Why does Windows still have the BSOD on Ctrl+Scroll+Scroll "feature"?

While Windows XP came out I heard about a testing feature that existed to manually cause a BSOD (Blue Screen Of Death). I also heard this was supposed to be removed in XP Service Pack 2. It didn't get removed, it's also in Vista and Windows 7. To Enable this navigate to this location in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

and add CrashOnCtrlScroll as a REG_DWORD with the value of 1.

Now reboot and Press Ctrl+Scroll Lock+Scroll Lock, and you get a BSOD.

Why is this feature still here?

Kredns

Posted 2009-07-27T19:42:07.573

Reputation: 2 857

3I think you'll need to ask Microsoft about that one. – DLH – 2009-07-27T19:45:06.070

19Since it requires a mandatory registry hack, I don't think there's a downside to leaving it in the system. Nobody's likely to trigger it by mistake. – sangretu – 2009-07-27T19:57:08.213

Will the key sequence also work if triggered from an RDP session? – Axxmasterr – 2009-07-27T20:16:14.010

@Axxmasterr: I'm pretty sure it would, but I haven't tested it myself. – Kredns – 2009-07-27T21:45:11.850

This is probably how apple did this: http://gizmodo.com/assets/resources/2007/10/171953dc7.jpeg

– Harley Watson – 2009-07-27T22:31:23.207

That is one thing I hate about Apple... not only they use a BSOD screenshot for a (nowadays) pretty stable OS, they even use an outdated one (probably from 98 or ME). (My friend, who is a 100% Linux user, likes Windows 7. That says something.) – user1686 – 2009-07-28T06:55:08.787

4Since it has a legitimate use case that matters to the people who actually write and debug the kernel and device drivers, I wouldn't expect to see it removed. Enabling it requires write access to HKLM, and even if enabled all you get is a BSOD. – RBerteig – 2009-07-28T22:52:37.847

2@Axxmaster: No, it won't since the key sequence is implemented in the device drivers for keyboards. Those aren't needed or even used in an RDP session. – Joey – 2010-05-03T19:24:30.023

It didn't work for USB keyboards until Windows 7. – Jamie Hanrahan – 2016-02-18T00:02:44.320

I tried it on Windows XP SP3 with USB keyboard (I added CrashOnCtrlScroll value to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters key) and it didn't work. – Piotr Dobrogost – 2011-09-29T11:53:56.900

Answers

It's there to allow a break into the Kernel Debugger or generate a kernel-mode dump file. Typically an expert would want to do this when the OS looks locked up and won't even respond to CTRL+ALT+DELETE in order to get the dump file and investigate it for which driver is having trouble.

It's logically equivelent to calling the kernel API KeBugCheck with bugcheck 0xE2 (MANUALLY_INITIATED_CRASH). Also note that the reg values can be set in different reg keys for the USB (kbdhid) keyboard driver versus the ps2 (i8042prt) driver. There is more information on that and customizing which keystoke is used in KB Article 244139.

Since this is implemented in the actual keyboard drivers, I don't expect this would work from and RDP session even if it was enabled.

Ari Pernick

Posted 2009-07-27T19:42:07.573

Reputation: 1 458

1It's also there for hardware and driver developers who need to trap into the debugger at a certain point. And I definitely think this should be the accepted answer. – Joey – 2010-05-03T19:25:10.117

If we're generous, could it perhaps be used as an over-enthusiastic way of forcing a crash dump for manually investigating the system state? (primarily for debugging)

OK - a pretty weird way to do it, but...

Marc Gravell

Posted 2009-07-27T19:42:07.573

Reputation: 1 419

7That is being very generous indeed. It might be a method that was intended to allow software to crash the system to "stop the bleeding" in case of a serious compromise. Forcing the system to shut down would prevent anyone from stealing data. – Axxmasterr – 2009-07-27T20:18:05.927

Let's call it an easter egg.

Congratulations.....you found it!

DLH

Posted 2009-07-27T19:42:07.573

Reputation: 579

It sounds like something that wasn't worth the time and effort to remove from the codebase.

Jeffrey

Posted 2009-07-27T19:42:07.573

Reputation: 2 600

No, it was kept because it is an invaluable diagnostic function. – Synetech – 2016-02-05T23:00:07.283

This sounds like a fun practical joke, really.

spoulson

Posted 2009-07-27T19:42:07.573

Reputation: 1 420

5I used to use it a school when my teacher was coming and I was playing a fullsceen game. – Kredns – 2009-07-27T21:44:23.083

@Lucas: Wait, you have administrator access in a place where you're a student? :O – Joey – 2010-05-03T19:25:44.093

@Johannes: Yes. It was very lax. – Kredns – 2010-05-03T21:11:16.293

spoulson, obviously you are not a programmer, or at least not a low-level debugger. – Synetech – 2016-02-05T23:01:02.933

I'd imagine Microsoft performs unit testing on their OS before releasing updates etc. Presumably one of the tests would be to see if BSOD still behaves as it should. It also makes sense to run unit tests on the real active code-version for a more reliable test.

Vdex

Posted 2009-07-27T19:42:07.573

Reputation: 1 468

This has use for users (well, programmers). – Synetech – 2016-02-05T23:01:37.307

You should watch Mark Russinovich's videos where he shows how to diagnose system hangs with this "feature". I think it was just set to off in SP2, not removed.

kpierce8

Posted 2009-07-27T19:42:07.573

Reputation: 342