A Bluescreen By Any Other Color
Note: for an easier way to customize the blue screen’s colors, see my next blog post, “Blue Screens in Designer Colors with One Click”.
Seeing a bluescreen that’s not blue is disconcerting, even for me, and based on the reaction of the TechEd audiences, I bet you’ll have fun generating ones of a color you pick and showing them off to your techy friends. I first saw Dan Pearson do this in a crash dump troubleshooting talk he delivered with Dave Solomon a couple of years ago and now close my Case of the Unexplained presentations with a bluescreen of the color the audience choses (you can hear the audience’s response at the end of this recording, for example). Note that the steps I’m gong to share for changing the color of the bluescreen are manual and only survive a boot session, so are suitable for demonstrations, not for general bluescreen customization. Be sure to check out the special holiday bluescreen I’ve prepared for you at the end of the post.
Preparing the System
Because you’re going to modify kernel code, the first step is to enable the ability to edit kernel code in memory if it’s not already enabled. Windows systems with less than 2 GB of RAM uses 4KB pages to store kernel code, so can protect pages with the protection most suitable for the contents they contain. For instance, kernel data pages should allow both read and write access while kernel code should only allow read and execute access. As an optimization that helps improve the speed of virtual address translations, Windows uses large pages (4 MB on x86 and x64) on larger systems. That means that if there’s both code and data stored in a page, the page must allow read, write and execute accesses, so to ensure that you can edit a page, you have to encourage Windows to use large pages. If your system is Windows XP or Server 2003 and has less than 256 MB, or is Windows Vista or higher and has 2 GB or less of RAM, create a REG_DWORD value called LargePageMinimum that’s set to 1 under HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management:
So that you don’t have to rush to show off your handiwork before Windows automatically reboots after the crash, change the auto-reboot setting. On Windows XP and Server 2003, right-click on My Computer, select the Advanced Tab, and press the Settings button in the “Startup and Recovery” section. On Windows Vista and higher, right-click on Computer in the Start Menu, select properties to open the Properties dialog, click Advanced System Settings, select the Advanced tab and press the Settings button in the “Startup and Recovery” section. Finally, uncheck the “Automatically restart” checkbox:
If you’re running 64-bit Windows Vista or higher, you need to boot the system in Debug mode so that you can run the kernel debugger in “local” mode. You can do that either by selecting F8 during the system boot and choosing the Debug boot or by checking the Debug checkbox in the System Configuration (Msconfig) utility:
Next, reboot the system and start the debugger with administrator rights (if UAC is on, run it as administrator). Point the debugger at the Microsoft symbol server by opening the Symbol Search Path dialog under the File menu and enter this string: srv*c:\symbols*https://msdl.microsoft.com/download/symbols (replace c:\symbols with whatever local directory in which you want the debugger to store cached symbols). Next, open the Kernel Debugging dialog from the File menu, click the Local page, and press OK:
The subsequent steps vary depending on whether you’re running 32-bit or 64-bit Windows and whether it’s Windows Vista or newer.
32-bit Windows XP and Windows Server 2003
The function that displays the bluescreen on these operating systems is KeBugCheck2. You’re looking for the place where the function passes the color value to the function that fills the screen background, InbvSolidColorFill. Enter the command “u kebugcheck2” to list the start of the function, then enter the “u” command to dump additional pages of the function’s code until you see the reference to InbvSolidColorFill (after entering “u” once, you can just press enter to repeat the command). You’ll need to dump 30-40 pages before you come across the one with the call:
Preceding the call, you’ll see an instruction that has the number 4 as its argument (“push 4”), as you can see above. Copy the code address of that instruction by selecting it from the address column on the left and typing Ctrl+C. Then in the debugger command window, type “eb “, then Ctrl+V to paste the address, then “+1”, then enter. The debugger will go into memory editing mode, starting with the address of the color value. Now you can choose the color you want. 1 is red, 2 is green, and you can experiment if you want a different color. Simply enter the number and press enter twice to commit it and exit editing mode. Here’s what the screen should look like after you’re done:
64-bit Versions of Windows and 32-bit Windows Vista and Higher
On these versions of Windows, the core bluescreen drawing function is KiDisplayBlueScreen. Type “u kidisplaybluescreen” and then continue entering “u” commands to dump pages of the function until you see the call to InbvSolidColorFill. On 32-bit versions of Windows, continue by following the instructions given in the Windows XP/Server 2003 section to find and edit the color value. On 64-bit versions of these operating systems, the instruction preceding the call to InvbSolidColorFill is the one that passes the color, so copy its address (the number in the left column) and enter this command to edit it: “eb <address>+4”. The debugger will go into memory editing mode and you can change the value (e.g. 1 for red, 2 for green):
Viewing the Result
You’re now ready to crash the system. If you’re running 64-bit Windows, you might get a crash without doing anything additionally. That’s because Kernel Patch Protection will notice the modification and crash the system as a deterrent to ISVs that might consider modifying the kernel’s code to change its behavior. There might be a delay of up to several minutes before that happens, though. To generate a crash on demand, run the Notmyfault tool (you can download it from the Windows Internals book page) and press the “Do Bug” button (to avoid data loss, make sure you’ve saved any work and closed all other applications):
You’ll now get a bluescreen in the color you picked, in this case the red screen of death:
The Holiday Bluescreen
In the spirit of the holiday season, I took things one step further to generate a holiday-themed bluescreen: not only did I modify the background color, but the text color as well. To do this on 64-bit versions of Windows Vista or higher, note the call to InvbSetTextColor immediately following the one to InvbSolidColorFill and the address of the instruction that passes the text color to the function, “move ecx, 0Fh”:
The 0Fh parameter represents white, but you can change it using the same editing technique. Use the “eb” command, passing the address of the instruction plus 1. Here I set the color to red (which is a value of 1):
And here’s the festive bluescreen I produced:
Happy holidays! And remember, if you have any troubleshooting cases you want to share, please send me screenshots (.PNG preferred) and log files.
Comments
Anonymous
January 01, 2003
Dan: Yes there is, and works in all versions of Windows. It needs to be set at boot to be effective. Forcing a System Crash from the Keyboard msdn.microsoft.com/.../ff545499.aspx You can also do it using the NMI button... How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system support.microsoft.com/.../927069Anonymous
December 15, 2010
Great post! :-) For the people who want some other colors, here you are: Hexadecimal code for which color 0 black 1 blue 2 green 3 cyan 4 red 5 magenta 6 yellow/brown 7 white 8 gray 9 bright blue A bright green B bright cyan C bright red D bright magenta E bright yellow F whiteAnonymous
December 15, 2010
Woah! I used one of your BSOD screen saver some time back?Ever had a thought of providing customizations to that? After I started using Windows 7 BSOD have been a thing of the past ;)Anonymous
December 15, 2010
Very nice. For me is very stressful to get a bsod (at least looks less hazardous as a rsod/gsod). OT: Playing with your tool, process explorer, I noticed if (even without admin rights) you suspend the windows compositor (dwm) process, the whole OS (vista or greater running aero non-basic) becomes unusable, because even to close the user session, you apparently need the dwm. But I made a little workaround :-) http://goo.gl/FL3NSAnonymous
December 15, 2010
I love the information and idea of moving from Blue to Green is great at my age reading Blue is a task. Just a smal note I went fully through the links of information provided at Learning MSpress they have 4th edition listed for the book and at Windows DDK site for patch protection they still list the 4th edition. You may want to get the web masters to update to current book. :)Anonymous
December 15, 2010
The comment has been removedAnonymous
December 15, 2010
There's no need to edit kernel files; The feature is already built into Windows. Two entries in legacy (text) file SYS.INI are all that's required. Google turned the following up, which has a nice description of it: www.petri.co.il/change_bsod_color.htmAnonymous
December 15, 2010
Here's a picture I made of Mark showing the Red Screen Of Death at TechEd Europe 2010. http://twitpic.com/36tbrvAnonymous
December 15, 2010
Have fun!-) www.youtube.com/watchAnonymous
December 15, 2010
During my internship I installed your BSOD screen-saver. Few weeks later I was experiencing boot problems with my laptop, I took it to the tech support and they asked me how many times did I've BSOD. I said none. He told me it crashed 20 times last week and he had crash reports in system folder. Then I realized I confused the screen saver with real BSOD. It was embarrassing explaining it to the tech support guy.Anonymous
December 16, 2010
Nice trick:) How about turning BSOD upside down?Anonymous
December 16, 2010
Isn't there a hotkey to trigger a bluescreen, once you turn it on in the registry? right ctrl + tap scroll lock or pause twice or something? Or is that only in XP? PS: Your JavaScript-disabled form for comments is broken in Google ChromeAnonymous
December 17, 2010
If you use WinDbg you can issue ".CRASH" command instead of using 3rd party app.Anonymous
December 17, 2010
Good one Mark ! Way to go ...! Thanks for this wonderful article !Anonymous
December 23, 2010
waw a GSOD ?? Greenscreen of Death hah Lol x)Anonymous
December 26, 2010
The comment has been removedAnonymous
December 27, 2010
Hi Mark could you please change the Windows start logo for next Xmas :)Anonymous
December 29, 2010
The comment has been removedAnonymous
January 12, 2011
The comment has been removedAnonymous
January 15, 2011
@SE: Exit with grace? Which OS does that? BSOD/Kernel panicks/guru meditation are all in situation where kernelmode is beyond repair - no OS can at that point gracefully exit. It is last emergency stop. What is gracefull about that situation?