I was clicking around via an RDP session on a Windows server and managed to kill the LSASS process (note to myself: next time pause the view of ProcessExplorer before killing processes!). The one minute till reboot screen promptly appeared and my first reflex was to stop the countdown (this is a trick which came in handy back when the lsass-killing worm was making the rounds). So I typed:
My next step was to try to restart Windows (having no Local Security Authority process is not the best situation to be in). However I quickly found that:
- The shutdown command wasn’t working
- ProcessExplorer could not restart the computer because it was trying to aquire the shutdown privilege dynamically, and given that no lsass process existed, it failed
I also tried to start the lsass process, but to no avail.
My option was to wait until somebody shows up on site (which could take a couple of hours) or to do something else. Naturally I decided to do something else :-).
I remembered this source code which uses an undocumented API call to change the IOPL level of the process (meaning that you can read/write from/to the ports from user mode) and then uses the keyboard controller to create a hardware reset. Don’t do this at home 🙂
After compiling it, the first hurdle was to get it on the machine. LSASS not running, file shares were not working, but fortunatly I had access to a FTP server and used the command line FTP client to download the executable.
The second problem was to create a session with SeTcbPrivilege. Doing as described on the page was not really feasible (without LSASS the user management wasn’t really working and even if it were, I’m not sure that I could have logged back in). So I started CMD.EXE with the SYSTEM account, with the method described here, at which point I already had the required privileges.
The final problem was that the program contained code to aquire the privilege and checked for the return code. This call of course failed, not because I didn’t have the privilege, but because LSASS was not running. So I removed the error checking code, and voila!
The connection went silent, and I waited and waited and waited wondering if I did the right thing. After about four minutes the machine came back up. W00t! But as I said earlier: don’t try this at home!