Date: | October 20, 2006 / year-entry #355 |
Tags: | tipssupport |
Orig Link: | https://blogs.msdn.microsoft.com/oldnewthing/20061020-02/?p=29313 |
Comments: | 35 |
When you are connected to a workstation via Remote Desktop, the "Turn Off Computer" option changes to "Disconnect". But what if you really want to turn off the computer, hibernate it, or put it on stand-by?

Note: These tips work on Windows XP, but there is no guarantee that they will work in future versions of Windows.

One way to do this is to run Task Manager and select your shutdown option from the "Shut Down" menu.

Another trick is to click on the desktop and type Alt+F4. This will call up the shutdown dialog, where you get the usual shutdown options like "Shut down", "Shut down without installing updates", "Restart", "Stand by", and "Hibernate".

These next two tricks are documented and will continue to work in future versions of Windows:

If you're a command line person, you can run

Finally, if your computer isn't using Fast User Switching, you can type the Ctrl+Alt+End hotkey, which is the Remote Desktop version of Ctrl+Alt+Del and consequently takes you to a dialog where you can do various system-type things, among them logging off and shutting down.
Comments (35)
You can also choose Windows Security from the Start Menu, and then Shutdown.
The real question is why does shutdown.exe require admin privs?
I generally don’t like to shutdown the machine through remote desktop, but I do hibernate it with remote desktop.
rundll32 powerprof.dll,SetSuspendState
Especially with servers, you SHOULD be required to have admin rights. Just my 2 cents…
Since it’s a remote machine, I’m fond of using shutdown.exe to kill the thing remotely:
shutdown.exe -s -f -t 01 -m RemoteMachineName
I recently ran into a problem where a remote machine would reboot fine from the menu, but not with "shutdown -r". In that case it would start shutting down, but fail somewhere in the middle such that somebody had to physically push the power button. That was really annoying the first few times!
Ack, don’t use rundll32 unless the target function is expecting a specific set of parameters!
http://blogs.msdn.com/oldnewthing/archive/2004/01/15/58973.aspx
You’re passing a random value for the Hibernate flag, zero (…I think) for ForceCritical, and a random pointer for the DisableWakeEvent flag. Plus the function isn’t cleaning the stack correctly.
Anyway. It’s interesting that Server 2003’s RDP server allows you to shut the machine down, while XP’s does not. It’s not because of some issue with XP only allowing one client, because allowing The One client to shut down the machine is better than letting one (admin-level) client out of fifty shut it down. It must just be one of those features that was removed from XP’s version or something. (Or a feature that was never added, one of the two. I guess I assumed that Server 2003’s implementation was copied and modified; that may not be the way it happened.)
The issue with using Task Manager to shutdown is that Hibernate is always disabled or the shutdown menu is not present.
Any reason for that?
Francisco
I thought that the Windows Security menu was the correct way to shutdown a machine accessed via Terminal Services? Or because it can be removed by group policy you need another way?
This KB article also seems to suggest yet another way: http://support.microsoft.com/kb/q303070/
Personally I don’t see anything wrong with requiring admin, or at least some escalated, privileges to remotely shut down a server connected via remote desktop.
It’s one more line of defence against some malicious attacker trying to attack your servers by remotely turning them all off. Provided they haven’t got an admin login (and if they have, you’re already screwed).
Linux mandates a root login to run the "shutdown" command, and I don’t see too many people complaining about that.
If you’re not responsible for the running and upkeep of the server, why do you need to reboot it? I’ve got several 2003 server boxes that have been up for months without ever requiring a reboot, and that’s not saying much.
shutdown requires admin privs because you don’t want any random person who happens to be able to remotely log into your system to be able to shut it down!
Yes, anyone sat at the physical console can shutdown a system, but they could also pull the plug out, hit the box with a sledgehammer, waft large magnets nearby, etc…, so there’s not much point preventing someone sat at the console from shutting down a system.
However, you don’t want everyone who’s remotely logged into a system (not just DB, web servers, think terminal services!) to be able to Denial-of-service it to everyone else by shutting it down. Therefore, command-line programs should have access restrictions on them.
Arguably, that an ordinary user can shut a computer down via remote desktop should be considered a security hole.
Unless there’s a way of configuring it so that this is not possible?
E.g. a number of unix systems have an option to select who is allowed to shutdown a system, from which the options are: only root, member of group (with selectable group), console user, everyone.
(I generally set this to “console user” and /also/ give sudo (run as administrator) rights to “shutdown” for the “staff” group)
can shut down a Windows machine. The behavior I consider a bug is that shutdown.exe checks for admin privilege instead of SeShutdownPrivilege. But there may be a good reason for it (e.g. shutdown.exe writes to the event log before shutting down). -Raymond]
And of course they’re nice and up-to-date on the latest round of Microsoft patches from last week that required a reboot, aren’t they? :-P
using the policy editor you can specify which users can shutdown a computer remotely.
Remote_Shutdown_Should_Require_Admin_Privileges++;
This is easy.
Just open a run prompt dialog (Windows key + R) (Start > Run)
type:
shutdown -s -t ##
Replace ## with the time you want it to take for the computer in question (the one you’re connected to) to actually start the shutdown process.
Restart flag is -r
So if you wanted to restart, simply connect to the machine, as I’m sure this is what you’ve been doing and are questioning above and type:
shutdown -r -t ##
If you do not specify the -t flag it will default to 30 seconds.
-Raymond]
What most posters here seem to be missing is that shutting down requires Shutdown privileges. By default, just Administrators get this privilege (I think), but you can give a user the shutdown privilege without giving them full Administrator rights. I think that Raymond is saying that shutdown.exe checks for Administrator rights when it should be checking for shutdown privilege rights.
By default the "Shut down the system" local security privilege is extended to:
Administrators
Backup Operators
Power Users
Users
… which sort of makes sense. I agree that non-admin users should be able to shut down a system if they’re logged in interactively, as opposed to through TS.
So once we have shut down the system, how do we turn it back on remotely?
I’d be interested to hear other people’s solutions.
http://en.wikipedia.org/wiki/Wake_on_LAN
Do people even read the blog post before they comment?
"I don’t use X because of this problem."
"Why don’t you use X?!?!"
"What a fine suggestion!"
For the record, shutdown.exe works more or less "correctly" in Vista. I can execute ‘shutdown’ non-elevated to get a shutdown, a restart, or to hibernate. Still doesn’t appear to support sleep.
The other (extremely) useful parameter to shutdown.exe is /a, which aborts a shutdown in progress. Sometimes I’m just not ready to go yet.
Shutdown.exe does not explicitly check for admin membership. See my blog post explaining it and offering a workaround:
Workaround for Shutdown.exe LUA bug
http://blogs.msdn.com/aaron_margosis/archive/2006/01/27/518214.aspx
Of course there’s also SysInternals’ psshutdown tool: http://www.sysinternals.com/Utilities/PsShutdown.html
Not having wake-on-lan capable hardware I used to wire the DTR signal of one serial port of my (always on) router to the RING signal of the machine I wanted to wake up and enable wake-on-modem-ring in the BIOS.
Used that to boot the machine while being a few thousand kilometers away. Amazing stuff, technology.
Oh, and of course I could also have just used a real modem and an unused ISDN number. Eliminates the need for a second PC, but then anybody dialing the number even by accident would cause it to boot, which I didn’t like.
Also, if you use Process Explorer from sysinternals (everyone here SHOULD be!), its TaskMgr.exe-alike menus include all the shutdown/logoff options.
Process Explorer has a simple menu option that causes it to replace TaskMgr.exe, which works even when you use tm’s CTRL-SHIFT-ESC.
I don’t know how many times I’ve needed to reboot a machine while accessing it over Remote Desktop. I usually…
Once I tried to reboot a workstation via Remote Desktop, but the shutdown process hung. According to the event viewer there was more than one person logged in to the computer but I have no idea who that was supposed to be nor why the warning did not display in the desktop.
I have the same problem as Francisco Moraes; task manager’s shut down menu has hibernate and standby disabled. I don’t know why. I *can* instigate a hibernate by using the ALT-F4 in explorer trick.
> how do we turn it back on remotely?
Buy some canes* from your local garden centre, tape them together (lengthwise), and with practice you should be able to press the power button from quite a distance.
* I suppose you could also buy canes from your local bdsm shop, but they tend to be somewhat shorter.
rundll32 user32.dll,ExitWindowsEx
What flags do I pass to shutdown.exe or the shutdown dialog so I can restart and install updates?
I only see the Shutdown and Install updates, when I really want Reboot and Install updates.
Mike
Mike — I would *hope* you can just "Reboot", and that will install the updates. But I don’t know for sure…
It may not be optimal, but I use a desktop shortcut with "runas" to elevate privileges. Of course, you *DON’T* want to put the admin password in the shortcut. When you click on the shortcut, you can type your admin password, and it will shut down.
My desktop shortcut with the following path:
%windir%\system32\runas.exe /user:AdminAcctNameHere "%windir%\system32\shutdown.exe -s"
I’ve got a second shortcut with the "-r" flag to do a restart.
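Much of the discussion above turns on which accounts actually hold the "Shut down the system" right (SeShutdownPrivilege) and who may shut a machine down remotely. The following PowerShell is an added example, not part of the original post or its comments: it exports the local user-rights policy with secedit and lists the holders of SeShutdownPrivilege and SeRemoteShutdownPrivilege. It assumes an elevated prompt and PowerShell 3.0 or later; the temporary file name is arbitrary.

```powershell
# Added example: list who holds the local and remote shutdown rights.
# Assumption: run elevated, since secedit needs administrative rights to export policy.
$rights = @{
    'SeShutdownPrivilege'       = 'Shut down the system'
    'SeRemoteShutdownPrivilege' = 'Force shutdown from a remote system'
}

$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user-rights area of the local security policy.
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

    foreach ($line in Get-Content -LiteralPath $inf) {
        # Lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
        if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        if (-not $rights.ContainsKey($name)) { continue }

        foreach ($entry in $Matches[2].Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }      # right is defined but granted to no one
            $account = $entry
            if ($entry.StartsWith('*')) {
                # "*S-1-..." is a SID; resolve it to an account name where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $account = $sid.Value }  # orphaned or unresolvable SID
            }
            [pscustomobject]@{
                Right   = $name
                Policy  = $rights[$name]
                Account = $account
            }
        }
    }
}
finally {
    # Do not leave the exported policy file behind.
    Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
}
```

A right that does not appear in the output is granted to no account. To see whether SeShutdownPrivilege is present in your own token inside a Remote Desktop session, run `whoami /priv`.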