Invoke Blue Screen of Death using Managed Code

Asked 10/11, 2008 at 14:18 Answered 3/12, 2020 at 22:39

Solved windows-vista windows-xp managed-code bsod

Just curious here: is it possible to invoke a Windows Blue Screen of Death using .net managed code under Windows XP/Vista? And if it is possible, what could the example code be?

Just for the record, this is not for any malicious purpose, I am just wondering what kind of code it would take to actually kill the operating system as specified.

Beedon answered 10/11, 2008 at 14:18 Comment(6)

Is there a blue screen of death in Vista? BTW: What non-malicious purpose could there be? – Impudicity 10/11, 2008 at 14:22

DilbertDave: sometimes when you want a complete dump at a time that you trigger. Useful for low level stuff but not sure about .NET ... – Holm 10/11, 2008 at 14:28

@Alex Angas: You're probably better off using windbg to get a minidump if you want to use this for debugging purposes. – Dibbuk 10/11, 2008 at 14:31

This is an important question. If I deploy a .NET app to a client and later on they get the blue screen of death, I want to know whether I can say "it definitely wasn't caused by my app, since it 's a .NET app". – Rockie 10/11, 2008 at 15:44

@Impudicity Yep, there is a BSOD in Vista. – Omer 10/11, 2008 at 16:26

Protected as this question is attracting spammers. – Hexosan 6/8, 2010 at 13:53

The keyboard thing is probably a good option, but if you need to do it by code, continue reading...

You don't really need anything to barf, per se, all you need to do is find the KeBugCheck(Ex) function and invoke that.

http://msdn.microsoft.com/en-us/library/ms801640.aspx http://msdn.microsoft.com/en-us/library/ms801645.aspx

For manually initiated crashes, you want to used 0xE2 (MANUALLY_INITIATED_CRASH) or 0xDEADDEAD (MANUALLY_INITIATED_CRASH1) as the bug check code. They are reserved explicitly for that use.

However, finding the function may prove to be a bit tricky. The Windows DDK may help (check Ntddk.h) - I don't have it available at the moment, and I can't seem to find decisive info right now - I think it's in ntoskrnl.exe or ntkrnlpa.exe, but I'm not sure, and don't currently have the tools to verify it.

You might find it easier to just write a simple C++ app or something that calls the function, and then just running that.

Mind you, I'm assuming that Windows doesn't block you from accessing the function from user-space (.NET might have some special provisions). I have not tested it myself.

Malacostracan answered 10/11, 2008 at 14:53 Comment(2)

KeBugCheck(Ex) is a kernel function. There does not appear to be a corresponding user-mode wrapper in ntdll.dll. – Sandhog 10/11, 2008 at 15:53

There won't be a user-mode wrapper for KeBugCheck function specifically because usermode programs are not allowed to crash the system. However, this doesn't prevent you from writing your own kernel mode driver to implement this. – Pouliot 20/3, 2009 at 19:48

I do not know if it really works and I am sure you need Admin rights, but you could set the CrashOnCtrlScroll Registry Key and then use a SendKeys to send CTRL+Scroll Lock+Scroll Lock.

But I believe that this HAS to come from the Keyboard Driver, so I guess a simple SendKeys is not good enough and you would either need to somehow hook into the Keyboard Driver (sounds really messy) or check of that CrashDump has an API that can be called with P/Invoke.

http://support.microsoft.com/kb/244139

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1
Restart

Cloudy answered 10/11, 2008 at 14:35 Comment(1)

I find this article on Tech Republic slightly easier to follow. It's the same technique, though: articles.techrepublic.com.com/5100-10878_11-5710338.html – Airlike 10/11, 2008 at 15:15

I would have to say no. You'd have to p/invoke and interact with a driver or other code that lives in kernel space. .NET code lives far removed from this area, although there has been some talk about managed drivers in future versions of Windows. Just wait a few more years and you can crash away just like our unmanaged friends.

Hexosan answered 10/11, 2008 at 14:24 Comment(0)

As far as I know a real BSOD requires failure in kernel mode code. Vista still has BSOD's but they're less frequent because the new driver model has less drivers in kernel mode. Any user-mode failures will just result in your application being killed.

You can't run managed code in kernel mode. So if you want to BSOD you need to use PInvoke. But even this is quite difficult. You need to do some really fancy PInvokes to get something in kernel mode to barf.

But among the thousands of SO users there is probably someone who has done this :-)

Dibbuk answered 10/11, 2008 at 14:29 Comment(0)

You could use OSR Online's tool that triggers a kernel crash. I've never tried it myself but I imagine you could just run it via the standard .net Process class:

http://www.osronline.com/article.cfm?article=153

Overture answered 19/11, 2008 at 10:57 Comment(0)

I once managed to generate a BSOD on Windows XP using System.Net.Sockets in .NET 1.1 irresponsibly. I could repeat it fairly regularly, but unfortunately that was a couple of years ago and I don't remember exactly how I triggered it, or have the source code around anymore.

Evita answered 10/11, 2008 at 14:57 Comment(1)

I've seen this as well with .NET 3.5 on Vista, and updating the driver for the onboard network interface fixed the problem. Obviously the .NET program triggered a driver problem that no other program triggered before. – Chromomere 2/12, 2009 at 8:57

Try live videoinput using directshow in directx8 or directx9, most of the calls go to kernel mode video drivers. I succeded in lots of blue screens when running a callback procedure from live videocaptureing source, particulary if your callback takes a long time, can halt the entire Kernel driver.

Zante answered 10/11, 2008 at 15:22 Comment(0)

It's possible for managed code to cause a bugcheck when it has access to faulty kernel drivers. However, it would be the kernel driver that directly causes the BSOD (for example, uffe's DirectShow BSODs, Terence Lewis's socket BSODs, or BSODs seen when using BitTorrent with certain network adapters).

Direct user-mode access to privileged low-level resources may cause a bugcheck (for example, scribbling on Device\PhysicalMemory, if it doesn't corrupt your hard disk first; Vista doesn't allow user-mode access to physical memory).

If you just want a dump file, Mendelt's suggestion of using WinDbg is a much better idea than exploiting a bug in a kernel driver. Unfortunately, the .dump command is not supported for local kernel debugging, so you would need a second PC connected over serial or 1394, or a VM connected over a virtual serial port. LiveKd may be a single-PC option, if you don't need the state of the memory dump to be completely self-consistent.

Sandhog answered 10/11, 2008 at 16:17 Comment(0)

Unfortunately, I know how to do this as a .NET service on our server was causing a blue screen. (Note: Windows Server 2008 R2, not XP/Vista).

I could hardly believe a .NET program was the culprit, but it was. Furthermore, I've just replicated the BSOD in a virtual machine.

The offending code, causes a 0x00000f4:

string name = string.Empty; // This is the cause of the problem, should check for IsNullOrWhiteSpace

foreach (Process process in Process.GetProcesses().Where(p => p.ProcessName.StartsWith(name, StringComparison.OrdinalIgnoreCase)))
{
    Check.Logging.Write("FindAndKillProcess THIS SHOULD BLUE SCREEN " + process.ProcessName);
    process.Kill();
    r = true;
}

If anyone's wondering why I'd want to replicate the blue screen, it's nothing malicious. I've modified our logging class to take an argument telling it to write direct to disk as the actions prior to the BSOD weren't appearing in the log despite .Flush() being called. I replicated the server crash to test the logging change. The VM duly crashed but the logging worked.

EDIT: Killing csrss.exe appears to be what causes the blue screen. As per comments, this is likely happening in kernel code.

Venavenable answered 20/3, 2012 at 19:11 Comment(2)

Like pointed in the above comments, BSOD can be triggered only by kernel code. Your code most likely triggers some driver(s) and that's the reason for the crash. Still, that's an indication that the underlying kernel code isn't robust enough and this is actually a hole that can be exploited until fixed in the kernel code. – Squashy 22/10, 2012 at 7:1

Yes, I think you are correct. Basically my code kills an essential runtime service causing Windows to crash. – Venavenable 2/5, 2013 at 10:45

This one doesn't need any kernel-mode drivers, just a SeDebugPrivilege. You can set your process critical by NtSetInformationProcess, or RtlSetProcessIsCritical and just kill your process. You will see same bugcheck code as you kill csrss.exe, because you set same "critical" flag on your process.

Acadian answered 22/8, 2013 at 7:22 Comment(0)

I found that if you run taskkill /F /IM svchost.exe as an Administrator, it tries to kill just about every service host at once.

Saccharase answered 3/12, 2020 at 22:39 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags