"Privilege not held" error with PowerShell "stop-computer" command and power management methods in the Win32_OperatingSystem class: Workaround after April 2017 security updates from CVE-2017-0160

After you apply the April 2017 security updates described in Microsoft security update guidance CVE-2017-0160, the PowerShell v3.0+ stop-computer command fails. Additionally, if applications use power management methods, such as shutdown or reboot, from the Win32_OperatingSystem class and set the EnablePrivileges attribute to true, they may observe the same failure. A "Privilege not held" error message is returned.

Symptoms for Issue 1

Customers who try to turn off or restart a system, either local or remote, by using the stop-computer command on PowerShell v3.0 and later, will see the following error:

stop-computer : Privilege not held.

At line:1 char:1

+ stop-computer

+ ~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (<COMPUTERNAME>:String) [Stop-Computer], ManagementE

+ FullyQualifiedErrorId : StopComputerException,Microsoft.PowerShell.Commands.StopComputerCommand

Workaround for Issue 1

To work around this issue, run the following “shutdown.exe” command to execute power-down and restart operations on local or remote systems:

shutdown.exe [-r] [-s] [-m \\computer]

For more information and command help, run:

shutdown.exe -?

Symptoms for Issue 2

Customer applications using power management methods, such as shutdown or reboot, from the Win32_OperatingSystem class and set the EnablePrivileges attribute to true, may observe the same “Privilege not held” error.

• Example 1 (PowerShell) returns “Privilege not held” error:
   

  $computername= "."
  $win32OS = get-wmiobject win32_operatingsystem -computername $computername
  $win32OS.psbase.Scope.Options.EnablePrivileges = $true
  $win32OS.reboot() 

  • Example 2 (C# code) returns “Privilege not held” error:
     

    [STAThread]
    static void Main(string[] args)
    {
    	ManagementClass mgmtObject = new ManagementClass("Win32_OperatingSystem");
    	foreach (ManagementObject iterMgmtObject in mgmtObject.GetInstances())
    	{
    		iterMgmtObject.Scope.Options.EnablePrivileges = true;
    		iterMgmtObject.InvokeMethod("Reboot", null, null);
    	}
    }
    
    
    

Workaround for Issue 2

• For Example 1 (PowerShell):
   

  $computername= "."
  $win32OS = get-wmiobject win32_operatingsystem -computername $computername -EnableAllPrivileges
  $win32OS.reboot()

• For Example 2 (C# code):
   

  using System;
  using System.Collections.Generic;
  using System.Linq;
  using System.Management;
  using System.Text;
  using System.Threading.Tasks;
  
  namespace ConsoleApplication
  {
      public class Program
      {
          static void Main(string[] args)
          {
              var mgmtScope = new ManagementScope(
                  ManagementPath.DefaultPath,
                  new ConnectionOptions()
                  {
                      EnablePrivileges = true
                  });
  
              var mgmtClass = new ManagementClass(mgmtScope, new ManagementPath("Win32_OperatingSystem"), null);
  
              foreach (ManagementObject mgmtInst in mgmtClass.GetInstances())
              {
                  var mgmtCallResult = mgmtInst.InvokeMethod("Reboot", null, null);
                  Console.Out.WriteLine("Reboot() Return Value: {0}", mgmtCallResult["ReturnValue"]);
              }
          }
      }
  
  }
  

Resolution for Issue 1

To resolve this problem, install the update in the table below according to your system.

Resolution for Issue 2

To resolve this problem, install the update in the table below according to your system.

This article applies to the following products, as described in the Affected Products section of CVE-2017-0160:

Microsoft .NET Framework 2.0, 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on all supported versions of Windows running PowerShell 3.0 and later versions.