Black Screen of Death

In the last few days we have seen a huge surge in people experiencing what has become known as the "Black Screen of Death" - a bit of a play on the infamous Blue Screen of Death (both are now being called the BSOD).

The problem affects Windows operating systems from XP through to Windows 7. Apparently the condition has arisen in recent times because of the November updates to Windows. The culprit patches (according to website Prevx) are noted in the Knowledge Base articles KB915597 and KB976098. Prevx also have a fix which they say may fix the problem under certain circumstances.

I have unfortunately also fallen victim to this twice now, and thought I might blog about it - particularly if I can find a lasting solution.

The first time I got it was two days ago. First the symptoms specific to me: I am using Windows Vista Ultimate Service Pack 2 (and my PC is only a few months old). As far as I know I am up to date on all patches and updates (some would say that is the problem!) because I use the Auto Update feature of Windows. When I power up the PC it boots normally until it gets to the Welcome/Login screen with all the user icons. I click on my icon, enter the password and the screen suddenly goes black with just the mouse cursor visible. The hard drive goes quiet for a few seconds then suddenly springs into action as though it is loading a whole bunch of stuff completely invisible to me. It keeps this up for a good few minutes.

In the meantime I am unable to right-click to get a context menu. I cannot even Ctrl-Alt-Delete, rendering Prevx's solution (in this mode) irrelevant to me. Now, the first time this happened 2 days ago I admit I panicked. Hardware failure, I thought? Then I noticed something: when I logged in with an administrator level account I did not get the BSOD. When I logged in as a 'normal' user I did. That suggested permissions to me. So I upgraded one of my normal users to a 'power user'. That seemed to help that user account. I wasn't keen on making all the users of my PC power users. So I tried something different. I restarted in Windows Safe Mode (without Networking). After logging in, Windows loaded normally (albeit in 'Safe Mode'). I then rebooted and voilà! Even the 'normal' user accounts started working again! I thought I had it cracked.

This morning, however, things took a turn for the worse. Same symptoms as last time: BSOD and system completely unresponsive. In addition, however, I found that even logging in as an administrator did not help things. Before leaving for work I did manage to test Safe Mode and that at least still works. Tonight I guess I'll have to test Safe Mode with Networking. I may be able then to download the Prevx solution and hopefully that will work. Alternatively, the fact that Safe Mode works suggests that the new update has conflicted with some third party software which executes at login under normal mode. This could be anything from some system monitoring software (from the ASUS motherboard monitoring tools) to the F-prot antivirus to anything else. I'll have to disable these in Safe Mode and see if that makes a difference when I boot into normal mode. I'll keep you posted.

EDIT: 3 Dec 2009 @ 2220h

I spent 3 straight hours last night on the BSOD (actually I've now learnt it is a KSOD - blacK Screen Of Death). I found out yesterday afternoon that Prevx was wrong on their finding regarding the Microsoft patches and also that their utility did not fix my particular flavour of KSOD. However I learnt a few things. Firstly, I did not have network capability in Safe Mode with Networking. (Perhaps I did, but didn't realise it - I'll explain in a moment.) And I also learnt about a way 'in' to the PC. When the PC starts up, it is basically running normally - it's just that the UI is disabled. Mostly. There is a bug/feature that can be exploited: StickyKeys. This is an accessibility feature of Windows Vista that allows people with mobility issues to work with key combinations that they may otherwise have difficulty with. In this case, pressing Shift 5 times in quick succession activates the StickyKeys feature.

In the blackness of the KSOD up pops the StickyKeys dialog and in it is a hyperlink to another window! I clicked that and hey presto! Once you have another window you can type 'explorer' in the address bar and everything comes back - well, almost everything. The Aero system is not 100% there it seems. The instructions I followed suggested I run 'msconfig' first. This was to enable me to identify and disable startup programs that I didn't need or which may have caused conflicts (set the startup to 'selective' rather than 'normal'). There was also an article which attributed the KSOD to Windows Event Log and the Windows Event Communicator services. I disabled these two as well. Still no joy. Then this morning I heard about the UAC (User Access Control) feature of Vista. This is the feature that keeps popping up warnings when a system level change is about to be attempted. Annoying. Anyway, the article suggested disabling it. So this evening I tried that via the StickyKeys route. It had no immediate effect (after rebooting) - I still had the KSOD. However I used StickyKeys to get back into the system and I found then that I had network access (it took a few minutes). I was able to use the system almost normally then, as I could get my email etc.

I downloaded SpyBot and scanned my machine. It found several cookies that it objected to. Nothing particularly sinister. I re-activated UAC and rebooted. This time, I was able to log in and get a desktop! I logged in and out a few times and rebooted a few times as well, using different user accounts each time. In my case, what caused the KSOD? I believe it was Chkdsk.exe - the disk diagnostic and repair utility bundled into Windows. I think it messed up my file permissions on the Master File Table. The moral of the story is never to use chkdsk.exe. I am aware of course that my system has been compromised. I could reload Windows Vista or I could just upgrade to Windows 7. Same amount of work I guess. Windows 7 here I come. And I won't be using chkdsk again!
