Workaround for Shutdown.exe LUA bug
The "shutdown.exe" command-line utility in Windows XP has a LUA bug that prevents non-admin users from using it to shut down or restart the computer. There is a simple workaround.
Shutdown.exe offers a number of command-line options, including the ability to shut down a remote system (assuming you have the privilege to do so on the remote machine). The problem is that when something other than "logoff" is specified, Shutdown.exe tries to enable both the SeShutdownPrivilege ("Shut down the system") and the SeRemoteShutdownPrivilege ("Force shutdown from a remote system"), even if local shutdown or reboot is all that is being requested. On XP, Users have SeShutdownPrivilege by default, but they don't have SeRemoteShutdownPrivilege.
The workaround: Grant "INTERACTIVE" the SeRemoteShutdownPrivilege.
How to do it (requires admin privileges): Open Administrative Tools \ "Local Security Settings". Navigate to Security Settings \ Local Policies \ User Rights Assignment. Double-click "Force shutdown from a remote system" in the right pane. Click "Add User or Group". Enter the name INTERACTIVE in the text box and click "Check names", then click OK, and OK again.
Does granting this privilege this way open up the computer to remote attack? No. The "INTERACTIVE" SID appears in the user's token only in the interactive logon session. Remotely invoked code does not have INTERACTIVE in its token.
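The Local Security Settings steps above (and the scripting question raised in the comments) can be done without the GUI using secedit, which the Local Security Policy snap-in drives underneath. This is an added example, not code from the original post: it exports the current user-rights assignment, appends the well-known INTERACTIVE SID (S-1-5-4) to SeRemoteShutdownPrivilege only if it is missing, and re-imports just that policy area. It assumes an admin PowerShell session on a machine where secedit and whoami are available; the file names under $env:TEMP are my own.

```powershell
# Added example (not from the original post): grant INTERACTIVE the
# "Force shutdown from a remote system" right (SeRemoteShutdownPrivilege)
# via secedit, the scriptable equivalent of the Local Security Settings steps.
# Assumes an elevated/admin session. Temp paths below are assumptions.

$exportInf = Join-Path $env:TEMP 'user-rights-export.inf'
$applyInf  = Join-Path $env:TEMP 'remote-shutdown.inf'
$applyDb   = Join-Path $env:TEMP 'remote-shutdown.sdb'

# 1. Export the current User Rights Assignment so existing grantees
#    (normally Administrators, *S-1-5-32-544) are preserved, not replaced.
secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null

$line = Get-Content $exportInf |
        Where-Object { $_ -match '^SeRemoteShutdownPrivilege\s*=' } |
        Select-Object -First 1
$current = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }

# Force an array even when only one SID is listed, so += appends instead of
# doing string concatenation.
$sids = @()
if ($current) { $sids = @($current -split ',' | ForEach-Object { $_.Trim() }) }

# 2. Add the well-known INTERACTIVE SID (S-1-5-4) idempotently.
if ($sids -notcontains '*S-1-5-4') { $sids += '*S-1-5-4' }

# 3. Write a minimal security template that touches only this one right.
#    $CHICAGO$ is the literal signature secedit expects; backticks stop
#    PowerShell from expanding it as a variable.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteShutdownPrivilege = $($sids -join ',')
"@ | Set-Content -Path $applyInf -Encoding Unicode

# 4. Apply only the USER_RIGHTS area; other policy areas are left untouched.
secedit /configure /db $applyDb /cfg $applyInf /areas USER_RIGHTS | Out-Null

# 5. Verify from a fresh interactive logon (tokens are built at logon time).
#    INTERACTIVE (S-1-5-4) appears only in interactive-session tokens, which
#    is why this grant does not reach code invoked remotely.
whoami /groups | Select-String -Pattern 'INTERACTIVE'
whoami /priv   | Select-String -Pattern 'SeRemoteShutdownPrivilege'
```

To undo the change, remove *S-1-5-4 from the list and run the same /configure step again; a logon started before the change will not show the new right until the user logs off and back on.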
Comments
Anonymous
January 28, 2006
I presume shutdown.exe will be fixed, at least for Vista?

Anonymous
February 01, 2006
Thanks a million Aaron. You made my day by providing the trick in using "Shutdown.exe" under non-admin users. Keep it coming my man, you are the greatest!

Anonymous
February 01, 2006
OK. So I have given my LUA the listed rights for a machine. I remotely attempt to shut down the machine I had just given those rights and I receive "A required privilege is not held by client." As a side note, I happen to be running the shutdown command from a RunAs prompt. Any ideas? I am trying to create a batch script for a tester to reboot his assigned machines.

Anonymous
February 02, 2006
Interesting -- it had never occurred to me that this was an issue. I've always been running it from my MakeMeAdmin window!

Anonymous
February 05, 2006
Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

Anonymous
March 03, 2006
Can this action be scripted and done automatically?

Anonymous
March 03, 2006
Michał Szkutnik - it could be applied through Group Policy, through a startup script (not a logon script), and possibly through the "Restricted Groups" feature of GP.

Anonymous
March 14, 2006
I am scheduling Shutdown.exe to run thru the task scheduler. This workaround works fine if a person is logged in, but if it's at the login screen, it will not perform a shutdown. Aaron, is there a way to make this work for a power user when the computer is at the login screen?

Anonymous
March 14, 2006
Brian Paul - A program started from the task scheduler with no one logged on will (I'm quite sure) not have INTERACTIVE in its token. You could try granting the privilege to the user account you're configuring it to run as, but be aware that that grants the privilege to that account for a real remote shutdown. You might also try granting the privilege to "BATCH" instead of "INTERACTIVE" - I can't remember what logon type task scheduler processes use. If that doesn't work, "SERVICE" might.

Anonymous
March 24, 2006
When I want to remotely shut down computers, some computers will work and some computers will not. It will say "cannot find network path". Any ideas?

Anonymous
May 14, 2006
You might need to put the PC name like \\PCName instead of PCName. Or try pinging the computer name to be sure it's connected to the network.

Anonymous
July 06, 2006
"shutdown.exe -s -m \\PCName" would work for Windows 2000 and Windows XP Pro, but not for Windows XP Home. I have not found any info on why XP Home has an issue with receiving remote shutdown commands from shutdown.exe.

Anonymous
August 30, 2006
I tried to add more permissions, and I am still getting access denied. I have these two machines, that have 2 PCs on each. They are on their own internal networks (read: machines not connected to each other). Both use the same logons (with admin rights); one machine works, one doesn't. On the one that doesn't, I can't shut down either PC from either PC.

Anonymous
September 03, 2006
The Shutdown.exe LUA bug appears to also affect how Wake on LAN (WOL) works. On my IBM ThinkCentre, shutting down remotely worked both through Ctrl-Alt-End and choosing shutdown, and through shutdown.exe. However, the system would not Wake on LAN if it was shut down with Shutdown.exe. The workaround listed here has fixed the problem.

Anonymous
October 26, 2006
I am trying to do the following... use the WinXP Shutdown.exe on Win2k PCs with users in both AD and non-AD WinNT domains. The PCs in AD work, the PCs not in AD do not work. I am using a shortcut to the shutdown.exe from the user's desktop. Any help appreciated.
[Aaron Margosis] chkidd: Just to understand: are you trying to shut down remote computers or the local computer? If remote, the logged on user must be recognized as a member of the administrators group on the remote computer. There may also be issues with using the WinXP shutdown.exe -- Windows 2000's shutdown.exe came with the Windows 2000 Resource Kit. You might want to use that if you're running it on a Windows 2000 computer. Also to clarify: by "non-AD WinNT domains", do you mean that the domain controllers are running Windows NT 4.0 or earlier? -- Aaron

Anonymous
January 20, 2007
You know... making sure that Simple File Sharing was unchecked allowed me to accomplish the remote shutdown from a different computer on the same LAN. I tried all sorts of other stuff to get the remote shutdown to work with shutdown.exe, but in the end all I had to do was uncheck the "Use Simple File Sharing" option in the Folder Options\View\Advanced Settings window.
[Aaron Margosis] Joe Smith: When Simple File Sharing is enabled, all network access authenticates as Guest. Remote Shutdown requires administrator rights, which can't be obtained when you're authenticating as Guest. Hope this clarifies... -- Aaron

Anonymous
February 27, 2007
Thanks! This seems to work. Where is the setting in the registry?
[Aaron Margosis] TP: It can't be edited directly -- it's buried under HKLM\Security. -- Aaron

Anonymous
June 03, 2007
I have XP Home. According to Help and Support Center, Simple File Sharing cannot be turned off in XP Home Edition. How can I remotely shut down one XP Home computer using shutdown? I already tried "shutdown -s -m //NAME" and got the error "The network path was not found." Thanks!!!

Anonymous
October 19, 2007
That's because it's \\name, not //.

Anonymous
October 19, 2007
I'm having problems with this too. I have two XP Home computers. I've tried everything I could find (both fiddling and searching the internet) to try to get them to shut each other down. They keep giving me the "The network path was not found" error message. Any help would be appreciated.
[Aaron Margosis] XP Home Edition has "Simple File Sharing" always on. That means that anyone connecting remotely does so as "Guest". That further means that remote administration (including remote shutdown) of XP Home Edition computers is not possible.

Anonymous
December 09, 2007
Maybe because you are not the administrator.

Anonymous
April 13, 2008
How am I supposed to copy the NtRights.exe program to Windows\system32?
[Aaron Margosis] You need to be running as admin to do that.

Anonymous
September 06, 2008
Aaron, I never would have figured that out - thank you!

Anonymous
December 04, 2008
Instead of using NtRights for granting the Guest account the privilege to access the shutdown, one can simply add the Guest account to the Administrators group. That would solve the problem with remote shutdown easily.
[Aaron Margosis] You forgot the emoticon to tell people, "Of course I'm joking."

Anonymous
August 26, 2009
The local policy setting works fine for me. Is there a corresponding Active Directory setting that does the same thing? I have 500 or so computers I need to modify, and it would be a shame to have to touch all those computers when I could just make a change in Active Directory that does the same thing.
[Aaron Margosis] Can't you make the same change in the same place in domain policy that you do in local policy?

Anonymous
August 20, 2010
Thank you. Joe Smith: "You know... making sure that Simple File Sharing was unchecked allowed me to accomplish the remote shutdown from a different computer on the same LAN. I tried all sorts of other stuff to get the remote shutdown to work with shutdown.exe, but in the end all I had to do was uncheck the 'Use Simple File Sharing' option in the Folder Options\View\Advanced Settings window." It worked.

Anonymous
February 07, 2011
Thanks for the info. However, in my case, after pulling my hair out, I finally realised that the user "Administrator" on the server had a different password to the user "Administrator" on the workstations.

Anonymous
May 16, 2011
Thank you for telling me about the "Force shutdown..." user rights assignment. I knew there had to be a simple solution to the "Access Denied" error message, but I read 26 articles before finding this one with the right answer!