Re: Follow up to InitiateSystemShutdown / LookupPrivilegeValue problem



Hmm. Well, I checked into it more, and it seems that the
InitiateSystemShutdown RPC server *is* actually started before the GINA is
loaded:

.text:010296C8 loc_10296C8: ; CODE XREF: ExecSystemProcesses()+4Aj
.text:010296C8 push ebx
.text:010296C9 push edi
.text:010296CA push _InitShutdown_ServerIfHandle ; IfSpec
.text:010296D0 push offset ??_C@_1BK@JADBKLGE@?$AAI?$AAn?$AAi?$AAt?$AAS?$AAh?$AAu?$AAt?$AAd?$AAo?$AAw?$AAn?$AA?$AA@ ; "InitShutdown"
.text:010296D5 call _RpcpStartRpcServer@8 ; RpcpStartRpcServer(x,x)


Which is called by:

.text:010312A1 call _ExecSystemProcesses@0 ; ExecSystemProcesses()
.text:010312A6 test eax, eax
.text:010312A8 jnz short loc_10312B4
.text:010312AA push 403h ; uExitCode
.text:010312AF call edi ; __declspec(dllimport) GetCurrentProcess() ; __declspec(dllimport) GetCurrentProcess()
.text:010312B1 push eax ; hProcess
.text:010312B2 call esi ; __declspec(dllimport) TerminateProcess(x,x) ; __declspec(dllimport) TerminateProcess(x,x)


Which later calls:

.text:010314C8 push 0Ch
.text:010314CA lea eax, [ebp+var_238]
.text:010314D0 push eax
.text:010314D1 push esi
.text:010314D2 push edi ; ShutdownType
.text:010314D3 call _RtlCheckProcessParameters@16 ; RtlCheckProcessParameters(x,x,x,x)
.text:010314D8 lea eax, [ebp+var_21C]
.text:010314DE push eax ; int
.text:010314DF push esi ; lpLibFileName
.text:010314E0 push edi ; int
.text:010314E1 mov [ebp+var_21C], ebx
.text:010314E7 call _LoadGinaDll@12 ; LoadGinaDll(x,x,x)


And LoadGinaDll appears to call into the gina dll after loading it. So, I
would expect that it should in fact contact the winlogon RPC server
successfully.

Some possible things you might try from here:

- breakpoint on winlogon!BaseInitiateShutdownEx. This is the RPC server
routine that implements InitiateSystemShutdown/InitiateSystemShutdownEx. If
your breakpoint gets hit after InitiateSystemShutdown/Ex, then we can at
least rule out the RPC server being unreachable at this point.
- try (again) using ExitWindowsEx instead of InitiateSystemShutdown here,
but this time with the SE_SHUTDOWN_NAME privilege enabled.


"Mike Collins" <its@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:u2rYLJ2RGHA.6084@xxxxxxxxxxxxxxxxxxxxxxx
Hi all, just wanted to post a follow up to the two previous posts that I
made regarding rebooting the system using InitiateSystemShutdown/Ex.
Firstly, thanks for all the posts, they were very helpful and food for
thought.

Just to recap on my problem, I'm creating a GinaStub dll and there was a
certain situation where I had to make some checks on the initial startup
and then re-start the system for them to take effect. I was trying to do
this with a call to InitiateSystemShutdown/Ex which persisted in failing,
returning error code #53 [ERROR_BAD_NETPATH] - "The network path was not
found".

After posting here, it was suggested that this was due to a lack of
sufficient privileges, specifically SeShutdownPrivilege. I tried to
adjust the privileges which fell over on the initial call to
LookupPrivilegeValue() (error code 1722 [RPC_S_SERVER_UNAVAILABLE]).
Again, this was the subject of much discussion and two suggestions were
made. Firstly, Kellie Fitton suggested that again, this was due to a lack
of sufficient privileges. Secondly, Skywing argued that it was not a
privileges issue and more likely due to the fact that certain core
services had not fully started, namely LSA.

To determine this, I altered the structure of my stub and moved this
initialisation code from the DLLMain to WlxNegotiate(). This seemed to
make more sense anyway as from this point I can indicate to winlogon that
there is an issue (if I do this from DLLMain i.e. return 0, winlogon
repeatedly calls my dll). So now I perform my checks and then elevate the
privileges before calling InitiateSystemShutdown/Ex.

This seems to have resolved the issue with the call to
LookupPrivilegeValue() - which suggests that Skywing was correct and it
was because LSA had not fully started. However, I still get exactly the
same error when I call InitiateSystemShutdown/Ex - error code #53
[ERROR_BAD_NETPATH] - "The network path was not found". The code to
include the SE_SHUTDOWN_NAME executes without error - but
InitiateSystemShutdown still falls over. Just for interest and reference,
I've included my code below - note I've tried many, many manifestations of
this and none work, this is also extended a bit for debug purposes...


char aLocalComputerName[MAX_COMPUTERNAME_LENGTH + 1];
DWORD aLocalComputerNameLength = MAX_COMPUTERNAME_LENGTH + 1;
GetComputerName(aLocalComputerName, &aLocalComputerNameLength);

// Get a token for this process.
HANDLE aToken;
BOOL aStatus = OpenProcessToken(GetCurrentProcess(),
    TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &aToken);
if (!aStatus)
{
    ShowMessage("OpenProcessToken failed with last error code:" +
        IntToStr(GetLastError()) + " Description: " +
        SysErrorMessage(GetLastError()).c_str());
    return iRtn;
}

// Get the LUID for the appropriate shutdown privilege.
TOKEN_PRIVILEGES aTokenPrivileges;
aStatus = LookupPrivilegeValue(aLocalComputerName, SE_SHUTDOWN_NAME,
    &aTokenPrivileges.Privileges[0].Luid);
if (!aStatus)
{
    ShowMessage("LookupPrivilegeValue failed with last error code:" +
        IntToStr(GetLastError()) + " Description: " +
        SysErrorMessage(GetLastError()).c_str());
    CloseHandle(aToken);
    return iRtn;
}

// Set the appropriate shutdown privileges for this process.
aTokenPrivileges.PrivilegeCount = 1;
aTokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
aStatus = AdjustTokenPrivileges(aToken, FALSE, &aTokenPrivileges, 0,
    (PTOKEN_PRIVILEGES) 0, 0);
// Testing the return value is NOT sufficient
if (GetLastError() != ERROR_SUCCESS)
{
    ShowMessage("AdjustTokenPrivileges failed with last error code:" +
        IntToStr(GetLastError()) + " Description: " +
        SysErrorMessage(GetLastError()).c_str());
    CloseHandle(aToken);
    return iRtn;
}

// Reboot the host.
aStatus = ::InitiateSystemShutdownEx((LPTSTR)(LPCTSTR)aLocalComputerName,
    0, 0, TRUE, TRUE, 0x00050000);
if (!aStatus)
{
    ShowMessage("InitiateSystemShutdownEx failed with last error code:" +
        IntToStr(GetLastError()) + " Description: " +
        SysErrorMessage(GetLastError()).c_str());
}

CloseHandle(aToken);


