Shutting down Windows from kernel mode?

Question

Shutting down Windows from kernel mode?

I am trying to create a driver that intercepts a specific key sequence and reboots from kernel mode on Windows, similar to the REISUB sequence on Linux.

I created a keyboard hook like Ctrl2Cap and I tried calling NtShutdownSystemto reboot the system.

The handler detects a keystroke, but the problem is that when it actually calls NtShutdownSystem, I get a BSOD with an error code ATTEMPTED_SWITCH_FROM_DPC.

I assume this is because I cannot shut down the system from the executable DPC , so I probably need to execute my code from another place. But I do not know where.

So the question is:

How to disable the system after detecting a key sequence in kernel mode?

+5

winapi kernel

Mehrdad Aug 20 '11 at 22:12

source share

1 answer

Mehrdad · Accepted Answer · 2011-08-21T04:50:38+0000

Ah, I understood the answer ...

It seems to ExQueueWorkItemdo the trick:

VOID NTAPI MyShutdownSystem(PVOID) { NtShutdownSystem(1); }

// ... [code] ...

PWORK_QUEUE_ITEM pWorkItem =
    (PWORK_QUEUE_ITEM)ExAllocatePool(NonPagedPool, sizeof(WORK_QUEUE_ITEM));

if (pWorkItem != NULL) {
    ExInitializeWorkItem(pWorkItem, &MyShutdownSystem, NULL);
    ExQueueWorkItem(pWorkItem, DelayedWorkQueue);
}

Shutting down Windows from kernel mode?

How to disable the system after detecting a key sequence in kernel mode?

More articles: