Tracking Vista's elusive 'Black Screen of Death'
By Scott M. Fulton, III | Published June 17, 2009, 11:58 AM
(continued from previous page)
Naturally, we have more than one machine here (the actual number of computers in this office is typically a fractional value), so it was through a working system that I was able to research other cases of the Black Screen of Death online.
Last December, the CEO of an independent IT services provider in Charlotte, N.C. discovered one cause for the KSoD that impacted multiple customer systems. His customers use a managed system support driver called Zenith SAAZ. For reasons he was unable to determine, the use of that driver negatively impacted a System Registry entry. Customers who were able to boot their systems in the WinPE (or WinRE, depending on which end of Microsoft talks about it) recovery environment were able to start RegEdit, replace the offending entry with a correct value, restart their systems, and eliminate the KSoD.
That wasn't our situation -- not being a customer of his, we didn't have the offending Registry entry.
Last month, a Belgian security engineer and Microsoft MVP (non-employee partner) named Mark Gregoire encountered the KSoD, and discovered his solution dealt with disabling event logging. But Gregoire could accomplish this through Safe Mode with Command Prompt; I couldn't even get that far.
Disabling event logging requires me to use a program called MSCONFIG, which Windows veterans have been familiar with since Windows 95. With it, you can set your system for a "diagnostic boot" which disables all or some system services. From there, you can re-engage those services that you no longer suspect to be the culprit.
But in Vista, MSCONFIG requires not only administrator privileges, but also that it be run by a logged-in member of the Administrators group. For that (stupid) reason, you can't run MSCONFIG from the WinPE environment -- that's right, you're restricted from using the one tool you need to recover your computer, since its own security is incompatible with a recovery environment that can't log you onto your Administrators group because your computer needs recovery. (No, Mark Minasi, the RUNAS command won't work here either.)
So I needed to find some way to get into my system with the privileges I needed to run MSCONFIG. Here, Gregoire's second paragraph provided the amazing clue that fetched my system out of its misery: "When you are presented with a KSoD, you can try to press the left Shift button a few times to trigger the sticky keys feature of Windows. This will pop up a window that contains a link. You can then click this link and from there you are able to launch different applications. Of course, if you disabled sticky keys, you are out of luck."
As I mentioned earlier, Windows actually runs while all this blackness is going on. Though none of the usual system keystrokes are functional, the routine deep in the keyboard handler that enables one-poke-at-a-time multiple keystrokes is still operating. When you're logging on, this is evidenced by the fact that you can poke the left Shift key five times in rapid succession and get the initial "Sticky Keys" dialog -- the first indication of life in the darkness.
After you've logged on, you're officially in the Aero environment, whose "Sticky Keys" dialog is different from that of the 2D environment, for undocumented but strangely useful reasons. The Aero version contains a single hyperlink, which reads, "Go to the Ease of Access Center to disable the keyboard layout." That single hyperlink is our ticket home, because Ease of Access Center is part of Control Panel, and Control Panel is part of Windows Explorer.
What's more, the fact that you can see a piece of your desktop wallpaper through the transparency of the Sticky Keys dialog's title bar (though this screenshot was taken later) is a clear indicator that Windows is running perfectly, and the Black Screen is just a very effective façade.
Once you get the Ease of Access Center, you can back out using the Location bar to get a directory of your main system drive. There you'll be reassured to know that everything is fine -- your file system is intact, none of your documents are lost. What you need to do now is locate MSCONFIG from your system directory (usually \Windows\System32), and run that to get to your diagnostic setup.
Believe it or not, you're in a chase at this point, just like the climactic scene of a really bad thriller movie. For some reason, some process will periodically exit any program you've started, returning you to the KSoD...and not even the Sticky Keys trick will work until you reboot. My tests show that period of time to be pretty close to five minutes, which is one more indicator to me that this behavior truly is by design -- that this is the leftover remains of a trap intended to befuddle software pirates. Because what system process creates forced exits of running applications every five minutes, almost on the dot, unless it's programmed to do so?
With your stopwatch started, you have to run MSCONFIG, and from the General tab, set the option for Selective startup. Then go to the Services tab, click the Disable all button, and click on Apply. Then click OK (for some strange reason, click on Apply first). If there's still time remaining, you'll be given a dialog asking you to restart. Click on Restart. Your system might power down and it might not (in our case, it didn't), in which case you may need to power down manually.
But when you restart, you'll be able to fire up an account and get to your desktop at least. Your system will look like Safe Mode for paranoids, or like "Windows 95 Minus." Don't fret, because all is actually quite well. From the Start Menu, start up MSCONFIG again, go to the Services tab, and click on Enable all. Then go through the services list. Disable any third-party service you're not familiar with. You'll see anti-virus services here, and you can leave those enabled.

By all means, however, be sure to disable Windows Event Log. This is the bugger in our situation, and the probable culprit in a great many (though apparently not all) KSoD incidents. After rebooting our Vista system, we were returned to a normal world.
At this point, as computer engineer Mohannad Shaheen suggests in a comment on an IT consultant's blog, the event logs themselves could be corrupt in this instance. Shaheen advised, while the event logging service is disabled, renaming the %systemroot%\System32\winevt\Logs directory to Logs_bad, creating a new Logs directory, and re-enabling the service. Others advised that the event logging service is only useful for certain administrators anyway.
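Added example (not from the article or from Shaheen's comment): a Python check that goes one step beyond the rename and tests whether the .evtx files set aside in Logs_bad actually have damaged headers, so the old logs can be kept and examined rather than assumed corrupt. The header layout (signature, size fields, flags, CRC32 over the first 120 bytes) is taken from the publicly documented EVTX file format, and the sample headers are constructed.

```python
from __future__ import annotations
import struct
import zlib
from pathlib import Path

# Field layout per the publicly documented EVTX file header (not from the article).
EVTX_MAGIC = b"ElfFile\x00"
HEADER_LEN = 128      # bytes of the header that carry fields
FLAG_DIRTY = 0x0001   # marks a log that was not closed cleanly


def check_evtx_header(data: bytes) -> list[str]:
    """Return the problems found in an EVTX file header; empty list means it parses."""
    if len(data) < HEADER_LEN:
        return ["truncated header"]
    if data[:8] != EVTX_MAGIC:
        return ["bad signature"]
    problems = []
    header_size, _minor, _major, block_size, _chunks = struct.unpack_from("<IHHHH", data, 32)
    flags, stored_crc = struct.unpack_from("<II", data, 120)
    if header_size != 128 or block_size != 4096:
        problems.append("unexpected size fields")
    # The stored checksum is a CRC32 over the first 120 bytes of the header.
    if zlib.crc32(data[:120]) & 0xFFFFFFFF != stored_crc:
        problems.append("header checksum mismatch")
    if flags & FLAG_DIRTY:
        problems.append("dirty flag set")  # a hint of an unclean close, not proof of damage
    return problems


def triage_logs(directory: Path) -> dict[str, list[str]]:
    """Check every .evtx file in a directory such as the renamed Logs_bad."""
    report = {}
    for path in sorted(directory.glob("*.evtx")):
        with path.open("rb") as fh:
            report[path.name] = check_evtx_header(fh.read(HEADER_LEN))
    return report


def build_header(flags: int = 0, chunks: int = 1) -> bytes:
    """Construct a well-formed sample header (test data, not a real log)."""
    body = EVTX_MAGIC + struct.pack("<QQQIHHHH", 0, chunks - 1, 1, 128, 1, 3, 4096, chunks)
    body += b"\x00" * 76                      # unused region up to offset 120
    return body + struct.pack("<II", flags, zlib.crc32(body) & 0xFFFFFFFF)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # e.g. the path to Logs_bad
        for name, problems in triage_logs(Path(sys.argv[1])).items():
            print(name, "OK" if not problems else "; ".join(problems))
    else:                                     # constructed samples
        damaged = bytearray(build_header())
        damaged[24] ^= 0xFF                   # flip a byte inside the checksummed region
        print(check_evtx_header(build_header()), check_evtx_header(bytes(damaged)))
```

A header that passes says nothing about the chunks and records behind it; this only separates files that are damaged at the very start from those that need a full parser.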
When an operating system does suffer from a perception problem, as Vista clearly does, problems such as the Black Screen of Death only serve to confirm users' worst suspicions. Obviously Vista is flawed, the argument goes, because you can see the evidence for yourself -- and certainly since yesterday, it's more difficult for me to argue otherwise. But if the root cause of this behavior is, as I now strongly suspect, disavowed Microsoft code intended at one time as a warning sign for pirates, then from a technical standpoint, the solution is probably extremely simple: a patch that removes the code. The issuance of such a patch may cause short-term grief for Microsoft, but it might be better for the company to face up to this mistake and undo it. The alternative may be to face a rising tide of disaffected Windows users whose amplified warnings to other legitimate users could be given far greater validity than any black curtain Microsoft might deploy.
Scott sincerely thanks the hard work of the IT professionals linked to in this article, for helping him and the rest of the world obtain a reasonable solution.
I've just encountered this today.. urg! Good thing I found this article.. however.. for me there is no link on that dialog box... I'm at a loss :(
Score: 0
|Whew, thanks for the article. I thought my 6-month old Dell Inspiron 1525 (Home Premium) was going bad. KSoD first happened after the last MS Update. I believe I allowed it to go into Hibernate while/after the download. Tried F8 on restart and everything else with no luck. Then I somehow got it into Safe Mode and restarted it from there. It's happened a couple times since, mainly on restart from Hibernate after I've walked away.
I do notice now that the desktop "blinks" black twice every time it starts; never saw it do that before. I'll be watching this site for updates.
Score: -1
|i have dual display with an extended desktop and was getting two black screens.
however, i haven't been getting them since i modified the virtual memory.
i took it off automatic and set it to the system drive with the custom amounts according to microsoft:
a) initial size at 300 megs+ (ram amount) &
b) max at 3 x (ram amount)
might be worth a try.
incidentally,
i couldn't max out the size in "b" above.
so basically, i maxed it out at 2.99 times my total ram.
Score: 0
|Scott, I am experiencing this problem as well and using your fix. However, I can't get the MSconfig to open up after navigating to it through the sticky keys link. I just get the mouse cursor with the circular icon. After a while it just goes to the black screen again. I think the system is trying to open the "permissions" pop-up since this is an admin task, but can't get it open. I don't know what else to do. Any thoughts?
Score: 0
|I have had the black screen 2 times now. I run a laptop, HP, Vista Premium, updated to service pack 2.
The first time the black screen appeared was under service pack 1, and it gave me in the bottom right-hand corner a message (Windows Vista (TM) Evaluation copy. Build 6002), while before that there was no message at all. So it must have to do with piracy of some sort.
Score: 0
|I had this with Vista Home Premium 32bit on a laptop. After typing login pword, black screen. No Task Manager possible. System Restore failed. Even could not reimage the HDD until I discovered it was bad blocks (a hardware problem not software). Chkdsk /r to mark bad blocks, then reload image from my backup. :)
Score: 0
|Here is another take on the matter using Vista Business SP1 http://www.electrictoolb...lack-screen-after-login/
Score: 0
|@Skiman
@Guru
Two ideas that are amazing because they are simple, and yet they do work from time to time. When something really bad happens, people's minds race, and these tricks can easily be overlooked. I've been surprised every once in awhile when an additional account saved the day, as the Guru advises. Therefore, as he suggests, I always run an "emergency" user account with admin priv, and I call it whatever is the main user's name plus "X", such as "Joe X".
Similarly, Skiman's advice about the two monitors: that is in the BIOS somewhere—at least, I seem to recall tweaking it there—but also I read a warning about exactly that when I was setting up my last self-made computer. I don't remember exactly where I saw the warning—too bad—but somewhere along the line, Skiman's point was mentioned as a "be sure you do this right".
Score: 0
|I had a similar experience with Windows 7RC. It took me 3 reinstalls before I finally realized what it was doing. My nVidia video card has two outputs - a DVI and a VGA. At one point in my past I had hooked up BOTH to my monitor, just to see which looked better. I think I ended up using the DVI mode, but I never unplugged the other cord!
Sure enough, Windows 7 saw both video outputs and decided to use the VGA one as my main screen and the DVI as the secondary. It obviously had no idea that both were connected to the same monitor. So the cursor would still work fine, but the start menu, taskbar, and any window I attempted to open, like task manager, opened on the primary screen and I never saw it. I used my monitor to switch modes and there it all was - start menu/etc...
Oddly Vista never did this to me but Win7 must've detected it differently.
Score: 0
|Has this behavior (KSoD) been noted in the 64-bit flavor?
Score: 0
|For heaven's sake, I should have noted this...This was the 64-bit flavor of Vista. I'll add that to the text.
-SF3
Score: 0
|well then, mr fulton.
if you are getting the black screen of death, then are you using a pirated os?
it would not be beyond microsoft to implement covert programming to counter anti piracy.
we all remember the wga tool that was snuck down onto peoples computers under the guise of a critical update.
it was a critical update on behalf of microsoft.
and of course, since the inception of win95, there has always been suspicion that microsoft was able to sabotage the competition (netscape, wordperfect, lotus) via windows programming.
in any case, i think the black screen of death is/are the result of the XDDM and WDDM video drivers.
have you tried using non microsoft certified display adapter drivers?
Score: -2
|Here's an idea, DatabaseBen:
RTFA.
Score: -2
|So the solution is "disable all the services and then add them back until you encounter the problem"? so that's what? 14 words vs. all the verbosity above? and you're wondering why or how he didn't figure out the point?
almost no one peruses the internet ...
Score: 0
|@Ben, no; up above, you read: ". . . .am I running non-genuine Microsoft software? No. All of our Microsoft software on production systems here is legitimate. . . ."
Score: 0
|@tenoq,
here's one for you
gfy
Score: -3
|@syliva
i notice when i get a black screen i don't get a mouse pointer. perhaps, because i have an extended desktop across two monitors & two display adapters.
however there is much disk activity like processes are running. so i simply have to reboot.
i have been looking into the page file feature/settings as a possible contributor.
Score: -3
|I have never seen this problem with Vista, as I don't use it that much. I do set up what I call 'heavily-configured' machines, much as Sylvia describes, and have had it happen twice with XP SP2.
The first time it was remedied by backing up the needed things and wiping the drive. The second time, I was able to boot with another account and found the problem was totally limited to my account. By backing up, and removing that account (mine) then adding myself back as a user, the problem was repaired.
Now I never configure a machine without at least two accounts that show up on the login page (I could not get in using the admin account, so the reason for the second account showing becomes clearer)
Score: 0
|alienware.
Enough said. Horrible, horrible machines.
Score: 0
|I've done a fresh install and right after I got done installing it and was booting into the desktop I had a black screen. If you do ctrl alt del, you can see the mouse pointer change, which shows the computer is not locked up. I was able to get my desktop back by removing my monitor from the video card and reattaching it. It gave me my desktop back and I was able to see everything. Sad thing is it doesn't fix the problem; the black screen still comes back. I am now using Windows 7, where this black screen doesn't seem to happen. I do still have flashing black screens periodically that are fixed by turning my monitor off then back on, though this was in Vista and 7 both.
Score: 0
|I use Vista since January 2007 and I've never had this issue!
Score: 0
|Nor I, but I've probably had 30+ equally as annoying issues.
Score: 0
|I USE A CAR SINCE 1997 AND I NEVER HAVE ACCIDENT!!1
Score: 0
|I had to chkdsk from a Windows XP setup disc as WinPE (used by both the Recovery Environment and Vista/7 setup) had the same problem. Obviously bad sectors can deactivate your copy of Windows and lock you out.
Score: 0
|Your article is well-written, because I found myself genuinely scared as I read it. No, the glitch has never shown itself to me. What scared me was in knowing that I was simply being told the solution to a horrific problem that would not appear to have a solution if it really happened to most of us.
I don't use System Restore because it doesn't seem to be there when I really need it. Instead I use the freeware ERUNT and NTREGOPT, which needs admin priv, so I run Vista with the safety off—i.e., with UAC off, which defeats a lot of Vista security which I don't need anyway.
(Another excellent workaround is that I use XP, not Vista, for myself. I only use Vista when routinely maintaining it for clients.)
NTREGOPT will restore Windows if you can use a floppy or a USB stick or anything at all to get to a drive prompt. But not if UAC is turned on. Also, NTREGOPT works beautifully on 32-bit systems, but the 2nd registry hive—software—quickly becomes too big for it on 64-bit systems. Even so, ERUNT can still be used to back up the registry more effectively (in my opinion) than Sys Restore does. ERUNT is a backer-upper; NTREGOPT is a zero-based registry rebuilder (not a cleaner) and it is nice—but not necessary—to have both working in tandem.
I can put a clean OS on very quickly. And I never put an OS on either the system partition or the program or data files' partitions. But, even so, my systems are beautiful to look at, fast and very clean. It takes a lot of hours to make them that way, so I hate to have a system crash and burn. Thanks for sharing your info on this pretty ghastly peril. I hope that reading your article is as close as I ever get to actually experiencing it.
Score: 0
|Like all of their efforts, in this area, this only affects legit users and not pirates so it was a complete waste of resources and money.
Score: 0
|Google "casual" piracy. Learn something.
...and then stop posting this drivel every time anything remotely related to WGA comes up. It makes you look like a complete idiot.
WGA was never intended to stop the "Pirate Bay" crowd. It does, however, do quite well at its intended purpose.
...so not so much a waste of resources and money as you seem to so enjoy pretending.
Score: -1
|it's also hit far too many innocent bystanders.
Score: 0
|By whose estimation? People like sjc's? Show me some hard numbers. I'd bet it's *well* below 1%.
Score: -1
|Heh..
Yeah, looks like they should patch that.
I could come up with several logical, practical and reasoned reasons why it might not be a priority for them at the moment, but of course, that would get me labeled as a MSFT apologist.
Wouldn't want that, now would we? ;) (Warning: Heavy sarcasm detected...please use appropriate filter.)
Score: 0
|Call me an idiot, but once you've got task manager open can't you just run whatever process you want directly from there instead of d***ing about with sticky keys? Easy enough to look up the process name you want online. Hell, quit and restart explorer.exe and see what happens.
Also, why does it actually boot (after a while) in your video?
Score: -1
|Is no-one reading this article today? He said he couldn't launch task manager, and shortcut keys like CTRL+ALT+DEL didn't work.
Score: 2
|And if you, you raging twonk, managed to watch the video you'd see he did actually manage to run Task Manager. Hot keys clearly did work, as sticky keys is exactly that.
Score: 0
|Interesting article in that I have, from time to time, experienced the same thing. What is interesting is I look at it differently. When I decide to format the HD, the 1st thing I do before updates is the following:
1) disable System Restore- I don't like it but that is just a quirk in me.
2) turn off Admin Privilege- I just feel this creates more headaches than it is worth especially since there are some programs installed in the Admin setting that don't automatically flow through to the other accounts (i.e. Spybot). Also, updating can be an issue on some programs.
3) the 3rd thing I do and sometimes forget and this is when I see the above problem is that I turn off "Sleep" and "Hibernation". For me, I do encounter this black screen when these two settings are on and if the computer does go into either mode which essentially is a black screen, it is hard to, sometimes, get out of that mode.
4) I have found in those cases a hard reboot as opposed to a soft restart takes care of the problem but that obviously presents its own issues.
Obviously, in another setting this approach would not be the best but I am still left with the feeling that the problem is in Admin privilege and the hibernation or sleep mode. But, like you, I can't say for certain.
Score: 0