remote shutdown.  You might also try granting the privilege to "BATCH" instead of "INTERACTIVE" – I can’t remember what logon type task scheduler processes use.  If that doesn’t work, "SERVICE" might.

  11. Josh says:

    When I want to remotely shut down computers, some computers will work and some computers will not.  It will say "cannot find network path".

    Any Ideas?

  12. Euan says:

    You might need to put the PC name like \\PCName instead of PCName.

    Or try pinging the computer name to be sure it’s connected to the network.

  13. Matt M says:

    for "shutdown.exe -s -m \PCName" would work for windows 2000, and windows xp pro, but not for windows xp home. I have not found any info on why XP home has an issue with receiving remote shutdown commands from shutdown.exe

  14. @Matt M – do you have Simple File Sharing turned on on the XP Home box?  That will cause all remote users to authenticate as Guest, which can’t do a remote shutdown.  (There may be other causes as well.)

  15. Ryan says:

    Is there another way to shut down the PC if I don’t have the “start” button, I can’t right-click on the desktop and Alt+F4 is not allowed?

    Ctrl-Alt-Del + “Shut Down”?  (Is this a machine you’re supposed to be able to shut down, or a kiosk system?)

    — Aaron

  16. Noah P says:

    I tried to add more permissions, and I am still getting access denied.  I have these two machines that have 2 PC’s on each. They are on their own internal networks (read: machines not connected to each other). Both use the same logons (with admin rights); one machine works, one doesn’t.

    The one that doesn’t I can’t shut down either pc from either PC.

  17. Carl says:

    The Shutdown.exe LUA bug appears to also affect how Wake on LAN (WOL) works.

    On my IBM ThinkCenter, shutting down remotely worked both through ctrl-alt-end and choosing shutdown, and through shutdown.exe.

    However, the system would not Wake on Lan if it was shutdown with Shutdown.exe.  The workaround listed here has fixed the problem.

  18. pclady says:

    THANKS! This is great! Worked for me. I was simply trying to run shutdown.exe from command line from a USERS account. I applied workaround and it worked. So, now I need to know if this workaround can be applied via the REGISTRY or from a VB.NET application? Any info would be greatly appreciated.

    It can’t be applied via the registry.  You need to use the LsaAddAccountRights Win32 API.

    — Aaron

  19. chkidd says:

    I am trying to do the following…

    use the WinXP Shutdown.exe on Win2k PC’s with users in both AD and non-AD WinNT Domains,

    the pc’s in AD work, the pc’s not in AD do not work.

    I am using a shortcut to the shutdown.exe from the users desktop.

    Any help appreciated.

    chkidd

    Just to understand:  are you trying to shut down remote computers or the local computer?  If remote, the logged on user must be recognized as a member of the administrators group on the remote computer.  There may also be issues with using the WinXP shutdown.exe — Windows 2000’s shutdown.exe came with the Windows 2000 Resource Kit.  You might want to use that if you’re running it on a Windows 2000 computer.  Also to clarify:  by “non-AD WinNT domains”, do you mean that the domain controllers are running Windows NT 4.0 or earlier?

    — Aaron

  20. Joe Smith says:

    You know.. making sure that the Simple File Sharing was unchecked allowed me to accomplish the remote shutdown from a different computer on the same LAN.  I tried all sorts of other stuff to get the remote shutdown to work with shutdown.exe but in the end all I had to do is uncheck the Use Simple File Sharing option in the Folder Options \ View \ Advanced Settings window.

    Joe Smith:  When Simple File Sharing is enabled, all network access authenticates as Guest.  Remote Shutdown requires administrator rights, which can’t be obtained when you’re authenticating as Guest.

    Hope this clarifies…

    — Aaron

  21. TP says:

    Thanks! This seems to work. Where the setting is in the registry?

    TP:  It can’t be edited directly — it’s buried under HKLM\Security.

    — Aaron

  22. Jeff says:

    I have 2 separate networks, both with 2 xp pro boxes running in a workgroup.  Adding the INTERACTIVE account as described and unchecking simple file sharing worked on the first network, but not the second.

    I still get “Access Denied” when the first box on the second network attempts to shutdown the second box.

    Netbios over TCP/IP is enabled.  They can ping each other.  File sharing works.  No events are captured in the event viewer.

    The user accounts on both machines have blank passwords.  Would that cause any issue?

    Any other ideas?

    Jeff:  user accounts with blank passwords can be used only for console logon.  They can’t be used across the network, including through Remote Desktop, nor can they be used with RunAs (or MakeMeAdmin, which builds on RunAs).

    — Aaron

  23. David says:

    I have XP Home. According to Help and Support center, simple file sharing cannot be turned off in XP Home edition. How can I remotely shutdown one XP Home computer using shutdown?

    I already tried

    shutdown -s -m //NAME

    and got the error

    "The network path was not found."

    Thanks!!!

  24. Steve says:

    That’s because it’s \\name, not //.

  25. Ben says:

    I’m having problems with this too. I have two XP Home computers. I’ve tried everything I could find (both fiddling and searching the internet) to try to get them to shut each other down. They keep giving me the “the network path was not found” error message. Any help would be appreciated.

    [Aaron Margosis] XP Home Edition has “Simple File Sharing” always on.  That means that anyone connecting remotely does so as “Guest”. That further means that remote administration (including remote shutdown) of XP Home Edition computers is not possible.

  26. hey says:

    Maybe because you are not the administrator.

  27. Chris says:

    Further to Aaron’s comment that Remote Shutdown of a XP Home PC is not possible because connecting remotely uses the rights of the Guest account – this is correct.

    What is not correct however is the statement that remote shutdown is not possible. The solution lies in granting the Guest account the privilege to access the shutdown.

    To do this you need to use the NtRights.exe file found in the XP Resource Kit, here http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en  You need to download the kit from Microsoft. Copy the NtRights.exe program to Windows\system32. Next log in as an administrator on the box to be shut down remotely and perform the following commands from a command window:

    NtRights -u Guest +r SeRemoteShutdownPrivilege

    NtRights -u Guest +r SeShutdownPrivilege

    Be careful about the spelling – note there is no ‘t’ in the priv name where you would expect it to read SetRemoteShutdownPrivilege.

    See here for a full description of the NtRights.exe program: http://support.microsoft.com/kb/279664

    Now you should be able to use the shutdown.exe program from a remote computer. When you do, the shutdown message on your XP Home machine will read ‘Shutdown initiated by \\<pc name>\Guest’.

  28. Alvin says:

    How am I supposed to copy the NtRights.exe program to Windows\system32?

    [Aaron Margosis]  You need to be running as admin to do that.

  29. Aaron,

    I never would have figured that out – thank you!

  30. Dilandau says:

    Instead of using NtRights for granting the Guest account the privilege to access the shutdown, one can simply add Guest account to the Administrators group. That would solve the problem with remote shutdown easily

    [Aaron Margosis]  You forgot the emoticon to tell people, “Of course I’m joking.”

  31. kroyce says:

    Here’s an odd situation for you. I open a vpn session from home to work. I then remote desktop in to my workstation at work. From the remote desktop session to my workstation I am trying to use a batch file to reboot (or shutdown) my laptop that is also running at work. Both computers are running Windows XP SP3 and I belong to the Administrators group on each one.

    I have explicitly granted "Allow logon through Terminal Services" AND "Force shutdown from a remote system" rights to myself, Remote Interactive Logon, Terminal Server User, Network Service, and Interactive. My login credentials come from Active Directory while the other accounts are local.

    When I run the batch file via a command line I get the infamous error message:

    Error opening Terminal server kroycelt.

    Error [5]:Access is denied.

    However, if I look at the security event logs it shows I logged in successfully but the laptop does not reboot.

    When I remote desktop directly into the laptop I have no problem rebooting it.

    I am using the tsshutdn utility in the batch file:

    @echo off
    rem Start a fresh log for this run, then append the run date on its own line
    echo - Setup Log File > c:\tsclean.log
    date /T >> c:\tsclean.log
    echo - New Run >> c:\tsclean.log
    rem %msgto% is assumed to be set by the caller before this script runs
    echo - Rebooting %msgto% >> c:\tsclean.log
    rem No spaces around "=", or they become part of the variable name and value;
    rem %diagMessage% expands the stored command so that tsshutdn actually runs
    rem and its output is appended to the log
    set diagMessage=tsshutdn 0 /server:<my laptop name> /v /reboot
    %diagMessage% >> c:\tsclean.log

  32. Clemens Li says:

    I’d like to know how to run shutdown -s on my own computer in a network without any admin rights. It’s just that when I leave my workplace, I want to double-click an icon rather than do it the hard Windows way via a couple of keystrokes.

    Any idea?

    TIA,

    Clemens

  33. Joe Benton says:

    The local policy setting works fine for me. Is there a corresponding Active Directory setting that does the same thing? I have 500 or so computers I need to modify and it would be a shame to have to touch all those computers when I could just make a change in Active Directory that does the same thing.

    [Aaron Margosis]  Can’t you make the same change in the same place in domain policy that you do in local policy?

  34. pavan says:

    Thank You.

    Joe Smith

    You know.. making sure that the Simple File Sharing was unchecked allowed me to accomplish the remote shutdown from a different computer on the same LAN.  I tried all sorts of other stuff to get the remote shutdown to work with shutdown.exe but in the end all I had to do is uncheck the Use Simple File Sharing option in the Folder Options \ View \ Advanced Settings window.

    It worked

  35. Reg Merritt says:

    Thanks for the info. However, in my case after pulling my hair out I finally realised that the server using the user "Administrator" had a different password to the user "Administrator" on the workstations.

  36. Jim Hughes says:

    Thank you for telling me about the "Force shutdown…" user rights assignment. I knew there had to be a simple solution to the "Access Denied" error message, but I read 26 articles before finding this one with the right answer!
