Is there a point to this blatant behavior change?

Best regards,
Alex Ionescu

On Sun, Apr 1, 2018 at 3:04 PM, Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org> wrote:
https://git.reactos.org/?p=reactos.git;a=commitdiff;h=f0729b30bb79d6f538cf2b9578ff8ebe7989f8d3

commit f0729b30bb79d6f538cf2b9578ff8ebe7989f8d3
Author:     Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
AuthorDate: Sun Apr 1 14:46:19 2018 +0200
Commit:     Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
CommitDate: Sun Apr 1 22:39:31 2018 +0200

    [NTOSKRNL] Forbid processes without the Tcb privilege to perform a user-mode hard-error BSOD.
---
 ntoskrnl/ex/harderr.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ntoskrnl/ex/harderr.c b/ntoskrnl/ex/harderr.c
index 84f409a1bb..a5200e3e74 100644
--- a/ntoskrnl/ex/harderr.c
+++ b/ntoskrnl/ex/harderr.c
@@ -132,8 +132,18 @@ ExpRaiseHardError(IN NTSTATUS ErrorStatus,
     /* Check if this error will shutdown the system */
     if (ValidResponseOptions == OptionShutdownSystem)
     {
-        /* Check for privilege */
-        if (!SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode))
+        /*
+         * Check if we have the privileges.
+         *
+         * NOTE: In addition to the Shutdown privilege we also check whether
+         * the caller has the Tcb privilege. The purpose is to allow only
+         * SYSTEM processes to "shutdown" the system on hard errors (BSOD)
+         * while forbidding regular processes to do so. This behaviour differs
+         * from Windows, where any user-mode process, as soon as it has the
+         * Shutdown privilege, can trigger a hard-error BSOD.
+         */
+        if (!SeSinglePrivilegeCheck(SeTcbPrivilege, PreviousMode) ||
+            !SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode))
         {
             /* No rights */
             *Response = ResponseNotHandled;
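Review bot: the NOTE in this hunk overstates what the new condition enforces. Holding SeTcbPrivilege is not the same as being a SYSTEM process: the "act as part of the operating system" privilege can be granted to any account through local security policy, so "allow only SYSTEM processes" should read "allow only callers holding the Tcb privilege". Separately, because the two SeSinglePrivilegeCheck calls are joined with `||`, a caller that lacks SeTcbPrivilege never has SeShutdownPrivilege evaluated, and both failure cases collapse into the same "No rights" path; if the intent is that both privileges are required, a single SePrivilegeCheck over a PRIVILEGE_SET containing both, with PRIVILEGE_SET_ALL_NECESSARY, would state that requirement in one check instead of two ordered ones. Since the comment itself says this deliberately differs from Windows, the rationale belongs in the commit message as well, not only in a code comment.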