"Privilege not held" error with PowerShell "stop-computer" command and power management methods in the Win32_OperatingSystem class: Workaround after April 2017 security updates from CVE-2017-0160


Summary


After you apply the April 2017 security updates described in Microsoft security update guidance CVE-2017-0160, the PowerShell v3.0+ stop-computer command fails. Additionally, if applications use power management methods, such as shutdown or reboot, from the Win32_OperatingSystem class and set the EnablePrivileges attribute to true, they may observe the same failure. A "Privilege not held" error message is returned.

More information


Symptoms for Issue 1

Customers who try to turn off or restart a system, either local or remote, by using the stop-computer command on PowerShell v3.0 and later, will see the following error:

stop-computer : Privilege not held.

At line:1 char:1

+ stop-computer

+ ~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (<COMPUTERNAME>:String) [Stop-Computer], ManagementE

+ FullyQualifiedErrorId : StopComputerException,Microsoft.PowerShell.Commands.StopComputerCommand

Workaround for Issue 1

To work around this issue, run the following “shutdown.exe” command to execute power-down and restart operations on local or remote systems:

shutdown.exe [-r] [-s] [-m \\computer]

For more information and command help, run:

shutdown.exe -?

Symptoms for Issue 2

Customer applications using power management methods, such as shutdown or reboot, from the Win32_OperatingSystem class and set the EnablePrivileges attribute to true, may observe the same “Privilege not held” error.

  • Example 1 (PowerShell) returns “Privilege not held” error:
     
    $computername= "."$win32OS = get-wmiobject win32_operatingsystem -computername $computername$win32OS.psbase.Scope.Options.EnablePrivileges = $true$win32OS.reboot() 
    • Example 2 (C# code) returns “Privilege not held” error:
       
      [STAThread]static void Main(string[] args){	ManagementClass mgmtObject = new ManagementClass("Win32_OperatingSystem");	foreach (ManagementObject iterMgmtObject in mgmtObject.GetInstances())	{		iterMgmtObject.Scope.Options.EnablePrivileges = true;		iterMgmtObject.InvokeMethod("Reboot", null, null);	}}

Workaround for Issue 2

  • For Example 1 (PowerShell):
     
    $computername= "."$win32OS = get-wmiobject win32_operatingsystem -computername $computername -EnableAllPrivileges$win32OS.reboot()
  • For Example 2 (C# code):
     
    using System;using System.Collections.Generic;using System.Linq;using System.Management;using System.Text;using System.Threading.Tasks;namespace ConsoleApplication{    public class Program    {        static void Main(string[] args)        {            var mgmtScope = new ManagementScope(                ManagementPath.DefaultPath,                new ConnectionOptions()                {                    EnablePrivileges = true                });            var mgmtClass = new ManagementClass(mgmtScope, new ManagementPath("Win32_OperatingSystem"), null);            foreach (ManagementObject mgmtInst in mgmtClass.GetInstances())            {                var mgmtCallResult = mgmtInst.InvokeMethod("Reboot", null, null);                Console.Out.WriteLine("Reboot() Return Value: {0}", mgmtCallResult["ReturnValue"]);            }        }    }}

Resolution


Resolution for Issue 1

To resolve this problem, install the update in the table below according to your system.

Operating System

Update

Windows Server 2008

For the .NET Framework 2.0, install update 4020511

For the .NET Framework 4.5.2, install update 4020507

For the .NET Framework 4.6, install update 4020503

Windows 7 and Windows Server 2008 R2

For the .NET Framework 3.5.1, install update 4020513

For the .NET Framework 4.5.2, install update 4020507

For the .NET Framework 4.6 or 4.6.1, install update 4020503

For the .NET Framework 4.6.2, install update 4020500

Windows Server 2012

For the .NET Framework 3.5, install update 4020512

For the .NET Framework 4.5.2, install update 4020506

For the .NET Framework 4.6 or 4.6.1, install update 4020501

For the .NET Framework 4.6.2, install update 4020498

Windows 8.1 and Windows Server 2012 R2

For the .NET Framework 3.5, install update 4020514

For the .NET Framework 4.5.2, install update 4020505

For the .NET Framework 4.6 or 4.6.1, install update 4020502

For the .NET Framework 4.6.2, install update 4020499

Windows 10 RTM

Install update 4019474

Windows 10 version 1511

Install update 4019473

Windows 10 version 1607, and Windows Server 2016

Install update 4019472

Windows 10 version 1703

Install update 4016871

Resolution for Issue 2

To resolve this problem, install the update in the table below according to your system.

Product Version

Preview of Quality Rollup KB

Windows 10 Update 1703 (RS2)
Windows Server 2016
Catalog
4034674
.NET Framework 3.5 Catalog
4038788
.NET Framework 4.7 4034674

Windows 10 Update 1607
Windows Server 2016


 

.NET Framework 3.5

Catalog
4034661

.NET Framework 4.6.2 and 4.7

Catalog
4034658

Windows 8.1
Windows RT 8.1
Windows Server 2012 R2

Catalog
4035038

.NET Framework 3.5

4033997

.NET Framework 4.5.2

4033991

.NET Framework 4.6, 4.6.1, 4.6.2, 4.7

4033989

Windows Server 2012

Catalog
4035037

.NET Framework 3.5

4033995

.NET Framework 4.5.2

4033992

.NET Framework 4.6, 4.6.1, 4.6.2, 4.7

4033988

Windows 7
Windows Server 2008 R2

Catalog
4035036

.NET Framework 3.5.1

4033996

.NET Framework 4.5.2

4033993

.NET Framework 4.6, 4.6.1, 4.6.2, 4.7

4033990

Windows Server 2008

Catalog
4035039

.NET Framework 2.0

4033994

.NET Framework 4.5.2

4033993

.NET Framework 4.6

4033990

Applies to


This article applies to the following products, as described in the Affected Products section of CVE-2017-0160:

Microsoft .NET Framework 2.0, 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on all supported versions of Windows running PowerShell 3.0 and later versions.