PsShutdown is a command-line utility similar to the shutdown utility from the Windows 2000 Resource Kit, but with the ability to do much more. In addition to supporting the same options for shutting down or rebooting the local or a remote computer, PsShutdown can logoff the console user or lock the console (locking requires Windows 2000 or higher). PsShutdown requires no manual installation of client software.
name: Windows.Sysinternals.PSShutdown
description: |
PsShutdown is a command-line utility similar to the shutdown utility from the Windows 2000 Resource Kit, but with the ability to do much more. In addition to supporting the same options for shutting down or rebooting the local or a remote computer, PsShutdown can logoff the console user or lock the console (locking requires Windows 2000 or higher). PsShutdown requires no manual installation of client software.
author: Ian Boje
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT or NOTEBOOK
type: CLIENT
parameters:
- name: Action
default: Reboot
type: choices
choices:
- Abort
- Suspend
- Hybernate
- Poweroff
- Lock
- Logoff console user
- Reboot
- Shutdown without poweroff
- Turn off monitor
- name: time
default: 30
description: -t Can be either seconds, or 24 hour clock
- name: abortable
type: bool
description: -c Allows user to cancel shutdown
default: Y
- name: force
type: bool
description: -f Forces all running applications to exit during the shutdown instead of giving them a chance to gracefully save their data.
- name: message
description: -m This option lets you specify a message to display to logged-on users when a shutdown countdown commences.
- name: msgtime
description: -v Display message for the specified number of seconds before the shutdown. If set to 0, no dialog will be displayed.
tools:
- name: PSShutdown64
url: https://live.sysinternals.com/tools/psshutdown64.exe
serve_locally: true
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET PSShutdown64bin <= select * from Artifact.Generic.Utils.FetchBinary(ToolName="PSShutdown64")
LET ActionArg <= "-r" -- Default if nothing matches
LET ActionArg <= if(condition=Action="Suspend", then="-d", else=ActionArg)
LET ActionArg <= if(condition=Action="Hybernate", then="-h", else=ActionArg)
LET ActionArg <= if(condition=Action="Poweroff", then="-k", else=ActionArg)
LET ActionArg <= if(condition=Action="Logoff console user", then="-o", else=ActionArg)
LET ActionArg <= if(condition=Action="Reboot", then="-r", else=ActionArg)
LET ActionArg <= if(condition=Action="Shutdown without poweroff", then="-s", else=ActionArg)
LET args <= (
PSShutdown64bin[0].OSPath,
"-accepteula",
ActionArg,
"-t",
time,
if(condition=message, then="-m", else=""),
if(condition=message, then=message, else=""),
if(condition=abortable, then="-c", else=""),
if(condition=force, then="-f", else=""),
if(condition=msgtime, then="-v", else=""),
if(condition=msgtime, then=msgtime, else="")
)
-- abort -a deletes all other switches
LET args <= if(condition=Action="Abort", then=(PSShutdown64bin[0].OSPath, "-a"), else=args)
-- so does lock -l
LET args <= if(condition=Action="Lock", then=(PSShutdown64bin[0].OSPath, "-l"), else=args)
-- monitor shutdown too
LET args <= if(condition=Action="Turn off monitor", then=(PSShutdown64bin[0].OSPath, "-x"), else=args)
LET args <= filter(list=args, regex=".+")
SELECT *, args as command FROM execve(argv=args)