Mark Russinovich’s technical blog covering topics such as Windows troubleshooting, technologies and security.
My last blog post described how to use local kernel debugging to change the colors of the Windows crash screen, also known as the “blue screen of death”. No doubt many of you thought that showing off a green screen of death or red screen of death to your friends and family would be fun, but the steps involved too complicated.
Alex Ionescu, one of my coauthors on Windows Internals, 5th Edition (he’s also coauthoring the 6th edition with me and Dave Solomon, which covers Windows 7 and Windows Server 2008 R2 – scheduled for release this summer), suggested that we make it easy for people to enjoy blue screens of any color. We did so by modifying Notmyfault, a buggy driver demonstration tool that I wrote for the book and my crash dump analysis presentations. Simply make your color section in the new BSOD color picker dialog, press the “Do Bug” button, and enjoy your creation:
Here’s the “blue screen” that results from the above color choice:
It’s as easy as that - there’s no need to tweak large-page settings or perform any other system configuration changes like those described in my last blog post.
How does it work? We extended Notmyfault’s kernel-mode driver (named Myfault.sys, as seen on the crash screen, to highlight the fact that user-mode code cannot directly cause a system crash) to register a “bugcheck callback”. When the system crashes it invokes driver-registered callbacks so that they can add data to the crash dump that can help troubleshooters get information about device or driver state at the time of a crash. The Myfault.sys callback executes just after the blue screen paints and changes the colors to the ones passed to it by Notmyfault by changing the default VGA palette entries used by the Boot Video driver.
Now with no awkward and error-prone fiddling in a kernel debugger, you can impress your friends and family with a blue screen painted in your favorite colors (though they might be even more impressed if you change the colors by fiddling in the kernel debugger)!
To download the latest copy of Notmyfault (both 32-bit and 64-bit versions) click here.
That's awful cool. It seems that you can do anything in Window without any constraint...
Thanks for the gr8 post !
Assuming callback data buffers reside in Small Mem Dump and not KM (not sure ), why the buffers or dump file doesn't contain the driver's KeRegisterBugCheckCallback routines data ?
Very nice stuff! I'm assuming that like the manual method this isn't a persistent change?
Correct, it isn't persistant. The coloring is done by writing to the VGA device, not the registry, etc. The callback to do that is only resident when NotMyFault has caused the BSOD.
very cool stuff from the modest person. You can add colorized bugcheck callback method to your drivers. It's a poc, very nice poc.
Can you have a crash screen with animated ascii art? Thanks.
"Can you have a crash screen with animated ascii art?" That would be very cool :-D
I think nothing is impossible, so it can be done! But some geeks have to work on it ehehehe
By the way, cool tool :-)
I would like to get your utility kicked off by the screen saver timer. That would be a nice prank for somebody who likes to show a screen shot of a BSOD as a screen saver. Imagine the surprise to get a real BSOD in red instead of the fake one. :-)
Very cool. Although it's enlightened me with some great potential windows vulnerabilities. ;)
Sol, if you have debug priviledge, you 'own' the box... there are 1000's of ways to do damage. It's not a vulnerability, it a priviledge right.