While this has application in protecting a system from rogue or trojan apps, supposedly a shutdown privilege would be something granted manually by a SYSTEM level process that is trusted, so that if the system is not recoverable a graceful shutdown can be attempted with minimal process switching; which might make things worse. If that can be bypassed so a virus could exploit it, that's the API I'd look to change, not so much at the point of this diff. Also, the code is double calling the ShutdownPrivelege check where only the first appears necessary, unless there's a significant chance of a task switch.

------ Original message------
From: Alex Ionescu
Date: Sun, Apr 1, 2018 10:22 PM
To: ReactOS Development List;Hermès Bélusca-Maïto;
Cc: Linda Wang;
Subject:Re: [ros-dev] [ros-diffs] 02/08: [NTOSKRNL] Forbid processes without the Tcb prvilege to perform a user-mode hard-error BSOD.

Is there a point to this blatant behavior change?

Best regards,
Alex Ionescu

On Sun, Apr 1, 2018 at 3:04 PM, Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org> wrote:
https://git.reactos.org/?p=reactos.git;a=commitdiff;h=f0729b30bb79d6f538cf2b9578ff8ebe7989f8d3

commit f0729b30bb79d6f538cf2b9578ff8ebe7989f8d3
Author:     Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
AuthorDate: Sun Apr 1 14:46:19 2018 +0200
Commit:     Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
CommitDate: Sun Apr 1 22:39:31 2018 +0200

    [NTOSKRNL] Forbid processes without the Tcb prvilege to perform a user-mode hard-error BSOD.
---
 ntoskrnl/ex/harderr.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ntoskrnl/ex/harderr.c b/ntoskrnl/ex/harderr.c
index 84f409a1bb..a5200e3e74 100644
--- a/ntoskrnl/ex/harderr.c
+++ b/ntoskrnl/ex/harderr.c
@@ -132,8 +132,18 @@ ExpRaiseHardError(IN NTSTATUS ErrorStatus,
     /* Check if this error will shutdown the system */
     if (ValidResponseOptions == OptionShutdownSystem)
     {
-        /* Check for privilege */
-        if (!SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode))
+        /*
+         * Check if we have the privileges.
+         *
+         * NOTE: In addition to the Shutdown privilege we also check whether
+         * the caller has the Tcb privilege. The purpose is to allow only
+         * SYSTEM processes to "shutdown" the system on hard errors (BSOD)
+         * while forbidding regular processes to do so. This behaviour differs
+         * from Windows, where any user-mode process, as soon as it has the
+         * Shutdown privilege, can trigger a hard-error BSOD.
+         */
+        if (!SeSinglePrivilegeCheck(SeTcbPrivilege, PreviousMode) ||
+            !SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode))
         {
             /* No rights */
             *Response = ResponseNotHandled;