Tags: ntoskrnl.exe, T1529, T1485, T1106

NtShutdownSystem

Kernel-mode shutdown trigger — powers off, reboots or shuts down the system in one syscall.

Prototype

NTSTATUS NtShutdownSystem(
  SHUTDOWN_ACTION Action  // 0 = ShutdownNoReboot, 1 = ShutdownReboot, 2 = ShutdownPowerOff
);

Arguments

Name    Type             Dir  Description
Action  SHUTDOWN_ACTION  in   0 = ShutdownNoReboot (stop the OS at the 'It is now safe' screen), 1 = ShutdownReboot, 2 = ShutdownPowerOff.

Syscall IDs by Windows version

Windows version   Syscall ID   Build
Win10 1507        0x198        win10-1507
Win10 1607        0x1A1        win10-1607
Win10 1703        0x1A7        win10-1703
Win10 1709        0x1AA        win10-1709
Win10 1803        0x1AC        win10-1803
Win10 1809        0x1AD        win10-1809
Win10 1903        0x1AE        win10-1903
Win10 1909        0x1AE        win10-1909
Win10 2004        0x1B4        win10-2004
Win10 20H2        0x1B4        win10-20h2
Win10 21H1        0x1B4        win10-21h1
Win10 21H2        0x1B6        win10-21h2
Win10 22H2        0x1B6        win10-22h2
Win11 21H2        0x1BF        win11-21h2
Win11 22H2        0x1C3        win11-22h2
Win11 23H2        0x1C3        win11-23h2
Win11 24H2        0x1C6        win11-24h2
Server 2016       0x1A1        winserver-2016
Server 2019       0x1AD        winserver-2019
Server 2022       0x1BC        winserver-2022
Server 2025       0x1C6        winserver-2025

Kernel module

ntoskrnl.exe (NtShutdownSystem)

Related APIs

ExitWindowsEx, InitiateShutdownW, InitiateSystemShutdownExW, NtRaiseHardError, NtSetSystemPowerState

Syscall stub

4C 8B D1            mov r10, rcx
B8 C6 01 00 00      mov eax, 0x1C6
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtShutdownSystem is the rawest shutdown primitive Windows exposes to user mode. Unlike `ExitWindowsEx` / `InitiateShutdownW` it does *not* notify processes, broadcast `WM_QUERYENDSESSION`, run shutdown scripts, or honour pending file renames — it goes straight to `PoInitiateSystemShutdown` and tears the kernel down with the chosen `SHUTDOWN_ACTION`. The caller token must hold `SeShutdownPrivilege`, which interactive users have by default but service and most malware-controlled tokens do *not* — attackers usually need `AdjustTokenPrivileges` to enable it first. `ShutdownNoReboot` (0) leaves the machine at the legacy 'It is now safe to turn off your computer' screen and is rare in malicious use; `ShutdownReboot` (1) and `ShutdownPowerOff` (2) are the practical choices.

Common malware usage

Two distinct abuse patterns. **Wipers**: HermeticWiper (DEV-0586 / FoxBlade), IsaacWiper, CaddyWiper and WhisperGate all overwrite the MBR/MFT then call a shutdown primitive to force the unbootable state to be visible — NtShutdownSystem is the lowest-level option and bypasses the user-mode shutdown UI. **Post-encryption ransomware**: some Conti, LockBit 3.0 ('Black') and BlackCat (ALPHV) variants reboot the host after the encryptor finishes so the user sees the ransom-note background and the desktop is unrecoverable until reboot. Wipers prefer it when stealth has already been abandoned; ransomware tends to prefer `InitiateShutdownW` with REASON_PLANNED to look more legitimate for the brief window before reboot.

Detection opportunities

`Microsoft-Windows-Kernel-General` Event ID 13 fires on shutdown and includes the initiating process — invaluable when investigating a wiper post-mortem. Event Log 1074 (User32) records `ExitWindowsEx`-style shutdowns *with* their initiator; an NtShutdownSystem-driven shutdown will *not* generate Event 1074 because user32 was never on the path — that absence itself is a useful signal. `Microsoft-Windows-Wininit` Event 1 records the start-of-shutdown phase. EDRs frequently hook `ntdll!NtShutdownSystem` or kernel `NtShutdownSystem` directly because the legitimate-caller baseline is essentially `winlogon.exe`, `csrss.exe`, `wininit.exe` and a handful of management tools — anything else is high signal.
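The "absence of Event 1074" signal described above can be turned into a simple correlation rule. What follows is an added example, not code from this page: it runs over constructed sample records that stand in for parsed System-log entries (the field names `time`, `provider`, `event_id` and `message` are this example's own, as is the five-minute window) and flags every `Microsoft-Windows-Kernel-General` Event 13 that is not preceded by a User32 Event 1074 within that window.

```python
"""Flag orderly shutdowns the kernel recorded but user32 never announced.

A shutdown that passed through ExitWindowsEx / InitiateShutdownW leaves a
User32 1074 ("... has initiated the restart/shutdown of computer ...") shortly
before the Kernel-General 13.  A shutdown driven by NtShutdownSystem leaves
only the 13.  This example correlates the two and returns the unannounced ones.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry).  Two shutdowns:
#   09:59/10:00  normal: User32 1074 precedes Kernel-General 13
#   14:30        Kernel-General 13 with no 1074 at all
SAMPLE_EVENTS = [
    {"time": "2026-05-20T09:59:40", "provider": "User32", "event_id": 1074,
     "message": "The process C:\\Windows\\Explorer.EXE has initiated the restart "
                "of computer HOST1 on behalf of user HOST1\\alice for the "
                "following reason: Other (Unplanned)"},
    {"time": "2026-05-20T10:00:02",
     "provider": "Microsoft-Windows-Kernel-General", "event_id": 13,
     "message": "The operating system is shutting down at system time "
                "2026-05-20T10:00:02Z."},
    {"time": "2026-05-20T14:30:11",
     "provider": "Microsoft-Windows-Kernel-General", "event_id": 13,
     "message": "The operating system is shutting down at system time "
                "2026-05-20T14:30:11Z."},
]


def _parse_time(value: str) -> datetime:
    """Timestamps in the sample are ISO-8601 without zone; treat as local time."""
    return datetime.fromisoformat(value)


def find_unattributed_shutdowns(events, window=timedelta(minutes=5)):
    """Return the Kernel-General 13 records that have no User32 1074 inside
    the preceding `window`.  Those are the shutdowns user32 never saw."""
    initiations = [_parse_time(e["time"]) for e in events
                   if e["provider"] == "User32" and e["event_id"] == 1074]
    flagged = []
    for e in events:
        if e["provider"] != "Microsoft-Windows-Kernel-General" or e["event_id"] != 13:
            continue
        t = _parse_time(e["time"])
        if not any(t - window <= i <= t for i in initiations):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for hit in find_unattributed_shutdowns(SAMPLE_EVENTS):
        print("shutdown without User32 1074:", hit["time"], hit["message"])
```

The rule deliberately keys on the orderly-shutdown record: a power cut or bug check produces no Kernel-General 13 at all (Kernel-Power 41 appears on the next boot instead), so those cases are not flagged here. The window should be kept short; 1074 lands seconds before 13 on a normal shutdown, and a wide window would let an unrelated earlier 1074 mask a later raw shutdown.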

Direct syscall examples

asm: x64 direct stub

; Direct syscall stub for NtShutdownSystem (SSN 0x1C6 on Win11 24H2)
NtShutdownSystem PROC
    mov  r10, rcx          ; SHUTDOWN_ACTION
    mov  eax, 1C6h         ; SSN — verify per-build
    syscall
    ret
NtShutdownSystem ENDP

c: Wiper-style hard reboot

// Final stage of a destructive payload: enable SeShutdownPrivilege and reboot.
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "advapi32.lib")  // OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges

typedef NTSTATUS (NTAPI *pNtShutdownSystem)(int /*SHUTDOWN_ACTION*/);

void HardReboot(void) {
    HANDLE hTok;
    TOKEN_PRIVILEGES tp = {0};
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hTok);
    LookupPrivilegeValueW(NULL, L"SeShutdownPrivilege", &tp.Privileges[0].Luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // Note: AdjustTokenPrivileges returns TRUE even when the token does not
    // hold the privilege at all; GetLastError() then yields ERROR_NOT_ALL_ASSIGNED
    // and the NtShutdownSystem call below fails with STATUS_PRIVILEGE_NOT_HELD.
    AdjustTokenPrivileges(hTok, FALSE, &tp, 0, NULL, NULL);
    CloseHandle(hTok);

    pNtShutdownSystem fn = (pNtShutdownSystem)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtShutdownSystem");
    fn(1 /* ShutdownReboot */);   // no WM_QUERYENDSESSION, no shutdown scripts
}

rust: Power-off path

// Cargo: ntapi = "0.4"
// NtShutdownSystem and the SHUTDOWN_ACTION values are declared in ntapi::ntexapi
// (mirroring phnt's ntexapi.h; module path assumed from the crate layout).
// SHUTDOWN_ACTION is a winapi-style ENUM! alias for u32, so ShutdownPowerOff is a
// plain constant, not an enum variant: `SHUTDOWN_ACTION::ShutdownPowerOff` does not compile.
use ntapi::ntexapi::{NtShutdownSystem, ShutdownPowerOff};

unsafe fn power_off() -> i32 {
    // SeShutdownPrivilege must already be enabled on the calling token.
    // Returns an NTSTATUS; on success the call does not return at all.
    NtShutdownSystem(ShutdownPowerOff)
}

MITRE ATT&CK mappings

T1529 System Shutdown/Reboot
T1485 Data Destruction
T1106 Native API

Last verified: 2026-05-20