Black Screen of Death hits Windows

 

Gallery

Posted on 2 Dec 2009 at 10:51

Windows users have been hit with a problem that renders their PC virtually unusable. The glitch, which is currently affecting all versions of Windows since NT4 (including Windows XP, Vista and 7), occurs when the system is first booted. Users see a plain black screen and the mouse cursor, as well as possibly a Windows Explorer window. Task manager, the Start menu and other toolbars are all unavailable.

The cause of what has been dubbed the 'Black Screen of Death' is currently uncertain. Yesterday security firm PrevX blamed two Microsoft updates for causing the problems, but Microsoft investigated the issue and claimed that "those reports [were] inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behaviour described..."

Today PrevX retracted its earlier claim and apologised, posting the following on its website. "Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor..."

"We have always strongly recommended keeping Windows and all other software up-to-date to reduce the window for exploitation by new threats..."

"We apologize to Microsoft for any inconvenience our blog may have caused."

The root cause of the Black Screen of Death appears to be Registry-related and it is likely that the recent spate of problems stem from malware making unauthorised changes to the Registry. PrevX mentions that, "In parsing the Shell value in the registry, Windows requires a null terminated "REG_SZ" string. However, if malware or indeed any other program modifies the shell entry to not include null terminating characters, the shell will no longer load properly, resulting in the infamous Black Screen."

The article makes reference to earlier research conducted by Sysinternals (now part of Microsoft), which wrote a proof of concept called RegHide. This program demonstrates how one can create a special Registry entry that cannot be read by a Registry editor. Malware authors sometimes use this technique to hide traces of their malicious software and it could account for strange system behaviour, such as black screens and other crashes.

Author: Simon Edwards