Introduction
Sometimes an application just needs to quickly shutdown Windows. Unfortunately, there is no well-documented method to do this, and Microsoft does not support it. In fact, neither do I. However, I am presenting two methods to do so just as a mere idea.
Disclaimer: I am not responsible for any unwanted behavior of this program. If your computer doesn't start up again afterwards, it is not my fault. The program is presented merely as a "proof of concept".
Background
Many of the Nt/Zw functions inside the Windows kernel are documented, but some are not. The NtShutdownSystem function is documented pretty well here at NTInternals. The NtSetSystemPowerState function, however, is not.
At the final stages of the Windows shutdown process, NtShutdownSystem is called. It is responsible for shutting down all drivers, flushing Registry hives and the disc cache, clearing the page file, etc. After doing so, it calls the NtSetSystemPowerState function.
NtSetSystemPowerState then causes all plug-and-play devices to be shut down and the system to be either halted, powered off, or rebooted.
However, calling these two functions without notifying the system first is extremely dangerous, and may cause instability in the system.
Using the code
Both NtShutdownSystem and NtSetSystemPowerState are inside NTDLL.DLL, which is why we have to load it first. We also have to enable the SE_SHUTDOWN_NAME privilege in order to call it:
OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES, &hToken);
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, 0);
CloseHandle(hToken);
hNTDLL = LoadLibrary("NTDLL.DLL");
After doing so, we obtain the functions:
typedef DWORD (WINAPI* lpNtShutdownSystem)(SHUTDOWN_ACTION Action);
lpNtShutdownSystem NtShutdownSystem =
(lpNtShutdownSystem)GetProcAddress(hNTDLL, "NtShutdownSystem");
typedef DWORD (WINAPI* lpNtSetSystemPowerState)(
IN POWER_ACTION SystemAction,IN SYSTEM_POWER_STATE MinSystemState,IN ULONG Flags);
lpNtSetSystemPowerState NtSetSystemPowerState =
(lpNtSetSystemPowerState)GetProcAddress(hNTDLL, "NtSetSystemPowerState");
As the typedefs show, NtShutdownSystem requires a SHUTDOWN_ACTION parameter, which is documented here. The three options, ShutdownNoReboot, ShutdownReboot, and ShutdownPowerOff are self-explanatory.
NtSetSystemPowerState is a bit more complicated. Microsoft makes it a bit easier for us by documenting all three parameters. The first two, POWER_ACTION and SYSTEM_POWER_STATE, are documented well. The third, flags, is simply the reason for shutdown, which is also documented here on MSDN.
Calling the actual functions is rather simple:
void CEmergency_ShutdownDlg::OnShutdown()
{
if (NtShutdownSystem)
{
DWORD returnval = NtShutdownSystem(ShutdownPowerOff);
if (returnval != 0) FormatNtMessage(returnval);
}
}
void CEmergency_ShutdownDlg::OnPowerdown()
{
if (NtSetSystemPowerState)
{
DWORD returnval = NtSetSystemPowerState(
PowerActionShutdownOff,
PowerSystemShutdown,
SHTDN_REASON_MAJOR_OTHER |
SHTDN_REASON_MINOR_OTHER |
SHTDN_REASON_FLAG_PLANNED
);
if (returnval != 0) FormatNtMessage(returnval);
}
}
FormatNtMessage is simply a specialized function to display an error, given an NTSTATUS error code. It uses the FormatMessage function.
Points of interest
Only one point of interest: save all un-saved work before executing any one of the functions, or else it'd be rather interesting what happens to them.
History
I probably won't be updating this, unless there is a critical flaw anywhere in the code.
