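#requires -version 5.1
# Forced shutdown in 30 seconds with on-screen message.
# Works from 32-bit PowerShell on 64-bit Windows. Run as Administrator.
#
# Operational notes:
#   * /f force-closes running applications, so unsaved user work is lost.
#   * A pending shutdown can be cancelled during the countdown with `shutdown /a`.
#   * Exit code: 1 when not elevated or when shutdown.exe cannot be found,
#     otherwise the exit code returned by shutdown.exe (0 on success).

$Message        = 'Shutdown by Tanium'
$TimeoutSeconds = 30

# Admin check: refuse to continue unless the current token is in the
# built-in Administrators role.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
    Write-Error 'Run this script as Administrator.'
    exit 1
}

# Pick correct shutdown.exe (Sysnative when 32-bit PS on 64-bit OS).
# Returns the full path as a string; it does not verify that System32\shutdown.exe exists.
function Get-ShutdownExePath {
    # NOTE(review): both candidates are built from $env:WINDIR. This script runs
    # elevated, so the process environment must come from a trusted launcher;
    # confirm how the deployment tool populates it.
    $sysnative = Join-Path $env:WINDIR 'Sysnative\shutdown.exe'
    $system32  = Join-Path $env:WINDIR 'System32\shutdown.exe'

    $is32On64 = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
    if ($is32On64 -and (Test-Path $sysnative)) {
        return $sysnative
    }
    return $system32
}

$exe = Get-ShutdownExePath

# Fail with a clear message instead of a command-not-found error if the
# resolved binary is missing.
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    Write-Error "shutdown.exe not found at '$exe'."
    exit 1
}

# Optional trace in Event Log. This is the only local record that the script
# initiated the shutdown, so a failure is reported as a warning rather than
# swallowed; it stays non-fatal and the shutdown is still scheduled.
try {
    $src = 'Tanium-Shutdown-PS'
    if (-not [System.Diagnostics.EventLog]::SourceExists($src)) {
        New-EventLog -LogName Application -Source $src -ErrorAction SilentlyContinue
    }
    Write-EventLog -LogName Application -Source $src -EntryType Information -EventId 10011 -Message $Message
} catch {
    Write-Warning "Event log trace failed: $($_.Exception.Message)"
}

# Schedule forced shutdown with 30s countdown and message
& $exe /s /f /t $TimeoutSeconds /c $Message

# Propagate shutdown.exe's status so the caller can tell whether the
# shutdown was actually scheduled.
$rc = $LASTEXITCODE
if ($rc -ne 0) {
    Write-Error "shutdown.exe exited with code $rc; the shutdown may not have been scheduled."
}
exit $rc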