From: Hermès Bélusca-Maïto Date: Sun, 1 Apr 2018 12:46:19 +0000 (+0200) Subject: [NTOSKRNL] Forbid processes without the Tcb privilege to perform a user-mode hard... X-Git-Tag: 0.4.9-RC~320 X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=f0729b30bb79d6f538cf2b9578ff8ebe7989f8d3 [NTOSKRNL] Forbid processes without the Tcb privilege to perform a user-mode hard-error BSOD. --- diff --git a/ntoskrnl/ex/harderr.c b/ntoskrnl/ex/harderr.c index 84f409a1bbb..a5200e3e74a 100644 --- a/ntoskrnl/ex/harderr.c +++ b/ntoskrnl/ex/harderr.c @@ -132,8 +132,18 @@ ExpRaiseHardError(IN NTSTATUS ErrorStatus, /* Check if this error will shutdown the system */ if (ValidResponseOptions == OptionShutdownSystem) { - /* Check for privilege */ - if (!SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode)) + /* + * Check if we have the privileges. + * + * NOTE: In addition to the Shutdown privilege we also check whether + * the caller has the Tcb privilege. The purpose is to allow only + * SYSTEM processes to "shutdown" the system on hard errors (BSOD) + * while forbidding regular processes to do so. This behaviour differs + * from Windows, where any user-mode process, as soon as it has the + * Shutdown privilege, can trigger a hard-error BSOD. + */ + if (!SeSinglePrivilegeCheck(SeTcbPrivilege, PreviousMode) || + !SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode)) { /* No rights */ *Response = ResponseNotHandled;
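Review bot: the two separate SeSinglePrivilegeCheck calls in the new condition could be collapsed into a single SePrivilegeCheck over a two-entry PRIVILEGE_SET with PRIVILEGE_SET_ALL_NECESSARY, so that one check covers both SeTcbPrivilege and SeShutdownPrivilege; as written, the short-circuit `||` means a caller that holds only SeShutdownPrivilege (which Windows would accept) is rejected on the Tcb check before its Shutdown privilege is ever examined, so any privilege-use audit records a Tcb failure rather than a Shutdown one. The NOTE comment does the right thing by recording the deliberate divergence from Windows; it would be worth adding one line stating that kernel-mode callers are unaffected, since SeSinglePrivilegeCheck returns TRUE when PreviousMode is KernelMode, which is what confines the restriction to user-mode hard errors as the commit subject says.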