Sunday, November 20, 2016

windows - How am I able to shutdown the system when I don't have SeShutdownPrivilege




Users in Windows can be granted various privileges




Privileges determine the type of system operations that a user account can perform. An administrator assigns privileges to user and group accounts. Each user's privileges include those granted to the user and to the groups to which the user belongs.




There are currently 35 privileges. Some of the more interesting ones are:

  • SeSystemtimePrivilege: Required to modify the system time.
  • SeTimeZonePrivilege: Required to adjust the time zone associated with the computer's internal clock.
  • SeBackupPrivilege: This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file.
  • SeCreatePagefilePrivilege: Required to create a paging file.
  • SeRemoteShutdownPrivilege: Required to shut down a system using a network request.
  • SeDebugPrivilege: Required to debug and adjust the memory of a process owned by another account.

But the one I'm interested in is:

  • SeShutdownPrivilege: Required to shut down a local system.



I noticed that I don't actually have this privilege. From an elevated command prompt:

>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
...
SeShutdownPrivilege             Shut down the system                      Disabled
...

This is confirmed when using Process Explorer to examine the security token of an elevated process running as me:

[Process Explorer screenshot of the token's privileges]



And yet I can shut down the system. Why?





If you use the Local Security Policy editor snap-in (secpol.msc), you can see that I should have the privilege:

  • secpol.msc
    • Security Settings
    • Local Policies
    • User Rights Assignment
    • Shut down the system

[screenshot of the "Shut down the system" policy]





The explanation of the privilege:




Shut down the system

This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.

Default on Workstations: Administrators, Backup Operators, Users.

Default on Servers: Administrators, Backup Operators.

Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.





I'm a User. Sometimes I'm an Administrator, and other times I'm a NotAdministrator.



Perhaps the question should be why don't I have the privilege.



But the reality is that I don't have the privilege; and yet when locally logged in I can shut down the local system.



Why?







@Mehrdad had a good answer, which he deleted, that I think deserves attention and answers the question nicely and succinctly:




You have the privilege. It's merely disabled by default. If you didn't have the privilege then it wouldn't be listed at all. Notice that SE_PRIVILEGE_REMOVED is different from lacking SE_PRIVILEGE_ENABLED or SE_PRIVILEGE_ENABLED_BY_DEFAULT.








Answer



You have the permission, but it is disabled. That's what PowerShell is telling you.



To shut down the system, you use the Win32 API function InitiateSystemShutdown or ExitWindowsEx:



ExitWindowsEx(EWX_POWEROFF, 0);



These functions note:




To shut down the local computer, the calling thread must have the SE_SHUTDOWN_NAME privilege. By default, users can enable the SE_SHUTDOWN_NAME privilege on the computer they are logged onto, and administrators can enable the SE_REMOTE_SHUTDOWN_NAME privilege on remote computers.




As you can see, Windows checks thread privileges (every thread has a token with privileges). If you call ExitWindowsEx without the SE_SHUTDOWN_NAME privilege, the function will fail with the error:



Error code: 1314

A required privilege is not held by the client


Threads that you create inherit your privileges by default, but a program can enable a disabled privilege that it has been granted using AdjustTokenPrivileges:



#include <windows.h>

TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
// LookupPrivilegeValue returns a BOOL and writes the LUID through its third argument
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tp.Privileges[0].Luid);
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

// GetCurrentProcess() is a call; OpenProcessToken returns the token handle through its last argument
HANDLE processToken;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &processToken);
AdjustTokenPrivileges(processToken, FALSE, &tp, 0, NULL, NULL);
CloseHandle(processToken);


Changing Privileges in a Token says:




AdjustTokenPrivileges cannot add or remove privileges from the token. It can only enable existing privileges that are currently disabled or disable existing privileges that are currently enabled.








So, why is this privilege disabled by default? To make sure that no program can shut down Windows by accident. Applications should ask for this explicitly.



There is an ancient but very good book: https://www.amazon.com/Programming-Windows-Security-Keith-Brown/dp/0201604426/ about all that stuff.

