How to prep system for non standard shutdown using WinAPI and DLL calls?

[Decipher]

Please see this post

I've started try to code this but I'm having trouble with the DLL syntax and I'd like to be sure that the system is safe to power down before I force it to do so.

I've tried:

$iReturnValue = DllCall("advapi32.dll", "int", "RegFlushKey", "long", "HKEY_CLASSES_ROOT")
if @error Then MsgBox(0, "", "Fail!")
MsgBox(0, "Flush Home Key Classes Root", $iReturnValue)


$bReturnValue = DllCall("kernel32.dll", "BOOL", "FlushFileBuffers", "HANDLE", "\\.\" & @HomeDrive)
if @error Then MsgBox(0, "", "Fail!")
MsgBox(0, "Flush System Drive Cache", $iReturnValue);Should return 1=true or 0=false.

But I can't determine if these functions are working correctly. Any help is greatly appreciated like always.

[bogQ]

dllcall return array so instead $iReturnValue try $iReturnValue[0]

[JohnOne]

You might also want to take a look at what parameters the API's you are calling actually require , and what you are passing them.

[Decipher]

Thanks, I'll try it when I get home. I'm at work on Linux Backtrack.

Anonymous

[Decipher]

I'm still unsure wether the FlushRegistry function is working properly because I've never done DLL calls before and it returns the same no matter what registry key string(i.e. bla) is passed to it. The FlushSystemDriveCache function reports that I'm using an invalid handle...

#include <WinAPI.au3>

Global Const $ERROR_SUCCESS = 0
Global Const $KEY_ALL_ACCESS = 0xF003F

_FlushRegistry()
_FlushSystemDriveCache()

Func _FlushRegistry()
    Local Const $aHive[6] = [ _
        "HKEY_CLASSES_ROOT",  _
        "HKEY_CURRENT_CONFIG", _
       " HKEY_CURRENT_USER", _
       " HKEY_LOCAL_MACHINE", _
       " HKEY_PERFORMANCE_DATA", _
        "HKEY_USERS"]
    Local $aReturnValue
    For $i = 0 To 5 Step 1
        $aReturnValue = DllCall("advapi32.dll", "int", "RegFlushKey", "long", $aHive[$i])
        If @error Or $aReturnValue[0] <> 0 Then
            ConsoleWrite("ERROR! Could not flush " & $aHive[$i] & "! " & _WinAPI_GetLastErrorMessage() & @CRLF)
        EndIf
    Next
EndFunc

Func _FlushSystemDriveCache()
    Local $aReturnValue = DllCall("kernel32.dll", "BOOL", "FlushFileBuffers", "HANDLE", "\\.\" & @HomeDrive)
    If @error Or $aReturnValue[0] == 0 Then
        ConsoleWrite("ERROR! Could not flush the system drive. " & _WinAPI_GetLastErrorMessage() & @CRLF)
    EndIf
EndFunc

*Edit - to fix code indentations.

I just realized that I have to get a handle to the specified hive and pass that instead. This probably the case with the drive param as well.

Okay this is where I'm getting confused:

LONG WINAPI RegOpenKeyEx(
_In_     HKEY hKey,
_In_opt_ LPCTSTR lpSubKey,
_Reserved_ DWORD ulOptions,
_In_     REGSAM samDesired,
_Out_    PHKEY phkResult
);

What is _In_? Does it just mean that the value is passed to the function and _Out_ should set the value of a variable pointed to by a pointer variable, nothing more? Horrible semantics whats with all the __bla__ing in this diagram? How do I pass a pointer for phkResult? Should I just pass a predeclared variable? Are all the parameters following _In_opt_ also optional or are they mandatory? Does HKEY mean I should pass a handle because I'm using this to try and get a handle....How to pass NULL for an optional parameter is it a string "0" or what?

Anonymous

Edited April 6, 2013 by Decipher

[KaFu]

I think RegFlushKey & FlushFileBuffers only works for the files / keys you opened in your program (to ensure everything is flushed before you exit your app / before you begin the next processing step) and not globally for all keys and files.

But this might be interesting for you:

expandcollapse popup

#cs
    System Shutdown
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa376882%28v=vs.85%29.aspx

    WM_QUERYENDSESSION message
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa376890%28v=vs.85%29.aspx

    WM_ENDSESSION message
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa376889%28v=vs.85%29.aspx

    Application Shutdown Changes in Windows Vista
    http://msdn.microsoft.com/en-us/library/ms700677%28VS.85%29.aspx
#ce

Global Const $HWND_BROADCAST = 0xFFFF
Global Const $SMTO_ABORTIFHUNG = 0x0002

Global Const $WM_QUERYENDSESSION = 0x0011
Global Const $WM_ENDSESSION = 0x0016

Global Const $iENDSESSION_CRITICAL = 0x40000000

_WinAPI_SendMessageTimeout($HWND_BROADCAST, $WM_QUERYENDSESSION, 0, $iENDSESSION_CRITICAL, 1000, $SMTO_ABORTIFHUNG)

_WinAPI_SendMessageTimeout($HWND_BROADCAST, $WM_ENDSESSION, 1, $iENDSESSION_CRITICAL, 1000, $SMTO_ABORTIFHUNG)

; #FUNCTION# ====================================================================================================================
; Name...........: _WinAPI_SendMessageTimeout
; Description....: Sends the specified message to one of more windows.
; Syntax.........: _WinAPI_SendMessageTimeout ( $hWnd, $iMsg [, $wParam [, $lParam [, $iTimeout [, $iFlags]]]] )
; Parameters.....: $hWnd     - Handle to the window whose window procedure will receive the message.
;                $iMsg  - The message to be sent.
;                $wParam   - The message-specific information.
;                $lParam   - The message-specific information.
;                $iTimeout - The duration, in milliseconds, of the time-out period. If the message is a broadcast message, each
;                            window can use the full time-out period. Default is 1000.
;                $iFlags   - The flags that specifies how to send the message. This parameter can be one or more of the
;                            following values.
;
;                            $SMTO_BLOCK
;                            $SMTO_NORMAL
;                            $SMTO_ABORTIFHUNG
;                            $SMTO_NOTIMEOUTIFNOTHUNG
;                            $SMTO_ERRORONEXIT
;
; Return values..: Success   - The result of the message processing, depends on the message sent.
;                Failure   - (-1) and sets the @error flag to non-zero.
; Author.........: Yashied
; Modified.......:
; Remarks........: This function does not provide information about individual windows timing out if $HWND_BROADCAST is used.
;
;                If times out, function fails. To get extended error information, call _WinAPI_GetLastError(). If _WinAPI_GetLastError()
;                returns ERROR_TIMEOUT (1460), then the function timed out. This function considers a thread is not responding if it has
;                not responds within five seconds.
;
;                The system only does marshalling for system messages (those in the range 0 to (WM_USER-1)). To send other messages
;                (those >= WM_USER) to another process, you must do custom marshalling.
; Related........:
; Link...........: @@MsdnLink@@ SendMessageTimeout
; Example........: Yes
; ===============================================================================================================================

Func _WinAPI_SendMessageTimeout($hWnd, $iMsg, $wParam = 0, $lParam = 0, $iTimeout = 1000, $iFlags = 0)

    Local $Ret = DllCall('user32.dll', 'lresult', 'SendMessageTimeoutW', 'hwnd', $hWnd, 'uint', $iMsg, 'wparam', $wParam, 'lparam', $lParam, 'uint', $iFlags, 'uint', $iTimeout, 'dword_ptr*', 0)

    If (@error) Or (Not $Ret[0]) Then
        Return SetError(1, 0, -1)
    EndIf
    Return $Ret[7]
EndFunc   ;==>_WinAPI_SendMessageTimeout

Edited April 6, 2013 by KaFu

[Decipher]

Yes, it is interesting. This is the same message that is broadcasted to services, CLI, and GUI based applications during a shutdown? However there are some undefined variables. Could you elaborate on what I'm doing wrong with the UDF?

*Edit - RegFlushKey documentation states that windows has a lazy flush mechanism to enhance system operations as this process is expensive and that those changes that an application makes are visible to other applications. I may be presuming to much about Microsoft's intelligence but if the unflushed changes are visible to other processes and vice versa then wouldn't it be safe to say that these changes are in sync with other processes i.e. just one queue so that when one application forces the flush the only visible current change between them is written to disk. If this is true then I would assume that this means that when a key is flushed to disk that the process that called the function is irrelevant and that when specifying an entire hive unless a process is actively making changes to that hive, all is well and in sync.

Concerning FileFlushBuffers MSDN states: To flush all open files on a volume, call FlushFileBuffers with a handle to the volume. The caller must have administrative privileges. For more information, see Running with Special Privileges. I think this tells the device's cache to be written to disk which is also process irrelevant unless a process is using an unbuffer I/O stream which in that case the process needs to be told to finish what its doing using the function you provided above.

Here is the code to flush the system drive's transmit buffer:

Func _FlushSystemDriveCache()
    Local Const $hSystemVolume = _WinAPI_CreateFile("\\.\" & @HomeDrive, 2, 4, 4, 8)
    If $hSystemVolume Then
        Return _WinAPI_FlushFileBuffers($hSystemVolume)
    Else
        ConsoleWrite("ERROR! Could not retrieve a handle to the system volume." & @CRLF)
    EndIf
EndFunc

MsgBox(0, "Should Return True or 1 for success", _FlushSystemDriveCache())

Exit

Anonymous

Edited April 6, 2013 by Decipher

[KaFu]

You might be right about the FlushFileBuffers, without documentation the assumption on RegFlushKey stays exactly that. Updated example two posts above with missing consts.

#RequireAdmin

$iSuccess = _Drive_FlushFileBuffers("c")
MsgBox(0, "", $iSuccess & @CRLF & @error)

Func _Drive_FlushFileBuffers($DriveLetter)

    Local $ret = DllCall("kernel32.dll", 'ptr', 'CreateFileW', _
            'wStr', '\\.\' & $DriveLetter & ':', _
            'dword', BitOR(0x40000000, 0x80000000), _
            'dword', 7, _
            'ptr', 0, _
            'dword', 3, _
            'dword', 0, _
            'ptr', 0 _
            )

    If @error Then Return SetError(1)
    If $ret[0] = 0xFFFFFFFF Then Return SetError(2)
    Local $ret2 = DllCall("kernel32.dll", "int", "FlushFileBuffers", "ptr", $ret[0])
    If $ret2[0] = 0 Then
        DllCall("kernel32.dll", 'int', 'CloseHandle', 'hwnd', $ret[0])
        Return SetError(3)
    EndIf
    DllCall("kernel32.dll", 'int', 'CloseHandle', 'hwnd', $ret[0])
    Return 1
EndFunc   ;==>_Drive_FlushFileBuffers

[Decipher]

KaFu,

I just ran the code to broadcast the WMQueryEndSession message and it worked like a charm!

Now you show me how to pass a null value(ptr = 0) and also how to combine multiple dword flags using BitOr.....

Question: In your HO, If we broadcat EndSession, set a timeout then kill other nonessential processes, flush the registry, and flush system drive cache then would it be okay to terminate the system processes to force a power down when an emergency shutdown doesn't do the job?

Thanks,

Anonymous

Edited April 6, 2013 by Decipher

[KaFu]

Well, I would guess that pretty much is done then. Everything essential? I don't know, only Microsoft could tell. Everything the proper way? No, that's what the Shutdown() function is for.

[Decipher]

I can't seem to find anything that says explicitly that RegFlushKey is used during the shutdown procedure. I did however find some information for clearing that paging file or maybe just deleting it and its registration which isn't what we want. It can be deleted using WMI but I keep getting a sharing violation.

; Generated by AutoIt Scriptomatic

$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""
$strComputer = "localhost"

$Output=""
$Output = $Output & "Computer: " & $strComputer & @CRLF
$Output = $Output & "==========================================" & @CRLF
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_PageFile", "WQL", _
                                         $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

If IsObj($colItems) then
For $objItem In $colItems
MsgBox(0, "Change", $objItem.ChangeSecurityPermissions(0x10000, 1)) ; Comment this line to get past the intial object error.
MsgBox(0, "Check", $objItem.GetEffectivePermission(0x10000))
     MsgBox(0, "Delete", $objItem.Delete())
     if Msgbox(1,"WMI Output",$Output) = 2 then ExitLoop
     $Output=""
Next
Else
Msgbox(0,"WMI Output","No WMI Objects Found for class: " & "Win32_PageFile" )
Endif

*Edit - Added Link ---> Delete Method of the Win32_PageFile Class and see the links @ SECURITY DESCRIPTOR STRUCTURE directly below --> (See Also)

*Edit #2 - Here is the alleged code to flush the registry similar to whats done when the system is being shutdown but there is not any documentation to support the theory.

#include <WinAPI.au3>

Global Const $ERROR_SUCCESS = 0
Global Const $KEY_ALL_ACCESS = 983103

; ----Verified Handles -------------------------------------------------------------------------------------------------------------------------------------------
Global Enum $HKEY_CLASSES_ROOT, $HKEY_CURRENT_USER, $HKEY_LOCAL_MACHINE, $HKEY_USERS, _
    $HKEY_PERFORMANCE_DATA, $HKEY_CURRENT_CONFIG
Global Const $HKEY_HANDLES[6] = [0x80000000, 0x80000001, 0x80000002, 0x80000003, 0x80000004, 0x80000005]
; _______________________________________________________________________________________________

_FlushRegistry()

Func _FlushRegistry()
    Local $aReturnValue
    For $i = 0 To 5 Step 1
        $aReturnValue = DllCall("advapi32.dll", "int", "RegFlushKey", "dword", $HKEY_HANDLES[$i])
        If @error Or $aReturnValue[0] <> $ERROR_SUCCESS Then
            MsgBox(0, "", "ERROR! Could not flush hive at " & $HKEY_HANDLES[$i]  & _WinAPI_GetLastErrorMessage() & @CRLF)
        EndIf
        ConsoleWrite("Hive #" & $i & " Returned: " & $aReturnValue[0] & @TAB & "handle = " & $aReturnValue[1] & @CRLF)
    Next
EndFunc

Exit

Edited April 6, 2013 by Decipher

[BrewManNH]

From here:

Alternatively, the registry has a 'lazy flush' mechanism that flushes registry modifications to disk at regular intervals of time. In addition to this regular flush operation, registry changes are also flushed to disk at system shutdown. Allowing the 'lazy flush' to flush registry changes is the most efficient way to manage registry writes to the registry store on disk.

[Decipher]

BrewManNH,

There is a small controversy about the RegFlushKey API. Do you know of any documentation to support the theory that it is the specific function that is used during the shutdown procedure? This leads some to think that it is only process specific and is a fair conclusion.

*Edit -

KaFu,

This may be to low level bro but do you think that we could broadcast IRP_MJ_SHUTDOWN.

Anonymous

Edited April 6, 2013 by Decipher

[KaFu]

This may be to low level bro but do you think that we could broadcast IRP_MJ_SHUTDOWN.

From the docs itself I can see that it's really low level, but not what it exactly does. But my assumption is that you can really do some sever damage using this one incorrectly, so I would advise to not investigate this one further.

[BrewManNH]

I'm not understanding what possible difference it could make whether it uses this function or another to flush the registry to disk. I'm also not understanding why you think forcing a shutdown is a good practice. If you just use the facilities that are available to shut the computer down safely you can eliminate doing something stupid to the OS.

[Decipher]

KaFu,

I figured as much, thanks for checking it out though.

Anonymous