Shutdown.exe - Change the path in registry

0

I have a problem with the registry. In my school there are some trolls who create links and batch files to shut down other people's computers by placing them in shared folders and giving them names similar to the files we should use (e.g. "tcp.bat" or "tcp.java(.lnk)" instead of "tcp.java", which is hidden in a subdirectory, so the students open the bad file).

To do this they all use shutdown [args] or shutdown.exe [args]. For my school I have written a program to stop this by modifying the -t argument to at least one minute so the students can get some help from a teacher. But now I have a problem:

I thought that there were entries in the registry which point to the complete path of shutdown.exe, but there are none. I searched for shutdown.exe and shutdown, but found nothing pointing to the shutdown.exe. So now my question:

What do I have to change, and where, to make using shutdown or shutdown.exe point to my program instead of shutdown.exe?

Thank you for any help!

BDevGW

Posted 2019-04-10T19:07:39.847

Reputation: 73

1

This sounds like an XY problem. Rather than figuring out how to intercept "their" shutdown.exe attempt and replace it with "your" version, you are probably better off to prevent the malicious users from being able to place the malicious files where innocent users might launch them. (That might not be easy on a shared machine, depending on what other restrictions you might have.)

– Doug Deden – 2019-04-10T21:11:15.207

Answers

0

To answer the question you asked (spoiler: it won't solve your issue)...

Open a command prompt and type:

 echo %PATH%

That list of directories is where Windows looks for executable files (after the current directory), working from left to right until it finds a matching .exe or fails. If you insert a folder into your users' PATH variable before c:\windows\system32, e.g. c:\myscripts;c:\windows\system32;, your c:\myscripts\shutdown.exe will be found first.

You may need to update both the system and each user's PATH variable to ensure your shutdown.exe is found, but this can be easily defeated. There are several methods to shut down a computer via script or compiled code or even rundll32.exe. Also, this won't prevent absolute or relative paths to the real file. Shutdown.exe is just a convenience; it's not core to Windows shutting down. That said, I wouldn't try tampering with the file itself: while you might get your version to "stick", it's only a matter of time before Windows replaces it with the original.

Personally I would seriously look at group or local policy (depending on your network) to just revoke shutdown permissions for the problem users. It doesn't matter if a user runs the exe; if they don't have permission to shut down the machine, the operation will fail.

If you can't lock down the systems for whatever reason, your options are pretty limited.

Maybe instead of writing a shutdown replacement, run a script on a schedule (or write a service, etc.) on your file server that scans for any suspect files like .lnk or .bat files and deletes them (or, better yet, takes ownership and revokes access to the file so you can inspect it / log who created it, from which computer, etc.) and takes any action.

You could take this even further with some code by using a filesystem watcher on the shared folder (from the file server itself!): your application will be notified of each new filename created in pretty much real time and you can take whatever action (like turning off the attacker's computer :)

MisterSmith

Posted 2019-04-10T19:07:39.847

Reputation: 407
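The file-server-side watcher described in the last two paragraphs of this answer, written out as an added example; it is not code from MisterSmith's answer or from the asker's program. The share path D:\Shares\Students, the quarantine folder D:\Quarantine, the extension list and the function names are all assumptions for the example. It runs on the file server itself, elevated, so that takeown.exe and icacls.exe can act on the files, and it handles two cases the answer only hints at: a file renamed into a suspect name after creation, and a file that is still open over SMB when the Created event fires.

```powershell
# Added example, not code from the answer above. Assumed paths: the student share
# is D:\Shares\Students and quarantined files go to D:\Quarantine; change both.
# Run it on the file server itself, elevated, so takeown/icacls can act on the files.
$SharePath      = 'D:\Shares\Students'
$QuarantinePath = 'D:\Quarantine'
$LogPath        = Join-Path $QuarantinePath 'quarantine.log'
$SuspectExt     = @('.lnk', '.bat', '.cmd', '.vbs')   # what students should not be dropping on the share

New-Item -ItemType Directory -Force -Path $QuarantinePath | Out-Null

# The rule, kept in its own function so it is easy to extend. Only the final
# extension matters: "tcp.java.lnk" is a .lnk no matter how Explorer displays it.
function Test-SuspectFile {
    param([string]$Path)
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    return ($SuspectExt -contains $ext)
}

# Record the owner (the creator, unless someone changed it), take the file away
# from that user and move it aside for inspection. The client that just wrote
# the file over SMB may still hold it open, so the move is retried briefly.
function Invoke-Quarantine {
    param([string]$Path)
    $owner = (Get-Acl -LiteralPath $Path).Owner
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $QuarantinePath ('{0}_{1}' -f $stamp, (Split-Path -Path $Path -Leaf))
    & takeown.exe /F $Path /A | Out-Null                                               # owner -> Administrators group
    & icacls.exe $Path /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' | Out-Null  # drop inherited ACEs, admins only
    for ($try = 1; $try -le 5; $try++) {
        try { Move-Item -LiteralPath $Path -Destination $dest -Force -ErrorAction Stop; break }
        catch { Start-Sleep -Milliseconds 500 }
    }
    "$stamp`t$owner`t$Path`t$dest" | Add-Content -Path $LogPath
}

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $SharePath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter          = [System.IO.NotifyFilters]::FileName
$watcher.InternalBufferSize    = 64KB      # a burst of creates would overflow the default 8 KB buffer
$watcher.EnableRaisingEvents   = $true

# Created catches a direct drop; Renamed catches "New Text Document.txt" turned into "tcp.bat".
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier ShareCreated | Out-Null
Register-ObjectEvent -InputObject $watcher -EventName Renamed -SourceIdentifier ShareRenamed | Out-Null

# Events are consumed here in script scope (rather than in an -Action block) so
# the functions above are in scope. Stop with Ctrl+C; the finally block cleans up.
try {
    while ($true) {
        $evt  = Wait-Event                       # blocks until the watcher queues something
        $path = $evt.SourceEventArgs.FullPath    # for Renamed this is the new name
        Remove-Event -EventIdentifier $evt.EventIdentifier
        if (Test-SuspectFile -Path $path) { Invoke-Quarantine -Path $path }
    }
} finally {
    Unregister-Event -SourceIdentifier ShareCreated
    Unregister-Event -SourceIdentifier ShareRenamed
    $watcher.Dispose()
}
```

To run it unattended, register the script as a scheduled task that starts at boot under SYSTEM, or wrap it in a service. The log line written per file carries the owner, which on a domain share is the account that created it, so there is no need to "turn off the attacker's computer": the name is enough to take to a teacher.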

I think adding a new PATH variable is the best way. Removing the permission to shut down isn't helpful; the victim shuts his own machine down. It's not the attacker (at least not directly). Atm the people aren't smart enough to use other ways like their own code or the absolute path. :) – BDevGW – 2019-04-11T05:44:28.477

Changing the path will resolve your described problem, but just to clarify: I mean revoke shutdown permission for all your students; it doesn't matter if they are the "attacker" or "victim", neither type of student actually needs the shutdown permission. Based on past experience, this is a much more robust solution than hoping students don't learn new tricks. – MisterSmith – 2019-04-11T17:45:06.837

But they need to shut down their system because the computers aren't running until 18 o'clock (then a script shuts all remaining computers off); they have to turn it off after the work is done. If there will be any new tricks we could change it, but for now it's the best solution. Most of the students have their "tricks" from YouTube and don't have detailed information about absolute paths and such things :) – BDevGW – 2019-04-11T20:27:59.967

0

I agree with Doug Deden's comment that this sounds like an XY problem and changing some access permissions is probably a better way. Since this may still have some value regardless, here is a possible alternative.

The path to shutdown.exe is not set in the registry, but in your PATH variable. shutdown.exe is located in C:\Windows\System32, which is listed in your PATH variable. In order to find this for yourself, you can run where shutdown.

One option is to name your program shutdown.exe or shutdown.bat in whatever location you prefer and then add that location to the front of the PATH variable.

When you then run where shutdown, you will see something like:

C:\my\path\shutdown.exe
C:\Windows\System32\shutdown.exe

This list is in order of priority, so Windows will run the first item in the list unless otherwise specified. This would work to stop anyone who simply runs shutdown -s -t 0, but not anyone running C:\Windows\system32\shutdown -s -t 0.


Worthwelle

Posted 2019-04-10T19:07:39.847

Reputation: 3 556
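The PATH-ordering approach from this answer (and MisterSmith's), carried through end to end as an added example; it is not code from either answer, nor the asker's compiled program. The shim directory C:\ShutdownShim, the 60 s minimum, the function name Get-SafeShutdownArgs and the file name SafeShutdown.ps1 are choices made for the example. It also answers the literal question about the registry: the machine-wide PATH that Windows reads at logon is stored under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment (the per-user one under HKCU\Environment), and that is the only registry entry involved in resolving "shutdown". Two caveats are built in: the shim directory must not be writable by students, and a .cmd shim only catches a bare "shutdown", not "shutdown.exe" typed with the extension.

```powershell
# Added example, not code from the answer above. Assumptions: the shim directory
# is C:\ShutdownShim (it must not be writable by students, or they will drop their
# own shutdown.cmd there) and the enforced minimum delay is 60 seconds. Run from
# an elevated PowerShell prompt: the machine-wide PATH is stored in the registry
# under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment.
$ShimDir  = 'C:\ShutdownShim'
$MinDelay = 60
$RealExe  = Join-Path $env:SystemRoot 'System32\shutdown.exe'

# Rewrite a shutdown.exe argument list: any /t or -t below $Min is raised to $Min,
# and a shutdown (/s), restart (/r) or full restart (/g) without /t gets one added
# (shutdown.exe's own default is 30 s). /a, /l, /p and /? are passed through
# unchanged because shutdown.exe does not accept /t in those modes.
function Get-SafeShutdownArgs {
    param([string[]]$Arguments, [int]$Min = 60)
    $out = New-Object System.Collections.Generic.List[string]
    $sawTimeout   = $false
    $wantsTimeout = $false
    for ($i = 0; $i -lt $Arguments.Count; $i++) {
        $a = $Arguments[$i]
        if ($a -match '^[/-][tT]$') {
            $sawTimeout = $true
            $delay = 0
            # consume the number that follows "-t"; a missing or non-numeric value counts as 0
            if ($i + 1 -lt $Arguments.Count -and [int]::TryParse($Arguments[$i + 1], [ref]$delay)) { $i++ }
            $out.Add('/t')
            $out.Add([string][Math]::Max($delay, $Min))
        } else {
            if ($a -match '^[/-][srgSRG]$') { $wantsTimeout = $true }
            $out.Add($a)
        }
    }
    if ($wantsTimeout -and -not $sawTimeout) { $out.Add('/t'); $out.Add([string]$Min) }
    return ,$out.ToArray()
}

# shutdown.cmd is what cmd.exe finds for a bare "shutdown": it walks PATH one
# directory at a time, trying every PATHEXT extension in each, so a .cmd in the
# first directory beats System32\shutdown.exe. "shutdown.exe" typed with the
# extension matches only a file of exactly that name, so to intercept that too
# the compiled program from the question must also sit in $ShimDir as shutdown.exe.
$cmdShim = @'
@echo off
powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0SafeShutdown.ps1" %*
exit /b %ERRORLEVEL%
'@

# SafeShutdown.ps1 carries a copy of the function above and calls the real exe by
# absolute path, so the shim can never resolve back to itself.
$psShim = @"
`$RealExe = '$RealExe'
function Get-SafeShutdownArgs {
$(${function:Get-SafeShutdownArgs}.ToString())
}
& `$RealExe (Get-SafeShutdownArgs -Arguments `$args -Min $MinDelay)
exit `$LASTEXITCODE
"@

New-Item -ItemType Directory -Force -Path $ShimDir | Out-Null
Set-Content -Path (Join-Path $ShimDir 'shutdown.cmd')     -Value $cmdShim -Encoding Ascii
Set-Content -Path (Join-Path $ShimDir 'SafeShutdown.ps1') -Value $psShim  -Encoding Ascii

# Prepend to the machine-scope PATH. At logon Windows builds a process's PATH as
# the machine value followed by the user value, so a user-scope entry can never
# come before System32; only the machine value can. Command prompts that are
# already open keep their old PATH until they are reopened.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $ShimDir) {
    [Environment]::SetEnvironmentVariable('Path', "$ShimDir;$machinePath", 'Machine')
}

# Verify the search order the answer describes: the shim must be listed first.
$env:Path = "$ShimDir;$env:Path"      # apply to this session as well
where.exe shutdown
```

With this in place, "shutdown -s -t 0 -f" from a student's batch file reaches the real shutdown.exe as "/s /t 60 /f", which leaves time for "shutdown /a". "C:\Windows\System32\shutdown -s -t 0" still bypasses it, exactly as the answer says.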

-1

Your best option is to actually replace c:\windows\system32\shutdown.exe with your newly created .bat compiled into an .exe. To do so, you can follow the post linked below to convert your .bat to an .exe. Assuming your .bat just says shutdown /s /t 60, this should be fairly simple.

How can I convert a Windows batch script to a .exe?

Also, another way to abort the shutdown is just to bring up cmd while the timer is counting down and type shutdown /a

Narzard

Posted 2019-04-10T19:07:39.847

Reputation: 2 276

That's not what I mean. I mean student X writes his script, but to prevent him from harming other students I want his "shutdown.exe -s -t 0 -f" to run my app instead of the real shutdown. My app will change the command line to "-s -t 60 -f" so his victim can cancel the process, which won't be possible with "-t 0" :) Also I don't want to replace the real .exe because I still need it to use other programs and Windows' own shutdown... I think there is a reason why Microsoft wrote the shutdown.exe :) – BDevGW – 2019-04-10T19:56:18.430

So, the other method is to change the environment variable, but you would still have to change it back to use the native shutdown. So just renaming the old shutdown and compiling a new one, then changing it back another time, would be fine. Same result, same number of changes. – Narzard – 2019-04-10T21:05:32.697