Why does Windows still have the BSOD on Ctrl+Scroll+Scroll "feature"?

windows windows-registry freeze bsod crash

6,409

Solution 1

It's there to allow a break into the Kernel Debugger or generate a kernel-mode dump file. Typically an expert would want to do this when the OS looks locked up and won't even respond to CTRL+ALT+DELETE in order to get the dump file and investigate it for which driver is having trouble.

It's logically equivelent to calling the kernel API KeBugCheck with bugcheck 0xE2 (MANUALLY_INITIATED_CRASH). Also note that the reg values can be set in different reg keys for the USB (kbdhid) keyboard driver versus the ps2 (i8042prt) driver. There is more information on that and customizing which keystoke is used in KB Article 244139.

Since this is implemented in the actual keyboard drivers, I don't expect this would work from and RDP session even if it was enabled.

Solution 2

If we're generous, could it perhaps be used as an over-enthusiastic way of forcing a crash dump for manually investigating the system state? (primarily for debugging)

OK - a pretty weird way to do it, but...

Solution 3

Let's call it an easter egg.

Congratulations.....you found it!

Solution 4

This sounds like a fun practical joke, really.

Solution 5

You should watch Mark Russinovich's videos where he shows how to diagnose system hangs with this "feature". I think it was just set to off in SP2, not removed.

View more solutions

6,409

arxpoetica

Bad programming is easy. Idiots can learn it in 21 days, even if they are dummies. --Teach Yourself Programming In Ten Years

Updated on September 17, 2022

Comments

arxpoetica over 1 year
Background information

While Windows XP came out I heard about a testing feature that existed to manually cause a BSOD (Blue Screen Of Death). I also heard this was supposed to be removed in XP Service Pack 2. It didn't get removed. It's also in Vista, Windows 7, and all later Windows versions. To enable the feature, navigate to this Registry location:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
```
Add CrashOnCtrlScroll as a REG_DWORD with the value of 1.

Next, reboot. Finally, press Right Ctrl+Scroll Lock+Scroll Lock on any PS/2-compatible keyboard. You'll get a BSOD.

My question

Why is this feature still here?
- DLH almost 15 years
  
  I think you'll need to ask Microsoft about that one.
- sangretu almost 15 years
  
  Since it requires a mandatory registry hack, I don't think there's a downside to leaving it in the system. Nobody's likely to trigger it by mistake.
- Axxmasterr almost 15 years
  
  Will the key sequence also work if triggered from an RDP session?
- arxpoetica almost 15 years
  
  @Axxmasterr: I'm pretty sure it would, but I haven't tested it myself.
- Harley Watson almost 15 years
  
  This is probably how apple did this: gizmodo.com/assets/resources/2007/10/171953dc7.jpeg
- user1686 almost 15 years
  
  That is one thing I hate about Apple... not only they use a BSOD screenshot for a (nowadays) pretty stable OS, they even use an outdated one (probably from 98 or ME). (My friend, who is a 100% Linux user, likes Windows 7. That says something.)
- RBerteig almost 15 years
  
  Since it has a legitimate use case that matters to the people who actually write and debug the kernel and device drivers, I wouldn't expect to see it removed. Enabling it requires write access to HKLM, and even if enabled all you get is a BSOD.
- Joey about 14 years
  
  @Axxmaster: No, it won't since the key sequence is implemented in the device drivers for keyboards. Those aren't needed or even used in an RDP session.
- Piotr Dobrogost over 12 years
  
  I tried it on Windows XP SP3 with USB keyboard (I added CrashOnCtrlScroll value to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\‌Parameters key) and it didn't work.
- Jamie Hanrahan about 8 years
  
  It didn't work for USB keyboards until Windows 7.
Axxmasterr almost 15 years

That is being very generous indeed. It might be a method that was intended to allow software to crash the system to "stop the bleeding" in case of a serious compromise. Forcing the system to shut down would prevent anyone from stealing data.
arxpoetica almost 15 years

I used to use it a school when my teacher was coming and I was playing a fullsceen game.
Joey about 14 years

It's also there for hardware and driver developers who need to trap into the debugger at a certain point. And I definitely think this should be the accepted answer.
Joey about 14 years

@Lucas: Wait, you have administrator access in a place where you're a student? :O
arxpoetica about 14 years

@Johannes: Yes. It was very lax.
Synetech over 8 years

No, it was kept because it is an invaluable diagnostic function.
Synetech over 8 years

spoulson, obviously you are not a programmer, or at least not a low-level debugger.
Synetech over 8 years

This has use for users (well, programmers).