{"id":44113,"date":"2014-09-10T07:00:00","date_gmt":"2014-09-10T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2014\/09\/10\/i-wrote-the-original-blue-screen-of-death-sort-of\/"},"modified":"2021-02-08T10:12:18","modified_gmt":"2021-02-08T18:12:18","slug":"20140910-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20140910-00\/?p=44113","title":{"rendered":"I wrote the original blue screen of death, sort of"},"content":{"rendered":"

We pick up the story<\/a> with Windows\u00a095. As I noted, the blue Ctrl<\/kbd>+Alt<\/kbd>+Del<\/kbd> dialog was introduced in Windows\u00a03.1, and in Windows\u00a095; it was already gone. In Windows\u00a095, hitting Ctrl<\/kbd>+Alt<\/kbd>+Del<\/kbd> called up a dialog box that looked something like this:<\/p>\n\n\n\n\n\n
Close Program<\/b> \u00d7\u00a0<\/b><\/span> <\/span> <\/span><\/td>\n<\/tr>\n
\n
\n
Explorer<\/div>\n
Contoso Deluxe Composer [not responding]<\/div>\n
Fabrikam Chart 2.0<\/div>\n
LitWare Chess Challenger<\/div>\n
Systray<\/div>\n<\/div>\n
WARNING: Pressing CTRL+ALT+DEL again will restart your computer.
\nYou will lose unsaved information in all programs that are running.<\/div>\n<\/td>\n<\/tr>\n
\n
\n
\n
\n
E<\/u>nd Task<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
S<\/u>hut Down<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
Cancel<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

(We learned about Systray some time ago<\/a>.)<\/p>\n

Whereas Windows\u00a03.1 responded to fatal errors by crashing out to a black screen, Windows\u00a095 switched to showing severe errors in blue. And I’m the one who wrote it. Or at least modified it last.<\/p>\n

I was responsible for the code that displayed blue screen messages: Asking the kernel-mode video driver to switch into text mode, filling the screen with a blue background, drawing white text, waiting for the user to press a key, restoring the screen to its original contents, and reporting the user’s response back to the component that asked to display the message.\u00b9<\/p>\n

When a device driver crashed, Windows\u00a095 tried its best to limp along despite a catastrophic failure in a kernel-mode component. It wasn’t a blue screen of death so much as a blue screen of lameness. For those fortunate never to have seen one, it looked like this:<\/p>\n\n\n\n
\n\u00a0<\/p>\n
\u00a0Windows\u00a0<\/span><\/div>\n
\u00a0
\n\u00a0<\/div>\n
An exception 0D has occurred at 0028:80014812. This was called from 0028:80014C34. It may be possible to continue normally.<\/div>\n
\u00a0<\/div>\n
* Press any key to attempt to continue.<\/div>\n
* Press CTRL+ALT+DEL to restart your computer. You will<\/div>\n
\u00a0 lose any unsaved information in all applications.<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Note the optimistic message “It may be possible to continue normally.” Everybody forgets that after Windows 95 showed you a blue screen error, it tried its best to ignore the error and keep running anyway<\/i>. I mean, sure your scanner driver crashed, so scanning doesn’t work any more, but the rest of the system seems to be okay.<\/p>\n

(Imagine if you did that today. “Press any key to ignore this kernel panic.”)<\/p>\n

Technically, what happened was that the virtual machine manager abandoned the event<\/i> currently in progress and returned to the event dispatcher. It’s the kernel-mode equivalent to swallowing exceptions in window procedures<\/a> and returning to the message loop. If there was no event in progress, then the current application was terminated.<\/p>\n

Sometimes the problem was global, and abandoning the current event or terminating the application did nothing to solve the problem; all that happened was that the next event or application to run encountered the same problem, and you got another blue screen message a few milliseconds later. After about a half dozen of these messages, you most likely gave up hope and hit Ctrl<\/kbd>+Alt<\/kbd>+Del<\/kbd>.<\/p>\n

Now, that’s what the message looked like originally, but that message had a problem: Since the addresses at which device drivers were loaded into the kernel were not predictable, having the raw address didn’t really tell you much. If you were someone who was told, “This senior executive got this crash message, can you figure out what happened?”, all you had to work with was a bunch of mostly useless numbers.<\/p>\n

That someone might have been me.<\/p>\n

To help with this problem, I tweaked the message to include the name of the driver, the section number, and the offset within the section.<\/p>\n\n\n\n
\n\u00a0<\/p>\n
\u00a0Windows\u00a0<\/span><\/div>\n
\n\u00a0<\/div>\n
An exception 0D has occurred at 0028:80014812 in VxD CONTOSO(03) + 00000152. This was called from 0028:80014C34 in VxD CONTOSO(03) + 00000574. It may be possible to continue normally.<\/div>\n
\u00a0<\/div>\n
* Press any key to attempt to continue.<\/div>\n
* Press CTRL+ALT+DEL to restart your computer. You will<\/div>\n
\u00a0 lose any unsaved information in all applications.<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Now you had the name of the driver that crashed, which might give you a clue of where the problem is, even if you knew nothing else. And somebody with access to a MAP file for the driver could now look up the address and identify which line crashed. Not great, but better than nothing, and before I made this change, nothing is what you had.<\/p>\n

So you could say that I wrote the Windows 95 blue screen of death<\/span> lameness to make my own life easier.<\/p>\n

Bonus chatter<\/b>: Later, someone (I forget whether it was me, so let’s say it was one of my colleagues) added some more code to inspect the crashing address, and if it was inside the kernel heap manager, the message changed slightly:<\/p>\n\n\n\n
\n\u00a0<\/p>\n
\u00a0Windows\u00a0<\/span><\/div>\n
\n\u00a0<\/div>\n
A 32-bit device driver has corrupted critical system memory, resulting in an exception 0D at 0028:80001812 in VxD VMM(01) + 00001812. This was called from 0028:80014C34 in VxD CONTOSO(03) + 00000575.<\/div>\n
\u00a0<\/div>\n
* Press any key to attempt to continue.<\/div>\n
* Press CTRL+ALT+DEL to restart your computer. You will<\/div>\n
\u00a0 lose any unsaved information in all applications.<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

In this case, the sentence “It may be possible to continue normally” disappeared. Because we knew that, odds are, it won’t be.<\/p>\n

Bonus chatter<\/b>: Nice job, Slashdot<\/a>. You considered posting a correction, but your correction was also wrong. At least you realized your mistake.<\/p>\n

\u00b9 Since this code ran in the kernel, it didn’t have access to keyboard layout information. It doesn’t know that if you are using the Chinese-Bopomofo keyboard layout, then the way to type “OK” is to press C<\/kbd>, followed by L<\/kbd>, followed by 3<\/kbd>. Not that it would help, because there is no IME in the kernel anyway. As much as possible, the responses were mapped to language-independent keys like Enter<\/kbd> and ESC<\/kbd><\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

It was blue, but it wasn’t completely deadly.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[2],"class_list":["post-44113","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-history"],"acf":[],"blog_post_summary":"

It was blue, but it wasn’t completely deadly.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/44113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=44113"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/44113\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=44113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=44113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=44113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}