Share via


Workaround for Shutdown.exe LUA bug

The "shutdown.exe" command-line utility in Windows XP has a LUA bug that prevents non-admin users from using it to shut down or restart the computer. There is a simple workaround.

Shutdown.exe offers a number of command-line options, including the ability to shut down a remote system (assuming you have the privilege to do so on the remote machine). The problem is that when something other than "logoff" is specified, Shutdown.exe tries to enable both the SeShutdownPrivilege ("Shut down the system") and the SeRemoteShutdownPrivilege ("Force shutdown from a remote system"), even if local shutdown or reboot is all that is being requested. On XP, Users have SeShutdownPrivilege by default, but they don't have SeRemoteShutdownPrivilege.

The workaround: Grant "INTERACTIVE" the SeRemoteShutdownPrivilege.

How to do it (requires admin privileges): Open Administrative Tools \ "Local Security Settings". Navigate to Security Settings \ Local Policies \ User Rights Assignment. Double-click "Force shutdown from a remote system" in the right pane. Click "Add User or Group". Enter the name INTERACTIVE in the text box and click "Check names", then click OK, and OK again.

Does granting this privilege this way open up the computer to remote attack? No. The "INTERACTIVE" SID appears in the user's token only in the interactive logon session. Remotely invoked code does not have INTERACTIVE in its token.

Comments

  • Anonymous
    January 28, 2006
    I presume shutdown.exe will be fixed, at least for Vista?

  • Anonymous
    February 01, 2006
    Thanks a million Aaron. You made my day by providing the trick in using 'Shutdown.exe" under non-admin users. Keep it coming my man, you are the greatest!

  • Anonymous
    February 01, 2006
    OK. So I have given my LUA, the listed rights for a machine. I remotely attempt to shutdown the machine I had just given those rights and I receive a "A required privilege is not held by client." As a sidenote, I happen to be running the shutdown command from a RunAs prompt. Any ideas?I am trying to create a batch script for a tester to reboot his assigned machines.

  • Anonymous
    February 02, 2006
    Interesting -- it had never occured to me that this was an issue. I've always been running it from my MakeMeAdmin window!

  • Anonymous
    February 05, 2006
    Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

  • Anonymous
    February 12, 2006
    The comment has been removed

  • Anonymous
    March 03, 2006
    Can this action be scripted and done automatically?

  • Anonymous
    March 03, 2006
    MichaƂ Szkutnik - it could be applied through Group Policy, through a startup script (not a logon script), and possibly through the "Restricted Groups" feature of GP.

  • Anonymous
    March 14, 2006
    I am scheduling Shutdown.exe to run thru the task scheduler.  This workaround works fine if a person is logged in, but if it's at the login screen, it will not perform a shutdown.  Aaron, is there a way to make this work for a power user when the computer is at the login screen?

  • Anonymous
    March 14, 2006
    Brian Paul - A program started from the task scheduler with no one logged on will (I'm quite sure) not have INTERACTIVE in its token.  You could try granting the privilege to the user account you're configuring it to run as, but be aware that that grants the privilege to that account for a real remote shutdown.  You might also try granting the privilege to "BATCH" instead of "INTERACTIVE" - I can't remember what logon type task scheduler processes use.  If that doesn't work, "SERVICE" might.

  • Anonymous
    March 24, 2006
    when i want to remotely shut down computers, some computers will work and some computers will not.  It will say "cannot find network path"

    Any Ideas?

  • Anonymous
    May 14, 2006
    You might need to put the PC name like \PCName instead of PCName

    Or try pinging the computer name to be sure its connected to the network.

  • Anonymous
    July 06, 2006
    for "shutdown.exe -s -m \PCName" would work for windows 2000, and windows xp pro, but not for windows xp home. I have not found any info on why XP home has an issue with receiving remote shutdown commands from shutdown.exe

  • Anonymous
    July 07, 2006
    The comment has been removed

  • Anonymous
    July 28, 2006
    The comment has been removed

  • Anonymous
    August 30, 2006
    I tried to add more permissions, and I am still getting access denied.  I have these two machines, that have 2 PC's on each. They are on their own internal networks (Read: Machines not connected to each other). Both use the same logons (With Admin Rights), one machine works, one doesn't.  

    The one that doesn't I can't shut down either pc from either PC.

  • Anonymous
    September 03, 2006
    The Shutdown.exe LUA bug appears to also effect how Wake on Lan (WOL) works.  

    On my IBM ThinkCenter, shutting down remotely worked both through ctrl-alt-end and choosing shutdown, and through shutdown.exe.

    However, the system would not Wake on Lan if it was shutdown with Shutdown.exe.  The workaround listed here has fixed the problem.

  • Anonymous
    October 04, 2006
    The comment has been removed

  • Anonymous
    October 26, 2006
    I am trying to do the following... use the WinXP Shutdown.exe on Win2k PC's with users in both AD and non-AD WinNT Domains, the pc's in AD work, the pc's not in AD do not work. I am using a shortcut to the shutdown.exe from the users desktop. Any help appreciated. chkidd Just to understand:  are you trying to shut down remote computers or the local computer?  If remote, the logged on user must be recognized as a member of the administrators group on the remote computer.  There may also be issues with using the WinXP shutdown.exe -- Windows 2000's shutdown.exe came with the Windows 2000 Resource Kit.  You might want to use that if you're running it on a Windows 2000 computer.  Also to clarify:  by "non-AD WinNT domains", do you mean that the domain controllers are running Windows NT 4.0 or earlier? -- Aaron

  • Anonymous
    January 20, 2007
    You know.. making sure that the Simple File Sharing was unchecked allowed me to accomplish the remote shutdown from a different computer on the same LAN.  I tried all sorts of other stuff to get the remote shutdown to work with shutdown.exe but in the end all I had to do is uncheck the use Simple File Sharing option in Folder OptionsViewAdavnced Settings window. Joe Smith:  When Simple File Sharing is enabled, all network access authenticates as Guest.  Remote Shutdown requires administrator rights, which can't be obtained when you're authenticating as Guest. Hope this clarifies... -- Aaron

  • Anonymous
    February 27, 2007
    Thanks! This seems to work. Where the setting is in the registry? TP:  It can't be edited directly -- it's buried under HKLMSecurity. -- Aaron

  • Anonymous
    March 23, 2007
    The comment has been removed

  • Anonymous
    June 03, 2007
    I have XP Home. According to Help and Support center, simple file sharing cannot be turned off in XP Home edition. How can I remotely shutdown one XP Home computer using shutdown? I already tried shutdown -s -m //NAME and got the error "The network path was not found." Thanks!!!

  • Anonymous
    October 19, 2007
    Thats because its \name  not//

  • Anonymous
    October 19, 2007
    I'm having problems with this too. I have two XP Home computers. I've tried everything I could find (both fiddling and searching the internet) to try to get them to shut each other down. They keep giving me the "the network path was not found" error message. Any help would be appreciated. [Aaron Margosis] XP Home Edition has "Simple File Sharing" always on.  That means that anyone connecting remotely does so as "Guest". That further means that remote administration (including remote shutdown) of XP Home Edition computers is not possible.

  • Anonymous
    December 09, 2007
    mayby because, you are not the adminstrator

  • Anonymous
    March 13, 2008
    The comment has been removed

  • Anonymous
    April 13, 2008
    How am I supposed to copy the NtRights.exe program to Windowssystem32? [Aaron Margosis]  You need to be running as admin to do that.

  • Anonymous
    September 06, 2008
    Aaron, I never would have figured that out - thank you!

  • Anonymous
    December 04, 2008
    Instead of using NtRights for granting the Guest account the privilege to access the shutdown, one can simply add Guest account to the Administrators group. That would solve the problem with remote shutdown easily [Aaron Margosis]  You forgot the emoticon to tell people, "Of course I'm joking."

  • Anonymous
    December 22, 2008
    The comment has been removed

  • Anonymous
    January 12, 2009
    The comment has been removed

  • Anonymous
    August 26, 2009
    The local policy setting works fine for me. Is there a corresponding Active Directory setting that does the same thing? I have 500 or so computers I need to modify and it would be a shame to have to touch all those computers when I could just make a change in Active Directory that does the same thing. [Aaron Margosis]  Can't you make the same change in the same place in domain policy that you do in local policy?

  • Anonymous
    August 20, 2010
    Thank You. Joe Smith You know.. making sure that the Simple File Sharing was unchecked allowed me to accomplish the remote shutdown from a different computer on the same LAN.  I tried all sorts of other stuff to get the remote shutdown to work with shutdown.exe but in the end all I had to do is uncheck the use Simple File Sharing option in Folder OptionsViewAdavnced Settings window. It worked

  • Anonymous
    February 07, 2011
    Thanks for the info. However, in my case after pulling my hair out i finally realised that the server using the user "Administrator" had a different password to the user "Administrator" on the workstations.

  • Anonymous
    May 16, 2011
    Thank you for telling me about the "Force shutdown..." user rights assignment. I knew there had to be a simple solution to the "Access Denied" error message, but I read 26 articles before finding this one with the right answer!