Principles and implementation of Windows quick Shutdown

Source: Internet
Author: User

Open Task Manager, hold down the Ctrl key, and click the "Shut Down > Close" command in the Task Manager window: the system shuts down very quickly. If you hold down Ctrl and choose another command instead (for example, Restart), that command is executed just as quickly.
  
There are also dedicated fast-shutdown tools, such as Superfast Shutdown.
  
Before discussing the principle behind these techniques, let's look at how Windows shuts down. The Windows shutdown process involves several Windows components and several processes; in short, a Windows shutdown is not as simple as most people think. The basic sequence is as follows:
  
1. After the user issues the shutdown command, the program that issued it notifies the Windows subsystem process, CSRSS.EXE. CSRSS.EXE then exchanges data with Winlogon.EXE, and Winlogon.EXE in turn tells CSRSS.EXE to start shutting down the system.
  
2. After receiving the notification from Winlogon.EXE, CSRSS.EXE asks the user processes that own top-level windows, one after another, to exit. If a user process has not exited within 5000 milliseconds (the timeout can be changed through the registry value HKEY_CURRENT_USER\Control Panel\Desktop\HungAppTimeout), Windows displays the End Task dialog box asking whether the task should be terminated. By default this dialog box stays on screen and is not closed automatically. Console programs are handled in much the same way, but Windows takes their timeout from HKEY_CURRENT_USER\Control Panel\Desktop\WaitToKillAppTimeout.
  
3. The next step is to terminate the system processes, which include SMSS.EXE, Winlogon.EXE and LSASS.EXE. When a system process does not exit within the allotted time, Windows does not prompt the user; it simply skips that process and moves on to the next system process. The timeout used is the same as in step 1.
  
These three steps are the most time-consuming part of the Windows shutdown process, and most slow shutdowns are caused by them. Once they are complete, the system enters the 4th and final phase of the shutdown.
  
4. Winlogon.EXE calls the native API function NtShutdownSystem() to carry out the remaining cleanup. In this phase the Windows executive subsystems complete their final shutdown work: for example, device drivers perform any special driver-specific actions, and the configuration manager writes modified registry data to disk. After every subsystem except power management has finished and exited, power management carries out the final operation, such as the restart or power-off.
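The two registry timeouts mentioned in step 2 decide how long Windows waits for applications to save their state before it offers to kill them, so a value that has been shortened (or set to zero) is the first thing to check on a machine that "shuts down fast" but loses settings. The following PowerShell script is an added example, not code from the original article; it reads HKCU:\Control Panel\Desktop, reports both values, and flags anything that differs from the Windows defaults (5000 ms for HungAppTimeout, as the article states, and 20000 ms for WaitToKillAppTimeout). It assumes Windows PowerShell 5.1 or later on a Windows host.

```powershell
# Added example (not from the original article): report the per-user
# shutdown timeouts described in step 2 and flag non-default values.
function Get-ShutdownTimeoutReport {
    $desktopKey = 'HKCU:\Control Panel\Desktop'
    # Windows built-in defaults, in milliseconds.
    $defaults = [ordered]@{
        HungAppTimeout       = 5000    # wait for a GUI process with a top-level window
        WaitToKillAppTimeout = 20000   # wait for other (e.g. console) processes
    }

    $props = Get-ItemProperty -Path $desktopKey

    foreach ($name in $defaults.Keys) {
        $raw = $props.$name
        if ($null -eq $raw) {
            "{0,-22} not set (Windows uses its built-in default of {1} ms)" -f $name, $defaults[$name]
            continue
        }

        # Both values are REG_SZ strings that hold a millisecond count.
        $ms = 0
        if (-not [int]::TryParse([string]$raw, [ref]$ms)) {
            "{0,-22} present but not numeric: '{1}'" -f $name, $raw
            continue
        }

        $note = if ($ms -lt 1000) { 'very short: applications get little chance to save state' }
                elseif ($ms -ne $defaults[$name]) { 'changed from the default' }
                else { 'default' }

        "{0,-22} {1,6} ms  ({2})" -f $name, $ms, $note
    }
}

Get-ShutdownTimeoutReport
```

Run it as the user whose profile you are checking, because the key lives under HKEY_CURRENT_USER; a machine-wide policy or another user's profile will not be visible from here.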
  
Now that we know how Windows shuts down, let's analyze how a quick shutdown is done. First, the principle of Superfast Shutdown. It is written in Visual Basic and is only 15 KB in size. Analysis leads to a surprising conclusion: Superfast Shutdown first calls RtlAdjustPrivilege() to raise its privileges, and then calls NtShutdownSystem() directly to complete the shutdown. Because the three most time-consuming steps are skipped and the 4th step is entered directly, this gives the impression that the system can be shut down very quickly.
  
Now let's look at how Task Manager shuts down quickly: the analysis gives a result similar to the Superfast Shutdown principle; the shutdown is faster because some steps are omitted.

 

So why are settings lost after a quick shutdown? The reason is that the first three steps are where processes get the chance to exit normally. Most software keeps some of its settings in its own private memory while running and writes them back to a specific place, such as the registry or a configuration file, when it is closed. Step 1 of the shutdown operation provides no way to record these settings, because at that stage Windows assumes all the preceding steps have already been completed and that only the exit of the Windows core components remains. In this situation, it is no surprise that a quick shutdown causes settings to be lost.
  
So, for the sake of system health, it is better to shut down in the normal order: data safety usually matters more than the few dozen seconds saved.
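A shutdown that bypasses the first three steps never stops the Event Log service in an orderly way, so at the next boot Windows records Event ID 6008 ("the previous system shutdown was unexpected") and, on newer versions, Kernel-Power Event ID 41, while an orderly shutdown leaves a User32 Event ID 1074 followed by a 6006. An administrator who suspects that settings are being lost to quick-shutdown tools can therefore check the System log. The script below is an added example, not code from the original article; it assumes Windows PowerShell 5.1 or later and permission to read the System log.

```powershell
# Added example (not from the original article): list recent shutdown-related
# events so orderly shutdowns can be told apart from ones that skipped the
# normal sequence described in the text.
function Get-ShutdownHistory {
    param([int]$Days = 30)

    $filter = @{
        LogName   = 'System'
        StartTime = (Get-Date).AddDays(-$Days)
        Id        = 1074, 6006, 6008, 41
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $meaning = switch ($_.Id) {
                1074 { 'orderly: a process asked Windows to shut down or restart' }
                6006 { 'orderly: Event Log service stopped cleanly' }
                6008 { 'previous shutdown was unexpected (no clean stop)' }
                41   { 'Kernel-Power: rebooted without a clean shutdown' }
            }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                Provider = $_.ProviderName
                Meaning  = $meaning
            }
        }
}

Get-ShutdownHistory -Days 30 | Format-Table -AutoSize
```

A run of 6008/41 entries with no matching 1074 before them is the pattern to look for; the Provider column helps separate Kernel-Power 41 from any other System-log event that happens to reuse ID 41.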

 

The following is a fast shutdown method; in principle it raises its privileges and then writes to a specific I/O port to do the work:

#include <windows.h>
#include <winternl.h>   // NTSTATUS

// Use a custom (user-defined) entry point instead of the CRT's.
#pragma comment(linker, "/entry:AppEntry")

// Section attributes: if the data sections are merged into .text, the start
// of that section in memory must also be writable, otherwise the program
// cannot run. E = execute, R = readable, W = writeable.
// #pragma comment(linker, "/section:.text,ERW /align:0x1000")
// Merge the following sections into .text:
// #pragma comment(linker, "/merge:.data=.text")
// #pragma comment(linker, "/merge:.rdata=.text")

typedef enum _SYSDBG_COMMAND
{
    SysDbgSysReadIoSpace  = 14,
    SysDbgSysWriteIoSpace = 15
} SYSDBG_COMMAND, *PSYSDBG_COMMAND;

typedef NTSTATUS (NTAPI *PZWSYSTEMDEBUGCONTROL)
(
    SYSDBG_COMMAND ControlCode,
    PVOID          InputBuffer,
    ULONG          InputBufferLength,
    PVOID          OutputBuffer,
    ULONG          OutputBufferLength,
    PULONG         ReturnLength
);
PZWSYSTEMDEBUGCONTROL ZwSystemDebugControl = NULL;

typedef struct _IO_STRUCT
{
    DWORD IoAddr;     // in: I/O port address, aligned to NumBytes
    DWORD Reserved1;  // never accessed by the kernel
    PVOID pBuffer;    // in (write) or out (read): pointer to the data buffer
    DWORD NumBytes;   // in: number of bytes to read/write; only 1, 2 or 4
    DWORD Reserved4;  // must be 1
    DWORD Reserved5;  // must be 0
    DWORD Reserved6;  // must be 1
    DWORD Reserved7;  // never accessed by the kernel
} IO_STRUCT, *PIO_STRUCT;

// Note: the I/O-space commands of ZwSystemDebugControl were removed in
// Windows XP SP2 / Server 2003 SP1; on later versions the call fails and
// nothing is written to the port.
BYTE InPort(INT port)
{
    BYTE value;
    IO_STRUCT io;

    io.IoAddr    = port;
    io.Reserved1 = 0;
    io.pBuffer   = (PVOID)&value;
    io.NumBytes  = sizeof(BYTE);
    io.Reserved4 = 1;
    io.Reserved5 = 0;
    io.Reserved6 = 1;
    io.Reserved7 = 0;

    ZwSystemDebugControl(SysDbgSysReadIoSpace, &io, sizeof(io), NULL, 0, NULL);
    return value;
}

void OutPort(INT port, BYTE value)
{
    IO_STRUCT io;

    io.IoAddr    = port;
    io.Reserved1 = 0;
    io.pBuffer   = (PVOID)&value;
    io.NumBytes  = sizeof(BYTE);
    io.Reserved4 = 1;
    io.Reserved5 = 0;
    io.Reserved6 = 1;
    io.Reserved7 = 0;

    ZwSystemDebugControl(SysDbgSysWriteIoSpace, &io, sizeof(io), NULL, 0, NULL);
}

// Enable a named privilege in the current process token.
BOOL EnablePrivilege(LPCTSTR name)
{
    HANDLE hToken;
    BOOL rv;

    TOKEN_PRIVILEGES priv = { 1, { 0, 0, SE_PRIVILEGE_ENABLED } };
    LookupPrivilegeValue(0, name, &priv.Privileges[0].Luid);
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
    AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof(priv), 0, 0);
    rv = (GetLastError() == ERROR_SUCCESS);   // original had a single '=' here
    CloseHandle(hToken);
    return rv;
}

void APIENTRY AppEntry(void)
{
    HMODULE hNtdll;

    EnablePrivilege(SE_DEBUG_NAME);
    hNtdll = GetModuleHandleW(L"NTDLL.DLL");
    if (NULL == hNtdll)
    {
        // should not happen: ntdll is mapped into every process
        goto _exit;
    }

    ZwSystemDebugControl = (PZWSYSTEMDEBUGCONTROL)GetProcAddress(hNtdll, "ZwSystemDebugControl");
    if (ZwSystemDebugControl == NULL)
    {
        // MessageBoxW(NULL, L"load ZwSystemDebugControl function error!", L"", MB_ICONERROR);
        goto _exit;
    }

    // 0xFE to the keyboard-controller command port (0x64) pulses the CPU
    // reset line: a hard reset, with none of the shutdown steps above.
    OutPort(0x64, 0xFE);

_exit:
    ExitProcess(0);
}

 

 

Of course, you can also obtain NtShutdownSystem from Ntdll.DLL to implement a quick shutdown. NtShutdownSystem takes a single parameter, which can be set to one of:

ShutdownNoReboot // shut down without restarting
ShutdownReboot // shut down and restart
ShutdownPowerOff // shut down and power off

The values are 0, 1 and 2 respectively.