16

Background information

While Windows XP came out I heard about a testing feature that existed to manually cause a BSOD (Blue Screen Of Death). I also heard this was supposed to be removed in XP Service Pack 2. It didn't get removed. It's also in Vista, Windows 7, and all later Windows versions. To enable the feature, navigate to this Registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

Add CrashOnCtrlScroll as a REG_DWORD with the value of 1.

Next, reboot. Finally, press Right Ctrl+Scroll Lock+Scroll Lock on any PS/2-compatible keyboard. You'll get a BSOD.

My question

Why is this feature still here?

unforgettableidSupportsMonica
  • 1,573
  • 5
  • 20
  • 31
Kredns
  • 3,007
  • 7
  • 41
  • 55
  • 3
    I think you'll need to ask Microsoft about that one. – DLH Jul 27 '09 at 19:45
  • 19
    Since it requires a mandatory registry hack, I don't think there's a downside to leaving it in the system. Nobody's likely to trigger it by mistake. – sangretu Jul 27 '09 at 19:57
  • Will the key sequence also work if triggered from an RDP session? – Axxmasterr Jul 27 '09 at 20:16
  • @Axxmasterr: I'm pretty sure it would, but I haven't tested it myself. – Kredns Jul 27 '09 at 21:45
  • This is probably how apple did this: http://gizmodo.com/assets/resources/2007/10/171953dc7.jpeg – unlobito Jul 27 '09 at 22:31
  • That is one thing I hate about Apple... not only they use a BSOD screenshot for a (nowadays) pretty stable OS, they even use an outdated one (probably from 98 or ME). (My friend, who is a 100% Linux user, likes Windows 7. That says something.) – u1686_grawity Jul 28 '09 at 06:55
  • 4
    Since it has a legitimate use case that matters to the people who actually write and debug the kernel and device drivers, I wouldn't expect to see it removed. Enabling it requires write access to HKLM, and even if enabled all you get is a BSOD. – RBerteig Jul 28 '09 at 22:52
  • 2
    @Axxmaster: No, it won't since the key sequence is implemented in the device drivers for keyboards. Those aren't needed or even used in an RDP session. – Joey May 03 '10 at 19:24
  • I tried it on Windows XP SP3 with USB keyboard (I added `CrashOnCtrlScroll` value to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` key) and it didn't work. – Piotr Dobrogost Sep 29 '11 at 11:53
  • It didn't work for USB keyboards until Windows 7. – Jamie Hanrahan Feb 18 '16 at 00:02

7 Answers7

35

It's there to allow a break into the Kernel Debugger or generate a kernel-mode dump file. Typically an expert would want to do this when the OS looks locked up and won't even respond to CTRL+ALT+DELETE in order to get the dump file and investigate it for which driver is having trouble.

It's logically equivelent to calling the kernel API KeBugCheck with bugcheck 0xE2 (MANUALLY_INITIATED_CRASH). Also note that the reg values can be set in different reg keys for the USB (kbdhid) keyboard driver versus the ps2 (i8042prt) driver. There is more information on that and customizing which keystoke is used in KB Article 244139.

Since this is implemented in the actual keyboard drivers, I don't expect this would work from and RDP session even if it was enabled.

Ari Pernick
  • 1,468
  • 11
  • 10
  • 1
    It's also there for hardware and driver developers who need to trap into the debugger at a certain point. And I definitely think this should be the accepted answer. – Joey May 03 '10 at 19:25
6

If we're generous, could it perhaps be used as an over-enthusiastic way of forcing a crash dump for manually investigating the system state? (primarily for debugging)

OK - a pretty weird way to do it, but...

Marc Gravell
  • 1,479
  • 3
  • 15
  • 33
  • 7
    That is being very generous indeed. It might be a method that was intended to allow software to crash the system to "stop the bleeding" in case of a serious compromise. Forcing the system to shut down would prevent anyone from stealing data. – Axxmasterr Jul 27 '09 at 20:18
5

Let's call it an easter egg.

Congratulations.....you found it!

DLH
  • 589
  • 4
  • 19
3

This sounds like a fun practical joke, really.

spoulson
  • 1,590
  • 1
  • 16
  • 19
3

I'd imagine Microsoft performs unit testing on their OS before releasing updates etc. Presumably one of the tests would be to see if BSOD still behaves as it should. It also makes sense to run unit tests on the real active code-version for a more reliable test.

Vdex
  • 1,508
  • 1
  • 14
  • 19
3

You should watch Mark Russinovich's videos where he shows how to diagnose system hangs with this "feature". I think it was just set to off in SP2, not removed.

kpierce8
  • 362
  • 3
  • 8
1

It sounds like something that wasn't worth the time and effort to remove from the codebase.

Jeffrey
  • 2,606
  • 4
  • 28
  • 37