How to cause a BSOD on Windows XP and newer versions?

14

4

Is there a way to programmatically cause a BSOD on Windows XP and newer versions? How?

BTW just to clarify, this is not for malicious purposes. The client requested to be able to shut down/reboot a terminal on their LAN this way. When I asked why, they said because it's faster than a normal reboot... :)

(I'm curious which part of "programmatically" do those people not understand who migrated this to Super User. Duh.)

Tamás Szelei

Posted 2011-03-04T14:02:14.660

Reputation: 691

18 If you find one that doesn't involve writing a driver, notify Microsoft so they can fix it. – Erik – 2011-03-04T14:05:01.643

3 Try this from Mark Russinovich. – David Heffernan – 2011-03-04T14:10:05.107

13 Um. It's faster than a normal reboot for a reason - it doesn't necessarily shut down gracefully. If you have a program that shuts down really slowly then it might not be a problem to interrupt it. If you forcibly shut down or abandon anything too close to I/O hardware then you could end up with corrupted filesystems etc. Consider it equivalent to a network-controlled means of cycling the power (which I presume are available for sale, and might solve your problem about as well...) – None – 2011-03-04T14:20:48.653

12 Your client needs to be institutionalized and his mental conditions followed by a medical team more closely. – Darin Dimitrov – 2011-03-04T14:21:50.923

9 Ambulances are also generally faster than driving your own car to the hospital. That doesn't make it the preferred mode of travel. – FreeAsInBeer – 2011-03-04T14:40:07.897

8 Tell your client to press and hold the power button for 6 seconds. Or just jerk the power cord, that's quicker. – Hans Passant – 2011-03-04T15:03:13.583

I told him it's a crazy idea, that it might harm the hardware etc, but he still wants it. He pays for it, I'll do it, if possible. I did everything in my power to make sure he understands the consequences, and I think he does. – Tamás Szelei – 2011-03-04T15:07:12.337

1 @Tamás: Why can't he do as Hans Passant suggests? – Andreas Rejbrand – 2011-03-04T17:43:05.020

Is your client happy to install a device driver?! – David Heffernan – 2011-03-04T18:32:31.300

1 @Andreas Rejbrand: it's not exactly programmatically. Which implies that you might be able to remotely trigger it. Personally I'd still go for ExitWindowsEx/InitiateSystemShutdownEx. What you save on the side of the reboot speed should be minimal unless you try to save on the file system checks as well ... – 0xC0000022L – 2011-03-07T14:24:55.233

You must be a contractor... ;) You should educate your client, rather than comply with an absurdly stupid request. – MetalMikester – 2011-03-10T11:26:33.707

I absolutely did. Trust me, I did everything in my power to make him understand how bad this is. At this point I think he does, but won't admit it so still sticking to the idea :). I told him though that I can't do it. – Tamás Szelei – 2011-03-12T14:29:16.443

Step 1. Open case Step 2. Flick RAM card a couple times – Little Helper – 2011-11-12T19:36:22.760

Answers

15

The keyboard driver(s) can be told to cause a BSOD:

HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters

or (for older PS/2 keyboards)

HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

And there set a REG_DWORD named CrashOnCtrlScroll to 1.

After the next reboot you can force the blue screen by Ctrl+ScrollLk+ScrollLk. The bug check code will in this case be 0xE2 (MANUALLY_INITIATED_CRASH).

If you really want a programmatic method, you need to find a hole in some driver on that machine or write and install a simplistic driver that calls either KeBugCheck or KeBugCheckEx.

Have fun ;)

Side-note: it can be very useful to deliberately cause a crash like this for driver writers or even when dealing with malware. If you configured your system to create a full memory dump, you will then have an image of the running system which can be further analyzed. Consider cases like a deadlock where a debugger does not necessarily help in all cases.

0xC0000022L

Posted 2011-03-04T14:02:14.660

Reputation: 5 091

I experienced a BSOD by typing printscreen or by too much memory in using RAM or internal hard disk. Maybe exploiting a system too. – Tech-IO – 2016-12-18T15:46:43.477

4 Is this true? That's cool if it is! (No, I am not in the mood of testing it on any of my computers.) – Andreas Rejbrand – 2011-03-04T17:43:50.807

3 Yes, it's actually not meant as a joke. This is something driver writers have been using for some time, although I didn't remember off the top of my head what the registry location was. Had to look it up in my notes. – 0xC0000022L – 2011-03-04T17:50:15.637
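A read-only check of the settings discussed in the answer above, as an added example that is not part of the original post: it reports whether CrashOnCtrlScroll is set for either keyboard driver and what a crash would then produce. The CrashControl key and its CrashDumpEnabled and AutoReboot values are not named on the page and are assumed here to be at their standard location.

```powershell
# Read-only audit: reports the current values and changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Keyboard drivers named in the answer: kbdhid (USB/HID) and i8042prt (PS/2).
$keyboard = foreach ($svc in 'kbdhid', 'i8042prt') {
    $value = Get-RegValue -Path "$base\Services\$svc\Parameters" -Name 'CrashOnCtrlScroll'
    [pscustomobject]@{
        Driver            = $svc
        CrashOnCtrlScroll = if ($null -eq $value) { '(not set)' } else { $value }
        KeyboardCrash     = ($value -eq 1)
    }
}

# Assumption: the standard CrashControl key, which the page does not name.
$cc        = "$base\Control\CrashControl"
$dumpNames = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
$dumpRaw   = Get-RegValue -Path $cc -Name 'CrashDumpEnabled'
$reboot    = Get-RegValue -Path $cc -Name 'AutoReboot'

if ($null -eq $dumpRaw) {
    $dumpType = '(not set)'
} elseif ($dumpNames.ContainsKey([int]$dumpRaw)) {
    $dumpType = $dumpNames[[int]$dumpRaw]
} else {
    $dumpType = "Unknown ($dumpRaw)"
}

$keyboard | Format-Table -AutoSize

[pscustomobject]@{
    DumpType        = $dumpType            # what gets written on a bug check
    AutoReboot      = ($reboot -eq 1)      # reboot straight after the crash
    FullDumpOnCrash = ($dumpRaw -eq 1)     # the "full memory dump" case from the side-note
} | Format-List
```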

17

ConfusedSushi

Posted 2011-03-04T14:02:14.660

Reputation:

1

Not sure exactly how to cause it, but I believe in Vista and 7, it defaults to shutting down on system failure and not showing the BSOD.

FreeAsInBeer

Posted 2011-03-04T14:02:14.660

Reputation: 165

That's ok, I want that behavior. – Tamás Szelei – 2011-03-04T14:09:54.487

1 @FreeAsInBeer: Actually that is because your system settings tell it to reboot after the crash. This can be changed in the Advanced tab of your computer properties. Also, the crash dumps created nowadays are usually mini dumps by default, which is why the reboot happens so fast that you don't get to see the blue screen (literally). But it's there, believe me ;) – 0xC0000022L – 2011-03-04T18:08:55.653

1 @STATUS_ACCESS_DENIED: I know, I was simply letting him know that the default for this variable is set to not show BSODs, so he knew to check that property if he didn't get one as expected. – FreeAsInBeer – 2011-03-04T18:16:38.670

@FreeAsInBeer: fair enough :) – 0xC0000022L – 2011-03-04T19:15:03.647

1

Generally, a BSOD happens when something goes horribly wrong within the operating system or hardware. Getting something to go wrong within either of those from outside of them is, inherently, rather difficult, as operating system authors and hardware vendors alike don't appreciate bad software engineers making their products look bad and ruining their users' experience.

Writing a driver is one of the few ways to get close enough to the operating system and hardware and cause such an error. Of course, installing such a driver is not something you generally do without purposeful knowledge and administrative privileges, so using this for malicious purposes proves rather difficult. With that kind of access, you could do much more harm without a BSOD or such roundabout means.

Sion Sheevok

Posted 2011-03-04T14:02:14.660

Reputation: 119

1

A BSOD is a kernel panic. It means a part of the kernel, the very core of the operating system, did something real bad. Maybe it scribbled memory, maybe it executed code that it shouldn't have. Programmatically, you'd need to get code in kernel space, and then somehow trigger it on demand. A bit risky for a prod server.

Normal Windows machines have a lot of state in processes and in the kernel. Whatever cleanup you need to keep the state consistent, well you just short circuited it.

Specifically a BSOD is (usually) a kernel (or driver) bug, the kernel is in a bad state, so bad it feels it can't clean up and would rather reboot, losing whatever good state it has just because it doesn't know what's good and what's bad. Any buffers could not get flushed to disk(s). Then it will try to clean up on reboot, but it lost a lot of context on shutdown/panic so it will be a conservative cleanup, having to pick through both good and bad leftovers from the panic.

So, some of your advantage on shutdown is gone on startup, since now it needs to figure out where it got its legs chopped out from under itself. It needs to run chkdsk and clean up any disk blocks that were in a partial write state. USB disks cache a lot. You can turn off caching which would make it less likely to lose data on crash, but then not caching takes away some speed. Which files are you willing to lose?

In short, this is a bad idea. Any production machine that has this happen may be in an unstable state even after cleanup. This is bad.

I'd say just to take the hit of shutdown and restart. You'll lose whatever time savings you think you get the first time you need to rebuild the server because it won't boot or your programs can't start.

Rich Homolka

Posted 2011-03-04T14:02:14.660

Reputation: 27 121

You miss the point. There are good reasons to cause a BSOD on demand when debugging a problem with a driver you write. However, I think that this question should never have been migrated from SO to here, because of its nature. – 0xC0000022L – 2012-03-29T02:26:31.177

@STATUS_ACCESS_DENIED I agree with your statement, but if you remember at the original question, it had nothing to do with debugging, but a shortcut to shut down a system. Not a good reason in my opinion. – Rich Homolka – 2012-03-29T17:16:36.580

0

The code snippet from https://www.mpgh.net/forum/showthread.php?t=1100477 works on Windows 10.17134

#include <windows.h>
#pragma comment(lib, "ntdll.lib")

extern "C" NTSTATUS NTAPI RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN OldValue);
extern "C" NTSTATUS NTAPI NtRaiseHardError(LONG ErrorStatus, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask,
PULONG_PTR Parameters, ULONG ValidResponseOptions, PULONG Response);

void BlueScreen()
{
    BOOLEAN bl;
    ULONG Response;
    RtlAdjustPrivilege(19, TRUE, FALSE, &bl); // Enable SeShutdownPrivilege
    NtRaiseHardError(STATUS_ASSERTION_FAILURE, 0, 0, NULL, 6, &Response); // Shutdown
}

There seems to be no trace in the Event Log. There will surely be a trace in the minidump though?

birdwes

Posted 2011-03-04T14:02:14.660

Reputation: 51

0

Have to mention that killing the csrss.exe process would cause a BSOD. But not on the newest Windows (8, 8.1).

pbies

Posted 2011-03-04T14:02:14.660

Reputation: 1 633

This is code 0xC000021A (STATUS_SYSTEM_PROCESS_TERMINATED), btw. – 0xC0000022L – 2016-12-19T10:00:30.993

This can be done by an app. Anyone can make such an app in Visual Studio Express (free). – pbies – 2014-05-02T21:17:45.200