Decipher (Author), posted April 5, 2013 (edited)

KaFu tha DLL Master,

I was editing my previous post when my system just switched off. Is there any chance that the _NtSetSystemPowerState_PowerOff() function isn't working properly though?

Thanks,
Anonymous

shornw, posted April 5, 2013

Looking at this slightly differently (and maybe wrongly), forcing a BSOD has the same effect as a 'finger-off restart', i.e. the O/S is completely offloaded. For what it's worth (and this is certainly NOT a recommendation) I have in the past had cause to kill PCs remotely, but this also works locally. Same rules apply regarding saving work, potential corruption etc. so USE AT YOUR OWN RISK. Forcibly killing the process 'csrss.exe' is one way of causing a BSOD, usually followed by a reboot, but there are other, more controlled, ways to invoke a BSOD (e.g. CrashOnCTRLScroll reg key). To date I have not experienced any ill effects but that most definitely isn't to say that it's safe.

Eagles may soar high but weasels don't get sucked into jet engines

Decipher (Author), posted April 5, 2013 (edited)

shornw,

You are correct but I can't verify what process actually does it as they are all viciously terminated.

    $list = ProcessList()
    For $i = 1 To $list[0][0]
        ProcessClose($list[$i][0])
    Next

Anonymous

*Edit - I still want to see what KaFu has to say.

shornw, posted April 5, 2013

I don't think ProcessClose() will kill csrss.exe (End Task certainly doesn't), so could you not re-read processes (theorising, not tested)

Decipher (Author), posted April 5, 2013 (edited)

I have tested this in the past and coincidentally I tried it again before I read your initial post. It works. Also if I run _NtShutdownSystem(1) before killing processes that part of my script won't execute - nothing will. I would like to give the system at least some amount of time to hang itself before I finish it off with the iterative stabbing.

*Edit - Spelling

shornw, posted April 5, 2013

> I would like to give the system at least some amount of time to hang itself before I finish it off with the iterative stabbing

Fair point, but surely by the time this occurs, no code is going to work so the only option is going to be physical interaction, either power button or even power cable removal (don't seem to see a reset button any more)

Decipher (Author), posted April 5, 2013 (edited)

I guess I'm headed down the "rewrite the process yourself so it works the way you want it to" route. If KaFu or someone can get the emergency instant power off function to work correctly then I'm sure that the rest of the system can be brought to a suitable state to run it safely.

*Edit

KaFu,

I'm about to research this myself but do you know of a way to do what I'm suggesting above? That is to not only send the QueryEndSession Message to running processes but also

    ; At the final stages of the Windows shutdown process, NtShutdownSystem is called. It is responsible for shutting down all drivers, flushing Registry hives and the disc cache, clearing the page file, etc. After doing so, it calls the NtSetSystemPowerState function.
    ; NtSetSystemPowerState then causes all plug-and-play devices to be shut down and the system to be either halted, powered off, or rebooted.

Without using NtShutdownSystem call - allowing a custom final phase.

KaFu, posted April 5, 2013 (edited)

This one killed my XP in some 3 seconds.

WARNING: Might result in loss of data! Be sure to have any unsaved work saved and all unused processes closed before running the code!

    #include <SecurityConstants.au3>
    #include <Security.au3>
    #include <WinAPI.au3>

    _EmergencyShutdown()

    Func _EmergencyShutdown()
        ; by KaFu, visit http://funk.eu
        ; http://www.codeproject.com/Articles/34194/Performing-emergency-shutdowns
        ; At the final stages of the Windows shutdown process, NtShutdownSystem is called. It is responsible for shutting down all drivers, flushing Registry hives and the disc cache, clearing the page file, etc. After doing so, it calls the NtSetSystemPowerState function.
        ; NtSetSystemPowerState then causes all plug-and-play devices to be shut down and the system to be either halted, powered off, or rebooted.

        Local $hToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_ALL_ACCESS)
        If $hToken Then
            If _Security__SetPrivilege($hToken, $SE_SHUTDOWN_NAME, True) Then

                ; SHUTDOWN_ACTION enumeration
                ; http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Hardware/SHUTDOWN_ACTION.html
                Local Const $ShutdownPowerOff = 2
                DllCall("ntdll.dll", "none", "NtShutdownSystem", "int", $ShutdownPowerOff)

                ; POWER_ACTION enumeration
                ; http://msdn.microsoft.com/en-us/library/aa373145%28v=vs.85%29.aspx
                ; PowerActionShutdownOff = 6
                Local Const $PowerActionShutdownOff = 6

                ; SYSTEM_POWER_STATE enumeration
                ; http://msdn.microsoft.com/en-us/library/aa373227%28v=vs.85%29.aspx
                ; PowerSystemShutdown = 6
                Local Const $PowerSystemShutdown = 6

                ; System Shutdown Reason Codes
                ; http://msdn.microsoft.com/en-us/library/aa376885%28VS.85%29.aspx
                Local Const $SHTDN_REASON_FLAG_PLANNED = 0x80000000

                DllCall("ntdll.dll", "dword", "NtSetSystemPowerState", "int", $PowerActionShutdownOff, "int", $PowerSystemShutdown, "ulong", $SHTDN_REASON_FLAG_PLANNED)
                Return 1
            Else
                MsgBox(16 + 262144, "NtShutdownSystem - Error", "Could not obtain SE_SHUTDOWN_NAME privilege.")
            EndIf
            _WinAPI_CloseHandle($hToken)
        EndIf
        Return 0
    EndFunc   ;==>_EmergencyShutdown

OS: Win10-22H2 - 64bit - German, AutoIt Version: 3.3.16.1, AutoIt Editor: SciTE, Website: https://funk.eu
AMT - Auto-Movie-Thumbnailer (2024-Oct-13), BIC - Batch-Image-Cropper (2023-Apr-01), COP - Color Picker (2009-May-21), DCS - Dynamic Cursor Selector (2024-Oct-13), HMW - Hide my Windows (2024-Oct-19), HRC - HotKey Resolution Changer (2012-May-16), ICU - Icon Configuration Utility (2018-Sep-16), SMF - Search my Files (2024-Oct-20) - THE file info and duplicates search tool, SSD - Set Sound Device (2017-Sep-16)

Decipher (Author), posted April 5, 2013

KaFu,

The _EmergencyShutdown() mimicked NtShutdownSystem(). I think it is evident that my system is and that these system calls are waiting for Plug n Play devices or at least something (like you mentioned) before they send that last signal.

Anonymous

Decipher (Author), posted April 5, 2013 (edited)

KaFu,

Would you mind checking this out: http://msdn.microsoft.com/en-us/library/windows/hardware/ff549518%28v=vs.85%29.aspx

The IoRegisterLastChanceShutdownNotification routine registers a driver to receive an IRP_MJ_SHUTDOWN IRP when the system is shut down, after all file systems have been flushed.

It's for unloading the drivers.

Edit #1 - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724867%28v=vs.85%29.aspx

Unlike RegCloseKey, the RegFlushKey function returns only when all the data for the hive that contains the key has been written to the registry store on disk. It uses Advapi32.dll

Edit #2 - http://technet.microsoft.com/sv-se/sysinternals/bb897438%28en-us%29.aspx

Sync 40kb can be used to flush the system filesystem cache in case of system failure. Perhaps http://msdn.microsoft.com/en-us/library/windows/desktop/aa364439%28v=vs.85%29.aspx the FlushFileBuffers function is responsible for this? If hFile is a handle to a communications device, the function only flushes the transmit buffer.

KaFu, posted April 5, 2013

If this does not work for you, I would assume it's related to BIOS / MoBo power capabilities / settings (ACPI?), maybe check there first.

Decipher (Author), posted April 5, 2013 (edited)

I double checked my BIOS settings but it's very basic. There is power management where I see a suspend mode option (S1 or S3). I changed it, rebooted, no luck. There are no ACPI configuration options available from what I can see and I've seen a lot of BIOS and this one is real generic.

Decipher (Author), posted April 5, 2013 (edited)

Is this formatted correctly because it doesn't return 0, none work.

    $iReturnValue = DllCall("advapi32.dll", "int", "RegFlushKey", "long", "HKEY_CLASSES_ROOT")
    if @error Then MsgBox(0, "", "Fail!")
    MsgBox(0, "Flush Home Key Classes Root", $iReturnValue)
    $bReturnValue = DllCall("kernel32.dll", "BOOL", "FlushFileBuffers", "HANDLE", "\\.\" & @HomeDrive)
    if @error Then MsgBox(0, "", "Fail!")
    MsgBox(0, "Flush System Drive Cache", $iReturnValue) ;Should return 1=true or 0=false.

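Added example, not part of the original thread: the two calls from the post above with the DllCall() return array and the argument types handled the way the Windows API documents them (an HKEY value for RegFlushKey, an open volume handle for FlushFileBuffers). The helper names _FlushRootKey and _FlushVolume are made up for this illustration, and the volume flush assumes an elevated process.

```autoit
#include <WinAPI.au3>

; Added example (not from the thread); helper names are hypothetical.
; DllCall() returns an ARRAY: [0] is the API's return value, [1..n] echo the
; parameters. @error is only set when the DLL or function could not be called.

; RegFlushKey wants an HKEY value, not the key's name as a string.
; 0x80000000 is the predefined HKEY_CLASSES_ROOT handle from winreg.h.
; The API returns ERROR_SUCCESS (0) on success, so 0 means it worked.
Func _FlushRootKey($hRootKey = 0x80000000)
    Local $aRet = DllCall("advapi32.dll", "long", "RegFlushKey", "handle", $hRootKey)
    If @error Then Return SetError(@error, 0, False)
    Return SetError($aRet[0], 0, $aRet[0] = 0) ; @error carries the Win32 status
EndFunc   ;==>_FlushRootKey

; FlushFileBuffers wants an open HANDLE, not a path. Open the volume first
; ("\\.\C:") with write access; this needs an administrator process.
Func _FlushVolume($sDrive = @HomeDrive)
    ; 0x40000000 = GENERIC_WRITE, share 3 = FILE_SHARE_READ | FILE_SHARE_WRITE,
    ; creation 3 = OPEN_EXISTING
    Local $aOpen = DllCall("kernel32.dll", "handle", "CreateFileW", "wstr", "\\.\" & $sDrive, _
            "dword", 0x40000000, "dword", 3, "ptr", 0, "dword", 3, "dword", 0, "handle", 0)
    If @error Then Return SetError(@error, 0, False)
    If $aOpen[0] = Ptr(-1) Then Return SetError(-1, 0, False) ; INVALID_HANDLE_VALUE

    Local $aRet = DllCall("kernel32.dll", "bool", "FlushFileBuffers", "handle", $aOpen[0])
    Local $iCallError = @error
    _WinAPI_CloseHandle($aOpen[0])
    If $iCallError Then Return SetError($iCallError, 0, False)
    Return $aRet[0] <> 0 ; BOOL: non-zero means the flush succeeded
EndFunc   ;==>_FlushVolume

Local $bKey = _FlushRootKey()
ConsoleWrite("RegFlushKey succeeded: " & $bKey & ", status: " & @error & @CRLF)
ConsoleWrite("FlushFileBuffers succeeded: " & _FlushVolume() & @CRLF)
```
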
Decipher (Author), posted April 5, 2013 (edited)

I'm abandoning this topic as it's clear that it has been answered. I'm starting a new topic inquiring about DLL usage and how to prep the system for shutdown.

Thanks to everyone and especially KaFu for their expertise.

Anonymous

MyDream, posted April 16, 2014

> Emergency shutdown with power off using an undocumented API call (the hard way), here ya go...
>
> WARNING: Might result in loss of data! Be sure to have any unsaved work saved and all unused processes closed before running the code!
>
>     #include <SecurityConstants.au3>
>     #include <Security.au3>
>     #include <WinAPI.au3>
>
>     ; At the final stages of the Windows shutdown process, NtShutdownSystem is called. It is responsible for shutting down all drivers, flushing Registry hives and the disc cache, clearing the page file, etc. After doing so, it calls the NtSetSystemPowerState function.
>     ; NtSetSystemPowerState then causes all plug-and-play devices to be shut down and the system to be either halted, powered off, or rebooted.
>
>     _NtShutdownSystem()
>
>     Func _NtShutdownSystem($iShutdown_Action = 2)
>         ; by KaFu, visit http://funk.eu
>         ; Undocumented API call found at http://forums.codeguru.com/showthread.php?188554-Emergency-shutdown
>         ; According to "Windows NT/2000 Native API Reference" by Gary Nebbet, this function does not notify services and user applications before it shuts down the system.
>         ; http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Hardware/NtShutdownSystem.html
>         ; http://www.codeproject.com/Articles/34194/Performing-emergency-shutdowns
>
>         Local Const $ShutdownNoReboot = 0
>         Local Const $ShutdownReboot = 1
>         Local Const $ShutdownPowerOff = 2
>
>         Local $hToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_ALL_ACCESS)
>         If $hToken Then
>             If _Security__SetPrivilege($hToken, $SE_SHUTDOWN_NAME, True) Then
>                 DllCall("ntdll.dll", "none", "NtShutdownSystem", "int", $iShutdown_Action)
>                 Return 1
>             Else
>                 MsgBox(16 + 262144, "NtShutdownSystem - Error", "Could not obtain SE_SHUTDOWN_NAME privilege.")
>             EndIf
>             _WinAPI_CloseHandle($hToken)
>         EndIf
>         Return 0
>     EndFunc   ;==>_NtShutdownSystem
>
>     #include <SecurityConstants.au3>
>     #include <Security.au3>
>     #include <WinAPI.au3>
>
>     ; At the final stages of the Windows shutdown process, NtShutdownSystem is called. It is responsible for shutting down all drivers, flushing Registry hives and the disc cache, clearing the page file, etc. After doing so, it calls the NtSetSystemPowerState function.
>     ; NtSetSystemPowerState then causes all plug-and-play devices to be shut down and the system to be either halted, powered off, or rebooted.
>
>     _NtSetSystemPowerState_PowerOff()
>
>     Func _NtSetSystemPowerState_PowerOff()
>         ; by KaFu, visit http://funk.eu
>         ; http://www.codeproject.com/Articles/34194/Performing-emergency-shutdowns
>
>         Local $hToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_ALL_ACCESS)
>         If $hToken Then
>             If _Security__SetPrivilege($hToken, $SE_SHUTDOWN_NAME, True) Then
>
>                 ; POWER_ACTION enumeration
>                 ; http://msdn.microsoft.com/en-us/library/aa373145%28v=vs.85%29.aspx
>                 ; PowerActionShutdownOff = 6
>
>                 ; SYSTEM_POWER_STATE enumeration
>                 ; http://msdn.microsoft.com/en-us/library/aa373227%28v=vs.85%29.aspx
>                 ; PowerSystemShutdown = 6
>
>                 ; System Shutdown Reason Codes
>                 ; http://msdn.microsoft.com/en-us/library/aa376885%28VS.85%29.aspx
>
>                 DllCall("ntdll.dll", "dword", "NtSetSystemPowerState", "dword", 6, "dword", 6, "ulong", 0x80000000)
>                 Return 1
>             Else
>                 MsgBox(16 + 262144, "NtShutdownSystem - Error", "Could not obtain SE_SHUTDOWN_NAME privilege.")
>             EndIf
>             _WinAPI_CloseHandle($hToken)
>         EndIf
>         Return 0
>     EndFunc   ;==>_NtSetSystemPowerState_PowerOff
>
> Edit #1: This codeproject article contains an even more "direct" way, NtSetSystemPowerState... he does not recommend using any of these functions, neither do I! Bad usage might corrupt your system, you've been warned...
>
> Edit #2: Tested both functions, the first works on my VM-XP and Win7, the second (even more direct) function does not seem to work on the VM, but does power down my physical computer instantly (Win7)...
>
> Edit #3: Updated function, the forum ate the characters...

Just wanted to say the first code rocks. But the second one does nothing on my computer though. Anyway first code will suffice for shutdown and reboot. Thanks a lot KaFu.