shutdown.exe
- File Path: C:\Windows\system32\shutdown.exe
- Description: Windows Shutdown and Annotation Tool
Runtime Data
Usage (stdout):
Usage: C:\Windows\system32\shutdown.exe [/i | /l | /s | /sg | /r | /g | /a | /p | /h | /e | /o] [/hybrid] [/soft] [/fw] [/f]
[/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]
No args Display help. This is the same as typing /?.
/? Display help. This is the same as not typing any options.
/i Display the graphical user interface (GUI).
This must be the first option.
/l Log off. This cannot be used with /m or /d options.
/s Shutdown the computer.
/sg Shutdown the computer. On the next boot,
restart any registered applications.
/r Full shutdown and restart the computer.
/g Full shutdown and restart the computer. After the system is
rebooted, restart any registered applications.
/a Abort a system shutdown.
This can only be used during the time-out period.
Combine with /fw to clear any pending boots to firmware.
/p Turn off the local computer with no time-out or warning.
Can be used with /d and /f options.
/h Hibernate the local computer.
Can be used with the /f option.
/hybrid Performs a shutdown of the computer and prepares it for fast startup.
Must be used with /s option.
/fw Combine with a shutdown option to cause the next boot to go to the
firmware user interface.
/e Document the reason for an unexpected shutdown of a computer.
/o Go to the advanced boot options menu and restart the computer.
Must be used with /r option.
/m \\computer Specify the target computer.
/t xxx Set the time-out period before shutdown to xxx seconds.
The valid range is 0-315360000 (10 years), with a default of 30.
If the timeout period is greater than 0, the /f parameter is
implied.
/c "comment" Comment on the reason for the restart or shutdown.
Maximum of 512 characters allowed.
/f Force running applications to close without forewarning users.
The /f parameter is implied when a value greater than 0 is
specified for the /t parameter.
/d [p|u:]xx:yy Provide the reason for the restart or shutdown.
p indicates that the restart or shutdown is planned.
u indicates that the reason is user defined.
If neither p nor u is specified the restart or shutdown is
unplanned.
xx is the major reason number (positive integer less than 256).
yy is the minor reason number (positive integer less than 65536).
Reasons on this computer:
(E = Expected U = Unexpected P = planned, C = customer defined)
Type Major Minor Title
U 0 0 Other (Unplanned)
E 0 0 Other (Unplanned)
E P 0 0 Other (Planned)
U 0 5 Other Failure: System Unresponsive
E 1 1 Hardware: Maintenance (Unplanned)
E P 1 1 Hardware: Maintenance (Planned)
E 1 2 Hardware: Installation (Unplanned)
E P 1 2 Hardware: Installation (Planned)
E 2 2 Operating System: Recovery (Unplanned)
E P 2 2 Operating System: Recovery (Planned)
P 2 3 Operating System: Upgrade (Planned)
E 2 4 Operating System: Reconfiguration (Unplanned)
E P 2 4 Operating System: Reconfiguration (Planned)
P 2 16 Operating System: Service pack (Planned)
2 17 Operating System: Hot fix (Unplanned)
P 2 17 Operating System: Hot fix (Planned)
2 18 Operating System: Security fix (Unplanned)
P 2 18 Operating System: Security fix (Planned)
E 4 1 Application: Maintenance (Unplanned)
E P 4 1 Application: Maintenance (Planned)
E P 4 2 Application: Installation (Planned)
E 4 5 Application: Unresponsive
E 4 6 Application: Unstable
U 5 15 System Failure: Stop error
U 5 19 Security issue (Unplanned)
E 5 19 Security issue (Unplanned)
E P 5 19 Security issue (Planned)
E 5 20 Loss of network connectivity (Unplanned)
U 6 11 Power Failure: Cord Unplugged
U 6 12 Power Failure: Environment
P 7 0 Legacy API shutdown
Usage (stderr):
Hibernation is not enabled on this system. You must enable hibernation in order to use the -h option.(126)
Child Processes:
RdpSa.exe
Loaded Modules:
Path |
---|
C:\Windows\System32\advapi32.dll |
C:\Windows\System32\bcryptPrimitives.dll |
C:\Windows\System32\combase.dll |
C:\Windows\System32\GDI32.dll |
C:\Windows\System32\gdi32full.dll |
C:\Windows\System32\IMM32.DLL |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\System32\msvcp_win.dll |
C:\Windows\System32\msvcrt.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\ole32.dll |
C:\Windows\System32\RPCRT4.dll |
C:\Windows\System32\sechost.dll |
C:\Windows\system32\shutdown.exe |
C:\Windows\SYSTEM32\shutdownext.dll |
C:\Windows\system32\SspiCli.dll |
C:\Windows\System32\ucrtbase.dll |
C:\Windows\System32\USER32.dll |
C:\Windows\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial: 33000001C422B2F79B793DACB20000000001C4
- Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: SHUTDOWN.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/6d262b3cbedac276c3eb960df923167fe0449218721334dcc48a561e981b5790/detection/
File Similarity (ssdeep match)
File | Score |
---|---|
C:\WINDOWS\system32\shutdown.exe | 58 |
Possible Misuse
The following table contains possible examples of shutdown.exe being misused. While shutdown.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
shutdown
Enables you to shut down or restart local or remote computers, one at a time.
Syntax
shutdown [/i | /l | /s | /sg | /r | /g | /a | /p | /h | /e | /o] [/hybrid] [/fw] [/f] [/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]
Parameters
Parameter | Description |
---|---|
/i | Displays the Remote Shutdown box. The /i option must be the first parameter following the command. If /i is specified, all other options are ignored. |
/l | Logs off the current user immediately, with no time-out period. You cannot use /l with /m or /t. |
/s | Shuts down the computer. |
/sg | Shuts down the computer. On the next boot, if Automatic Restart Sign-On is enabled, the device automatically signs in and locks based on the last interactive user. After sign in, it restarts any registered applications. |
/r | Restarts the computer after shutdown. |
/g | Shuts down the computer. On the next restart, if Automatic Restart Sign-On is enabled, the device automatically signs in and locks based on the last interactive user. After sign in, it restarts any registered applications. |
/a | Aborts a system shutdown. Effective only during the time-out period. To use /a, you must also use the /m option. |
/p | Turns off the local computer only (not a remote computer)—with no time-out period or warning. You can use /p only with /d or /f. If your computer doesn’t support power-off functionality, it will shut down when you use /p, but the power to the computer will remain on. |
/h | Puts the local computer into hibernation, if hibernation is enabled. You can use /h only with /f. |
/hybrid | Shuts down the device and prepares it for fast startup. This option must be used with the /s option. |
/fw | Combining this option with a shutdown option causes the next restart to go to the firmware user interface. |
/e | Enables you to document the reason for the unexpected shutdown on the target computer. |
/o | Goes to the Advanced boot options menu and restarts the device. This option must be used with the /r option. |
/f | Forces running applications to close without warning users. Caution: Using the /f option might result in loss of unsaved data. |
/m \\<computername> | Specifies the target computer. Can’t be used with the /l option. |
/t <xxx> | Sets the time-out period before shutdown to xxx seconds. The valid range is 0-315360000 (10 years), with a default of 30. If the timeout period is greater than 0, the /f parameter is implied. |
/d [p | u:]<XX>:<YY> | Lists the reason for the system restart or shutdown. The supported parameter values are: p - Indicates that the restart or shutdown is planned; u - Indicates that the reason is user-defined (NOTE: If p or u aren’t specified, the restart or shutdown is unplanned); xx - Specifies the major reason number (a positive integer, less than 256); yy - Specifies the minor reason number (a positive integer, less than 65536). |
/c <comment> | Enables you to comment in detail about the reason for the shutdown. You must first provide a reason by using the /d option and you must enclose your comments in quotation marks. You can use a maximum of 511 characters. |
/? | Displays help at the command prompt, including a list of the major and minor reasons that are defined on your local computer. |
Remarks
- Users must be assigned the Shut down the system user right to shut down a local or remotely administered computer that is using the shutdown command.
- Users must be members of the Administrators group to annotate an unexpected shutdown of a local or remotely administered computer. If the target computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see:
- If you want to shut down more than one computer at a time, you can call shutdown for each computer by using a script, or you can use shutdown /i to display the Remote Shutdown box.
- If you specify major and minor reason codes, you must first define these reason codes on each computer where you plan to use the reasons. If the reason codes aren’t defined on the target computer, Shutdown Event Tracker can’t log the correct reason text.
- Remember to indicate that a shutdown is planned by using the p parameter. Not using the p parameter indicates that the shutdown was unplanned.
- Using the p parameter, along with the reason code for an unplanned shutdown, causes the shutdown to fail.
- Not using the p parameter, and only providing the reason code for a planned shutdown, also causes the shutdown to fail.
Examples
To force apps to close and to restart the local computer after a one-minute delay, with the reason Application: Maintenance (Planned) and the comment “Reconfiguring myapp.exe”, type:
shutdown /r /t 60 /c "Reconfiguring myapp.exe" /f /d p:4:1
To restart the remote computer myremoteserver with the same parameters as the previous example, type:
shutdown /r /m \\myremoteserver /t 60 /c "Reconfiguring myapp.exe" /f /d p:4:1
MIT License. Copyright (c) 2020-2021 Strontic.