How am I able to shut down the system when I don't have SeShutdownPrivilege?



Users in Windows can be granted various privileges

Privileges determine the type of system operations that a user account can perform. An administrator assigns privileges to user and group accounts. Each user's privileges include those granted to the user and to the groups to which the user belongs.

There are currently 35 privileges. Some of the more interesting ones are:

  • SeSystemtimePrivilege: Required to modify the system time.
  • SeTimeZonePrivilege: Required to adjust the time zone associated with the computer's internal clock.
  • SeBackupPrivilege: This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file.
  • SeCreatePagefilePrivilege: Required to create a paging file.
  • SeRemoteShutdownPrivilege: Required to shut down a system using a network request.
  • SeDebugPrivilege: Required to debug and adjust the memory of a process owned by another account.

But the one I'm interested in is:

  • SeShutdownPrivilege: Required to shut down a local system.

I noticed that I don't actually have this privilege. From an elevated command prompt:

>whoami /priv


Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeShutdownPrivilege             Shut down the system                      Disabled

This is confirmed when using Process Explorer to examine the security token of an elevated process running as me:


And yet I can shut down the system. Why?

The Group Policy says I should have it

If you use the Local Security Policy editor snapin (secpol.msc), you can see that I should have the privilege:

  • secpol.msc

    • Security Settings
    • Local Policies
    • User Rights Assignment
    • Shut down the system


The explanation of the privilege:

Shut down the system

This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.

Default on Workstations: Administrators, Backup Operators, Users.

Default on Servers: Administrators, Backup Operators.

Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.

I'm a User. Sometimes I'm an Administrator, and other times I'm a NotAdministrator.

Perhaps the question should be why don't I have the privilege.

But the reality is that I don't have the privilege; and yet when locally logged in I can shut down the local system.


@Mehrdad had a good answer, which he deleted, that I think deserves attention and answers the question nicely and succinctly:

You have the privilege. It's merely disabled by default. If you didn't have the privilege then it wouldn't be listed at all.

Your group policy handled by the domain will override your local group policy. Adjust the domain permissions instead of the local permissions. When you ran "whoami /priv", what user group were you in? If I have completely not understood what you are asking, edit your question, because I am only taking a wild guess what you are asking. – Ramhound – 2017-09-27T20:18:12.477

I am asking why I am able to shut down the system when my security token does not have the privilege. Whether the privilege comes from the local machine or the domain controller: either way I don't have it. – Ian Boyd – 2017-09-27T21:01:50.733

You have the permission, but it is disabled. That's what PowerShell is telling you.

To shut down the system you use the Win32 API function called InitiateSystemShutdown or ExitWindowsEx:

ExitWindowsEx(EWX_POWEROFF, 0);

These functions note:

To shut down the local computer, the calling thread must have the SE_SHUTDOWN_NAME privilege. By default, users can enable the SE_SHUTDOWN_NAME privilege on the computer they are logged onto, and administrators can enable the SE_REMOTE_SHUTDOWN_NAME privilege on remote computers.

As you can see, Windows checks thread privileges (any thread has a token with privileges). If you call ExitWindowsEx without the SE_SHUTDOWN_NAME privilege, the function will fail with the error:

Error code: 1314
A required privilege is not held by the client

Threads that you create by default inherit your privileges; but a program can enable a disabled privilege that it has been granted using AdjustTokenPrivileges:

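#include <windows.h>

HANDLE processToken;
TOKEN_PRIVILEGES tp;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &processToken);

tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tp.Privileges[0].Luid); // "SeShutdownPrivilege"
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

// Returns TRUE even when the privilege is not in the token; GetLastError() is then ERROR_NOT_ALL_ASSIGNED
AdjustTokenPrivileges(processToken, FALSE, &tp, 0, NULL, NULL);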

Changing Privileges in a Token says:

AdjustTokenPrivileges cannot add or remove privileges from the token. It can only enable existing privileges that are currently disabled or disable existing privileges that are currently enabled

So, why is this privilege disabled by default? To make sure that no program can shut down Windows by accident. Applications should ask for this explicitly.

There is an ancient but very good book: about all that stuff.


I actually bought that book a couple of years ago; I'll have to give it a re-read. – Ian Boyd – 2017-09-28T19:18:48.280

If you know C you can download VS Community (which is free) and try to shut down the PC programmatically without the priv. Then enable this priv programmatically and try again. It is the best way to study anything about Windows :) – user996142 – 2017-09-28T19:35:43.310

@user996142 - what, by shutting it down? Guess you're right. :) – Jules – 2017-09-29T00:12:54.033
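The distinction drawn above, between a privilege that is in the token but disabled and one that is absent from it, can be checked from the `whoami /priv /fo csv` output. This is an added example, not code from the original posts; the function name `Get-TokenPrivilegeState` is hypothetical, the sample rows are constructed from the table in the question, and English `whoami` output is assumed.

```powershell
# Added example: classify a privilege as NotHeld, Disabled or Enabled.
function Get-TokenPrivilegeState {
    param(
        [Parameter(Mandatory)] [string] $Privilege,
        # CSV lines as produced by `whoami /priv /fo csv`; defaults to the live token.
        [string[]] $Csv = (whoami /priv /fo csv)
    )
    # Name the columns ourselves, then drop the header row that whoami emits.
    $rows = $Csv |
        ConvertFrom-Csv -Header Name, Description, State |
        Select-Object -Skip 1
    $row = $rows | Where-Object { $_.Name -eq $Privilege } | Select-Object -First 1

    if (-not $row) {
        # Not listed at all: the token does not carry the privilege, and
        # AdjustTokenPrivileges cannot add it.
        return 'NotHeld'
    }
    # Listed: 'Disabled' means held and can be switched on by the process,
    # 'Enabled' means it is already active.
    return $row.State
}

# Constructed sample mirroring the elevated-prompt table in the question.
$sample = @(
    '"Privilege Name","Description","State"'
    '"SeIncreaseQuotaPrivilege","Adjust memory quotas for a process","Disabled"'
    '"SeSecurityPrivilege","Manage auditing and security log","Disabled"'
    '"SeTakeOwnershipPrivilege","Take ownership of files or other objects","Disabled"'
    '"SeShutdownPrivilege","Shut down the system","Disabled"'
)

Get-TokenPrivilegeState -Privilege SeShutdownPrivilege -Csv $sample
Get-TokenPrivilegeState -Privilege SeDebugPrivilege -Csv $sample
```

Omit `-Csv` to query the token of the current PowerShell process instead of the sample.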


It's because your user belongs to a group that has that privilege enabled.

To see for yourself which group(s):

  • Open a PowerShell (or Command) prompt as Admin.
  • Run secedit /export /areas USER_RIGHTS /cfg OUTFILE.CFG.
  • View the contents of OutFile.cfg in Notepad or the like, and look for the SeShutdownPrivilege entry. You will (should) see a couple/few SIDs for users and/or groups that have that privilege enabled.

So I have three short SIDs listed. Short SIDs are usually computer-level accounts/groups. For example, one of them is S-1-5-32-545.

Using PowerShell we can determine which account/group that SID represents:

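# Build a SID object from its string form
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-32-545")
# Resolve the SID to an account or group name
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value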

This returns BUILTIN\Users.

Since you're a user on that computer, you're automatically a member of that group, meaning you can shut down the computer.

The other two I have are S-1-5-32-544 and S-1-5-32-551. These are the standard BUILTIN\Administrators group and the BUILTIN\Backup Operators group, which line up with the groups you're seeing in the secpol.msc dialog.
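The steps in this answer, combined into one script as an added example (not code from the original answer): it exports the user rights, finds the SeShutdownPrivilege entry and resolves each SID to a name. The function name `Get-UserRightHolders` and the temporary file name are hypothetical, and the sample line is constructed from the three SIDs quoted above.

```powershell
# Added example: list the accounts and groups assigned a user right.
function Get-UserRightHolders {
    param(
        [string] $Right = 'SeShutdownPrivilege',
        # Lines of a secedit export; when omitted, export now (elevated prompt needed).
        [string[]] $Cfg
    )
    if (-not $Cfg) {
        $file = Join-Path $env:TEMP 'user_rights.cfg'   # hypothetical output path
        secedit /export /areas USER_RIGHTS /cfg $file | Out-Null
        $Cfg = Get-Content $file
        Remove-Item $file
    }

    # Entries look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
    $line = $Cfg | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }          # right is not assigned to anyone

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry -match '^\*(S-1-[\d-]+)$') {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $Matches[1]
            try {
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                # Orphaned SID (deleted account or unreachable domain): keep it raw.
                $sid.Value
            }
        }
        else {
            $entry                      # entry is already written as an account name
        }
    }
}

# Constructed sample using the three SIDs from the answer.
$sample = @(
    '[Privilege Rights]'
    'SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551'
)
Get-UserRightHolders -Cfg $sample
```

The same function works for any other right in the export, for example `Get-UserRightHolders -Right SeRemoteShutdownPrivilege`, which is useful when auditing who can shut down a server.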


