Creating BSODs?

mvanhorn asks: "This is not a joke, or a troll, but my company is testing a failover solution for NT and we were wondering about simple reliable ways to intentionally cause a BSOD. Please don't say "just fire up an application..." it will be neither useful, or funny. But really humorous answers that solve the problem are welcome."

Put in some flaky hardware?

[TheGreek]

Have you tried putting in some flaky hardware? A great way to get NT/Win2k to break would be to put some bad memory in the box.

Re:Put in some flaky hardware?

[Chris+Hiner]

Funny this should be asked today. I had an NT4 machine BSOD several times today, because it was using a page file on a hard drive that was failing. Then I reboot it, and it tells me I'm out of virtual memory before it finishes booting.
It worked well for causing BSOD's, but took a few hours to work up to doing it.

programs

[crovax]

There should be programs for that.
try:
hackers.com
L0pht.com
hackers.com has a large archive of programs.
-----
If my facts are wrong then tell me. I don't mind.

Goto your local jr college...

[mduell]

and ask the C/C++ teacher for some first year students programs. They do all kinds of things, including BSOD. Seriously though, this happened at the jr college i went to. (I was at the time in the 8th grade and i knew more than most the people in the class...)

Mark Duell

Device drivers are the key.

[X]

NT's BSOD problems lie almost entirely in device drivers these days. My suggestion would be to write some kind of device driver who's sole purpose was to crash the machine. There are lots of ways to do this, but probably the best is to just pass the kernel a bad pointer.

It used to be pretty easy to crash NT by simply stressing IIS, but I haven't had much luck with that of late. My suspicion is that Active Directory Services is the new IIS (in the sense that it's new, delivers lots of functionality that is relied upon by core components). So probably writing a program that recursively adds itself to ADS is probably pretty effective. ;-)

Re:Device drivers are the key.

[Bryan+Andersen]

This was what casme to my mind too. Get one of the "demo" device driver sources for NT, hack it so it starts over writing critical kernel space when it's called. That should do it. You could make it really spiff and have it randomly change data and code.

Re:Device drivers are the key.

[void*]

Disclaimer: I know next to nothing about NT

If you wrote a device driver to do this, shouldn't you be able to jump straight to the BSOD code? If this is possible, it seems like it would be much more straightforward than passing the kernel bad data. If i wanted to do something like this on a linux box, i'd just write a dev driver that would call panic() on some condition (like, say, as a misc char device, and panic when some value is written to the dev node). Maybe something like this is possible within an NT driver.

Re:Device drivers are the key.

[poohbear_honeypot]

KeBugCheckEx() will cause one in a device driver. Buy an off the shelf package to generate a driver skeleton and stick this call in the first driver call back or, even better, an IOCTL handler. You can open the device with a usermode program and call the ioctl to stop the machine. It's possible (though I haven't looked) that BugCheck() (which, for all you zelots out there is the function that causes bsods), is exported into the NT "native call" interface, which I think is int 2e. If it is you don't need a device driver. Get a book on undocumented nt.

---
Joseph Foley
Akamai Technologies

Recursive Calling

[Gr@veRose]

I don't know if this will work in NT, but with '9x if you Start --> Run --> C:\con /con it will cause indefinite BSOD's by recursively calling 'con' within itself.

Re:Recursive Calling

[Tester]

The c:\con\con, which also works with c:\nul\nul, and any other combination of the dos devices will work on NT4, but not in w2k... You will have to call M$ tech support, I'm sure they know hundreds of different ways to gets BSODs...

Re:Recursive Calling

[UnrefinedLayman]

The c:\con\con, which also works with c:\nul\nul, and any other combination of the dos devices will work on NT4, but not in w2k... You will have to call M$ tech support, I'm sure they know hundreds of different ways to gets BSODs

That vulnerability only exists in Windows 95 and 98. It doesn't exist in NT4, or 2000. I assume that it is fixed in Windows ME, as Windows ME was still being developed when the vulnerability was fixed for the 9x platform.

Re:Recursive Calling

[michael.creasy]

Yes it is fixed and a patch is available on www.windowsupdate.com for 98 and 95.

unplug a disk ?

[mirko]

You could open the box while it is swapping and just take the hard disk power ribbon off.
Of course there are lots of derivate ways to cause a major failure, except unpluging the screen as you then wouldn't be able to see if it becomes blue. ;-)
"Good" Luck.
--

Re:unplug a disk ?

[Stonehead]

It looks safer to me to use a diskette or cd-rom for this purpose. Enter a disk, and eject the disk while it is busy. Windows should now ask to re-enter the disk with serial number #12345678. I don't know whether w2k still does this in a BSOD.

Re:unplug a disk ?

[mirko]

If you remove a "non-vital" unit, you can cancel the operation with ESC and thus this is not a BSOD as it does not imply reboot or the failover solution that mvanhorn told us about.
--

HALT!

[Dark+Coder]

mov r0,r0
nop
nop
nop
nop
halt

How much simpler can one get?

BSOD on NT4 ( dunno about W2K )

[Lupulack]

Well, we always used to just start up Task Manager, configure it to minimize to the tray, then kill the explorer.exe process ... Task manager no longer has a tray, BOOM!

BSOD

Re:BSOD on NT4 ( dunno about W2K )

[Remote]

Sure, I had to try this. The tray is gone even as I type, everything gets minimized to a standard issue Windows minimized box right above where there used to be a tray. So, it must have been fixed in some SP.

I'll try to use the computer as long as I can before rebooting, just for the kick.

Re:BSOD on NT4 ( dunno about W2K )

[DarkRyder]

I'm afraid to try this on my 'stable' NT4 box, but in 9x, killing the kernel process has always produced better results, for me. Not only does it guarantee some kind of crash, but the generated mishap can be anything from a simple access violation or GPF to hang or the almighty BSOD.

Winlogon.exe

[nlucent]

Kill winlogon.exe.

Re:Winlogon.exe

[Remote]

Access is denied in my computer, it may have been fixed. I'm not running as Admin.

well, in win2k anyway...

[DavidOgg]

load up an external hp CDRW 7500 (parallel port version)

load the driver...

now just TRY to boot without a STOP ERROR!

(this also works with an internal 9300 w/out updated drivers)

OR use a Realtek chipset NIC and do a Win2k online update and choose to use MS new online realtek drivers. (this works on 50% of the machines)

OR (heh) convert your NTFS directory (in win2k) to HPFS, it SEEMS to support it for a while, and then "decides" not to support it. (did MS really take HPFS support out, or just make it not work?)

Use old reference drivers for windows 98 to install video cards in win2k. works like a charm. if working means stop errors anyway.

Use Fast page and EDO simms mixed together.

or a variation on this, use an old BIOS and an ODD number of simms, or a version of the bios that lets you force the bios into thinking it has more ram than it does.

Use a Western digital mastered to a Seagate Slave drive (if it will boot, HDD errors will happen fo no good reason) This is neither WD's fault nor Seagates...They both use funny ways of determining master/slave

Load Office 95, then load Norton Windoctor and let it "fix" the registry.

I like this one, put your swap file on a zip drive, but dont use Iomega 2000 tools to install the zip, now eject the zip. Be sure the BIOS sees the zip as a 100Mb Hard drive, not a ARMD device.

Install win2k with ACPI support, using a bios that SUPPORTS it, then flash the version that came out before w2k, that doesnt fully support ACPI.

Dont know of any NT specific crashes other than con/con or nul/nul, but it was muck easier to crash NT, win2k seems pretty stable, as far as messing around with it, win2k is much more forgiving than NT was.

Re:here you go

[evil_deceiver]

I was going to suggest this, but then I thought, doesn't that only work on unpatched 95 machines? Even 98 shouldn't ship with port 139 listening, IIRC, because this (or a similar) nuker works *so* well -- a totally debilitating attack carried out in a mere second or two. My coworkers and I used to use this exploit to nuke a box we were using to monitor network status whenever we got bored.

Okay, so this is mostly reminiscing. Anyway, my point is, I doubt the port-139 attack will work on any versions of Windows post-95. If it does, well, Microsoft is even dumber than I gave them credit for.

There's a Dialup Networking patch for Win95 users that will fix this vulnerability, sort of; I'd post a link but I couldn't find it on MS' site. Maybe they're trying to force people to upgrade.

QBASIC

[TheTomcat]

Try this in QBASIC (on windows9x CD)

'causes GPF, but not BSOD
DEF SEG = &H0000
POKE 32, 32
END

Re:QBASIC

[TummyX]

Duh So what? That's not useful at all. GPF is an application error.

Getadmin

[typedef]

Run Getadmin.exe on a (I believe) SP4 machine. You won't get admin, but you will get a nice BSOD.

Re:Getadmin

[technos]

SP5 and 6 BSOD, but not reliably..

SP4, which contained the initial fix for getadmin,
is still vunerable to it!

This should be pretty easy

[SecretAsianMan]

I'm not much of a Windows programmer, but I think you can write NT device drivers that run in kernel mode (meaning privilege level 0). Once you have that going, just use a few instructions in it to cause a processor exception, like maybe a page fault. You could then access the driver from other software. I do think this would be a slight security risk... :)

SysInternals has your answer

[Chelloveck]

SysInternals has a solution for this. One of its products is called BlueSave, which is a utility that will save the text of the BSOD to a file. BlueSave is conveniently packaged along with a companion utility that will cause your PC to crash to the BSOD.

We've provided the source and executable to a program, BSOD, that you can use to intentionally crash your computer in order to test BlueSave. Note that this program uses a device driver component to perform privileged operations and is therefore not exploiting a bug in Windows NT.

C:/CON/CON

[Zonker+Harris]

Just trying to access C:/CON/CON will BSOD any Win95/Win98 box. Doesn't work on NT, though- I've tried. You can try it out HERE.

Use pre-SP3

[technos]

If you can use a pre-SP3 NT box, any of the malformed packet attacks will do it for you. (Teardrop, etc) While the machine won't necessarily blue screen, it will become invisible and unresponsive to the network with a variety of attacks..

Adaptec EZ-CD Creator 3.5

[SmittyTheBold]

Install it (be sure to include DirectCD!)
and watch the machine die a slow horrible painful death...at least it did for me. That's why everyone has to upgrade to EZ-CD v.4...

-Smitty

Re:Adaptec EZ-CD Creator 3.5

[full_tide]

I can verify this one; "works" like a charm, even on win2k ;-)

EZ-CD 4.0 was too bloated for me, so I just switched to Nero Burning Rom, which lets you overburn (something adaptec doesn't)


~tide~
"Linux is only free if your time has no value."

BSOD

[jmaslak]

Kill the hardware...

This might not BSOD, but it will crash the machine for sure. Just leave the cover off the machine. When it is time to crash it, just unplug the power from the hard disk. It will crash very shortly. (besides, I'd hope your product can handle a crashed hard disk in one of the machines!)

OOBD attack on the machine (WinNUKE)

[GlassWalkerTheurge]

Depending on the patch level of your machine you could do a Out of Band Data attack on the machine. I am not exacktly sure which patch level stops the WinNUKE attack.

BSOD answers..

[The_Toddler]

I know there is a registry mod that you can add to allow hitting a key combo to start the system failure procedure. Try calling MS tech support of you are unlucky with your searchs.

Also there is a pretty good procedure outline in the link below. The article is about clustering and testing it.

http://www.microsoft.com/TechNet/winnt/Winntas/t echnote/ImplemntIntegra/depclust.asp

The Toddler

Re:BSOD answers..

[The_Toddler]

Found the reg hack...: Force Windows NT Crash

Perhaps they made it too stable? There is a registry entry that you can use to force a blue stop screen on Windows NT (hopefully this is because you won't ever see one otherwise). First, backup your registry, then make the following change:

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\i8042prt\Paramet ers
Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1 (0 or nothing will disable the feature)

After a restart, holding down the right-side CTRL key and pressing the Scroll lock key twice will generate the Blue Screen of Death.

Good luck.

hard freeze

[griffjon]

not a true BSOD, but a crash that requires a manual power-cycle, worked like a charm on my box, every time, dunno if it's replicatable.

Have a shortcut on your desktop to a folder on a network drive, rightclick-explore, wait 5 seconds,l try and do anything.

I was running NT4 SP5 with tons of random things. Try and do it without the server service running.

Try typing in "Linux" ...

[Andjam]

... And see if it lets you get away with it.

One of the few anti-competitive (or too competitive?) measures undetected by judge or janitor.

One of the others is that Bill Gates uses hired goons to trash out other companies, thinly fictionalised in "The Simpsons".

Rename the display driver

[Wolfier]

Go to safe mode (Win 2k), and cd to \WINNT\SYSTEM32\.

Get the name of your display driver's main DLL (from the INF file of your display driver) and rename it. Next time you boot you'll get a BSOD.

To change it back just boot to safe mode and rename again.