Security firm: Windows patches not responsible for 'Black Screen of Death'

When Betanews reported last June about occurrences of the infamous "Black Screen of Death" (KSoD) in Windows Vista, a reader wrote to suggest to us that we might have only considered the matter so important this late in the game because suddenly it happened to us. A similar opinion may be appropriate for British security firm Prevx, which now says it has "exonerated" last month's set of Patch Tuesday updates from Microsoft as the cause of what it called last night a "crop" of KSoD incidents.

Early Tuesday evening, Prevx director of malware research Jacques Erasmus reported on his company's blog that he and his team have made "significant progress in determining specific triggers of the black screen event." Specifically, it determined that a side-effect accidentally discovered over three years ago by none other than SysInternals' Mark Russinovich (now with Microsoft), led to instances where Windows' product activation inadvertently triggered the black screen. When a System Registry entry of String type is supposed to be terminated by a null character (0) but isn't, the result is that the entry itself may disappear from REGEDIT, Windows' well-known Registry Editor. Such an entry may also trigger KSoD conditions.

But that much has been public knowledge for as long as Russinovich has been distributing his "cool" registry key hider tool. Nevertheless, Prevx now has come around to believing that non-terminated Registry entries to be the cause of KSoD problems, not some strange and allegedly unpublicized change in the "rules" for Access Control Lists that a patch may not have followed.

Erasmus may have had some help in reaching this conclusion from Microsoft. In a statement to Betanews late this afternoon, security response communications lead Christopher Budd told us, "Our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports. While we were not contacted by the organization who originally made these reports, we have proactively contacted them with our findings."

So if Prevx wasn't really sure that ACLs were at the root of the KSoD problem, exactly what does its free fix tool, released yesterday, do? This evening, Erasmus suggested that at the very least, it does nothing bad. "We apologize to Microsoft for any inconvenience our blog may have caused," he wrote. "This has been a challenging issue to identify. Users who have the black screen issue referred to can still safely use our free fix tool to restore their desktop icons and task bar."

Prevx's earlier story led to the BBC reporting a rash of KSoD incidents afflicting specifically Windows 7. The evidence of such a rash may have just disappeared, which doesn't exactly mean the problem has gone away. It does mean we can reset the panic button now.