Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!

Blue Screen of Death

From Malware Wiki
Jump to: navigation, search

Nomalware.png This page is not malware, despite having an article on the Wiki.

Blue Screen of Death
TypeComputer Alert
PlatformMicrosoft Windows (Kernel Panic on Mac and Linux)
This box: view  talk  edit

A Blue Screen of Death (also known as a Blue Screen, BSoD or Death Screen) is an error screen.

It is displayed on a Microsoft Windows computer system after it detects a fatal system error, loss of stability, or when it is filled with malware. It is also known as a system crash. That happens when the operating system reaches a condition where it can no longer operate safely. A related problem to this on console machines though not necessarily on a screen is the Red Ring of Death (RRoD) on Xbox or Blue Light of Death (BLoD) on Playstation. Many versions of Windows have had these screens since the start.

Its Mac counterpart is the Mac Kernel Panic, and the Linux counterpart is the Linux Kernel Panic. Mac and Linux use the Kernel Panic as they are Unix-based.


A Blue Screen of Death is triggered by the Windows kernel whenever the system has entered a state where it is not safe to continue normal operation of the system. This generally means that if the system were to continue on, massive memory corruption or file corruption would ensue. The system restarts to protect any files or memory that may be corrupted.

A BSOD can be deliberately triggered in several ways:

- with the Windows debugger, in a checked build of Windows (debug)

- on Windows Vista, 7, 8, 8.1 or 10, terminating a critical Windows process (earlier versions shut down the system gracefully after a minute)

- modifying the system type (e.g. changing the user's Windows edition to Ultimate without paying for it, which causes the bug check SYSTEM_LICENCE_VIOLATION)

- deleting critical files

- adding the registry key CrashOnCtrlScroll in the keyboard settings on CurrentControlSet and pressing Ctrl+Scroll Lock twice, which will crash the system with the slightly amusing 0xDEADDEAD error, or MANUALLY_INITIATED_CRASH1.

Resolving the Blue Screen of Death

Should one get the Blue Screen of Death, it is advised to enter Safe Mode, which is accessible in the boot menu, or the "Troubleshoot" tab. After a Blue Screen upon reboot, it will tell the user that "Windows has not shut down properly", and then the user can recover their computer or start Windows normally. However it may not always work, and there is a small and very unlikely chance the user could get a Blue Screen during the recovery phase; the computer will then go through the recovery stage again, and then the user should run an antivirus scan or anything else that can possibly fix problems to make sure no malware will cause another Blue Screen.

If the Blue Screen can not be fixed, the user should get help on a tech support website or get it fixed at a tech store.

History and Death Screens


Windows 1.0 and 2.0

The Windows 1x Blue Screen. It is cluttered with some text that appears to be corrupted.

Though the Blue Screen did not officially appear in Windows 1.0 and 2.0, something similar did appear. It was a screen that would appear at startup. It would start with "Incorrect DOS version" below the copyright of the startup logo before printing the content of the WIN100.OVL file, which is several executables merged together (for example KERNEL.EXE, GDI.EXE, and USER.EXE), or whatever is currently being loaded, which is loaded into memory. The symbols are Code Page 437 interpretations of the code located in the file. It also makes multiple beeps while the executable is being typed out. It would either load the OS successfully, return back to DOS, or just load the OS full of white bars, forcing the user to reboot if the latter occurs. It often appears if the startup encounters problems, such as if the OS is installed on a version higher than MS-DOS 5.0 and the SETVER command was not used. A fail of the boot would show the blue screen for the boot and when booted, corrupts the system.

The "Incorrect DOS version" message appears due to a badly written check in the code. Windows is checking for major DOS version 2 or 3, and then only booting if those are detected. Of course, this fails on DOS 4, 5 and 6, but typically a program would simply exit to the DOS prompt with the "Incorrect DOS version" message, however it spews out the code of WIN100.OVL starting at that point.

This is likely due to a bug preventing the OS from correctly printing the "Incorrect DOS version" message (a missing terminator?), and instead of spewing out the contents of whatever file is being loaded (probably WIN100.OVL, which contains the aforementioned KERNEL, GDI, and USER). This is because that at the time these versions were developed, the developers did not expect later versions of DOS to mishandle Windows - in fact at some points during this time period no future versions of DOS were expected at all, with operating systems such as OS/2 being expected to kill DOS and Windows. This did not ultimately pan out, and DOS was used widely until the releases of Windows NT and Windows 95 in the early-to-mid 1990s.

Regular crashes would halt the system. Also, the C:\con\con "trick" does not work here - it would say it could not find "con.exe".

The unofficial Windows 3.1 Blue Screen, as a Ctrl+Alt+Del warning.

Windows 3.x

Windows 3.0 did not feature a Blue Screen; a crash would simply halt and hang the system and show no death screen.

Windows 3.1, however, featured an unofficial Blue Screen, which was the warning message via Ctrl+Alt+Del, which was the Task Manager. It would read that the user tried to end a process when there is none open. It allows any key to continue in Windows and does no damage. If a process was unresponsive and Ctrl+Alt+Del was used, the Blue Screen would read that the process is not responding and allow the user to kill the process or reboot.

Running C:\con\con will crash the system. However, this crash would still hang the system.

Some viruses, for example, the Gollum virus, which would display Hobbit quotes, and some ransomware, use fake Blue Screens of Death to prank or scare the user.

Windows 3.1 White Window

White Window of Death

The White Window of Death, also known as the White Box of Doom, appears on Windows 3.1 and the Windows 9x family. It appears when a critical Windows file is corrupted, as a fallback if the system is extremely low on resources, or if in Windows 3.1, an application performs an illegal action. If a critical system file fails to load on Windows 9x, the operating system gives the cheery message:

Error loading <file>. You must reinstall Windows.

Windows will exit to DOS, although this often fails after OK is clicked.

If the cause of the error is low system resources, the error will tell the user to close programs, and if the cause is a program performing an illegal operation, clicking OK will immediately terminate the program.

Windows 9x

Windows 9x Blue Screen
Windows Millenium Blue Screen when the computer is shutdown without certain drivers.
Blue Screen when shutting down in Safe Mode in Windows Millenium

The Windows 9x (95, 98, and Me) Blue Screen resembles the Task Manager warning screens in Windows 3.1. Windows 95 is the first version of Windows to have an official Blue Screen. This Blue Screen now shows the cause of the error, and either allow a Ctrl+Alt+Del reboot or to continue in Windows with a single keystroke. However, going back into Windows usually rendered the OS unstable until reboot.

A notorious Blue Screen occurrence in Windows 9x occurred when Bill Gates plugged a scanner to a demo Windows 98 PC during a Windows 98 demo, only for the operating system to crash. It can be seen here.

Another way to automatically activate a Blue Screen in Windows 95 and 98 without an update that patches this is to run the following in Run: C:\con\con. The other keys work instead of just "con":

  • AUX
  • PRN
  • CLOCK$
  • NUL
  • A: - Z:
  • COM1 - COM9
  • LPT1 - LPT9
  • DEV (sometimes)

The 'con' issue is not present in Windows Me or sufficiently updated Windows 95/98, although the Windows Update servers for these versions have been offline for years, and for some versions of Windows (e.g. Windows 2000) will throw the computer into a redirect loop.

Many "Windows Codename Millennium" (Windows Me beta) versions had many different issues that caused different Blue Screens. Shutting down in Safe Mode can show a "Windows Protection Error" Blue Screen, which would regularly occur during startup. Sometimes, shutting down would show a "It is now safe to shut down" Blue Screen if it did not support drivers.

Prizm and Smash were some viruses that made fake Blue Screens in this version. The Blue Screen virus also made a fake Blue Screen, though it does not resemble the one in the real Windows 9x.

The "System is Busy" Blue Screen on Windows 98

System is Busy Screen

The System is Busy screen is a Blue Screen that can appear on Windows 9x, that can potentially appear when a user attempts to close an unresponsive program. Generally, if this screen appears, a program is not responding to the OS's calls to terminate it, usually using the TerminateProcess function.

Windows NT 3.1 Blue Screen

Windows 3.5x, NT 3.1x, and 4.0

Windows NT 3.1 - 4.0's Blue Screen features the most descriptive Blue Screen, featuring many files shown, the error, the OS build, addresses, and some instructions about it. Early betas of Windows NT 5.0 and Windows 2000 betas also featured this Blue Screen before undergoing changes in later betas.

On Windows NT versions up to and including Windows XP, there is a program exploit that can terminate "csrss.exe" and cause a Blue Screen. The code below will crash the computer as long as a sufficient service pack is not installed on the computer (this issue always occur on NT 4.0 and under):

#include <stdio.h>

int main (void) {
     while (1)
         printf ("\t\t\b\b\b\b\b\b");

     return 0;

More info can be seen here. This issue is not present in Windows 9x and is patched in Windows Vista and up.

Windows 2000 Blue Screen

Windows 2000

The Blue Screen is now not as descriptive as in previous versions of Windows NT, but much more simple and resembles the Windows XP Blue Screen. It would feature the code, error, and instructions.

On this version onwards, the Ctrl+Scroll twice registry entry can crash the computer if the keyboard is PS/2 if it is manually added.

Any Blue Screen message that is simplified heavily on Windows XP-7 (like STOP c000021a) still keep the instructions on Windows 2000 (the only exception are Hardware Malfunction Blue Screens).

This Blue Screen is also present in early builds of Windows XP.

The Blue Screen Of Death in Windows CE 5.0

Windows CE

Windows Embedded CE featured Blue Screens, which resembled Windows XP's but with a 30-second auto-reboot timer and the absence of instructions. A CTRL+ALT+DEL, on systems with a keyboard, would immediately restart the PC, like in the Windows 3.1 and 9x BSODs.

Versions of Pocket PC, later renamed Microsoft Mobile and Windows Mobile, which was based off of Windows CE, did not have this screen. Windows Phone 7.x, which was also based off of a version of Windows CE, does not have this screen either. Windows Phone 8 and later are variants of the client versions of Windows current at the time, so they are not applicable in this case.

Black Screen of Death

A Black Screen of Death on Windows 3.0

This death screen (also known as BkSoD) appears on Windows during boot-up failures, usually due to missing files. If the user gets this death screen, the computer will not be able to boot up, even in safe mode. However, this screen can be fixed by booting into a different device and decompressing certain files. Beta versions of Windows 8 (for example build 7989) also have this

File:Red screen of death1.png
Red Screen of Death

Red Screen of Death

This death screen appears on Windows 98, beta versions of Windows Vista and PS2. It is not an official death screen, but it appears when there is a critical ACPI error on Windows 98 (usually failure to shutdown) or when critical files fail to load on Windows Vista build 5048. It is in a way resembles the Windows 9x Blue Screen on Windows 98, except red in color, and on Windows Vista, might be an early version of the Windows Boot Manager. On the actual windows vista and 7, it would show a black screen with a little more detail and moved a bit.


On Windows 98, any keystroke restarted Windows.

Windows XP, Vista and 7

A Blue Screen as seen in Windows XP, Vista, 7, and 7.1.

Windows XP makes another change to the Blue Screen. The font is now different, and is larger,, and still resembles the one in Windows 2000, except the error and its code is moved around.

In Windows Vista, 7, if the user opens Task Manager and end the process "csrss.exe" (which is the Client/Server Runtime Subsystem, which the OS runs on top on), it will result in an immediate Blue Screen, however it is not harmful unless all unsaved work was lost or if startup files were corrupted. It is also possible in Windows XP, 8, 8.1 and 10, but cannot be done without software as Task Manager prevents csrss.exe from being killed normally.

ReactOS, an attempt to be a free and open-source version of Windows NT, also has a Blue Screen. It is exactly the same as the one in Windows XP - 7, but the word "Windows" in "A problem has been detected and Windows has been shut down to prevent damage to your computer." is now "ReactOS" for the operating system.

Early Windows 8 builds featured this before making a major change.

Windows 8 Beta Death Screen

Windows 8 pre-Developer Preview

On some pre-release builds of Windows 8, the Blue Screen was black. This one also does not contain the sad emoticon present in the final release for Windows 8, though it still contains the error code/name and collects data before automatically restarting. The last known build to use this variant of the BSOD was the recently leaked build 8032.

Windows 8 build 8056 and later

File:Screenshot 2016-12-17 at 8.18.06 AM.png
The Blue Screen in Windows 8 Build 8056

This is likely the final change to the Blue Screen, and it now features a sad emoticon on the Blue Screen. This one is much easier to read and use, though it is less descriptive than previous BSODs.

The Blue Screen of Death in later betas of Windows 8. Note the text is different than in the final version but includes a sad emoticon.

In later betas of Windows 8, the text said "Your PC ran into a problem it couldn't handle and now it needs to restart" instead of just "Your PC ran into a problem and needs to restart". On Build 8056, the Blue Screen was black instead of blue, but the text is the same as the earlier with a sad emoticon.

In an update for Windows 10, known as The Anniversary Update (build 14393), more was added to it, including a QR code and adding more text saying to visit http://windows.com/stopcode to learn more. Also, the stop error is moved down and the line with it now says "If you call a support person give them this info: Stop code: *stop code*". However, the QR code will always redirect to http://windows.com/stopcode, regardless of the error.

The final Windows 8 Blue Screen. It is also used in Windows 8.1 and older versions of Windows 10.
The current Windows 10 Blue Screen.

On Windows 8.1 and 10, the csrss.exe killing no longer triggered a Blue Screen; it will simply hang the system instead (any playing sound will still loop, but the screen will still stay there with no blue screen). However, killing csrss.exe and getting a Blue Screen will still work on Windows 8. To get a Blue Screen in Windows 8.1 or Windows 10, the DCOM Server Process Launcher system process must be terminated instead. Terminating the DCOM Server Process Launcher may work on Windows 8, but on Windows 7 or below, it does not cause a Blue Screen but reboots the computer after 1 minute.

Green Screen of Death

On Windows Insider builds of Windows 10, the death screen was changed to a green color, thus making it easier to identify an error as present in a preview build rather than a stable, release build of Windows 10.

"Recovery" screen

On Windows 8 and above, this screen appears if an extremely critical Boot-marked driver or file, such as the Boot Configuration Data file in \Boot\BCD, winload.exe, or several others, is corrupted or has a missing or incorrect digital signature. The screen is accompanied by the message

Your PC needs to be repaired

in Windows 8 and 8.1 and

Your PC/Device needs to be repaired

in Windows 10.

This screen recommends the user to go to their computer manufacturer.

There are also several more types of blue and black screens which are rare, often caused by hardware failure. These include the Machine Check Exception-caused BSOD, which is triggered when the CPU detects a hardware failure such as a parity check failure, usually indicating failing RAM. The Windows Hardware Error Architecture, or before Windows Vista the Machine Check Architecture, present in the Windows kernel then triggers an error with BSOD 0x124 if using WHEA (post-Vista) and 0x9C if using MCE (pre-Vista).

Other death screens

Kernel Panic

A kernel panic happens when an operating system is in an unsafe state and is forced to halt the system, this term is mostly used in UNIX and UNIX-like operating systems, the user usually has to do a manual restart, unless the operating system has an auto restart feature.

Linux Kernel Panic
UNIX and *nix Kernel Panic

This kernel panic happens when the operating system goes into an unsafe state and will tell the user to reboot. UNIX and other *nix operating systems (e.g. Linux) had a way of displaying the kernel panic, it mostly consists of locking up the GUI (If the OS had one, otherwise it halts the computer.) and spewing out log information, kernel panics have different logs depending on how it happened.

macOS Kernel Panic

When macOS was rewritten as a UNIX operating system, it had a kernel panic to show that the system has crashed.

Before macOS 10.2, the operating system displayed the kernel panic the same way as other UNIX and *nix operating systems. This can also appear in iDevices, more commonly in jailbroken devices or iPhone 3rd generation.

iPhone 5S Blue Screen

Not much is known about this iOS Blue Screen, but it is presumed to be a kernel panic. It is unknown about how this is obtained on the phone, but it can be fixed with a manual restart.

Chrome OS Blue Screen

Chrome OS Blue Screen

It is found in Cr-48 developer mode by typing "xyzzy" into the boot manager. This was an intended "Easter Egg" and was a mock-up of the Windows NT 4.0 Blue Screen as it was incredibly similar in appearance except in a slightly lighter shade of blue, with random files not present in Chrome OS.

VMWare ESXi Crash Screen

VMWare ESXi Purple Diagnostics

VMWare ESXi is a type 1 hypervisor, therefore when encountering a problem it has to display it in some way, ESXi it displays the crash in the form of the purple diagnostics screen, it can happen usually when the hardware of the host machine encounters an error.

Sad iPod Death Screen

This appears if damage occurs to the hardware or firmware, such as deletion of system files. This death screen will not appear on newer generation iPods.

Red Ring of Death

This is not necessarily a death screen per se, but this appears on the Xbox 360 if it experiences a problem, most notably the "general hardware failure" problem.

Google Malware Screen

Google Malware Screen

On Google Chrome this death screen appears when the user visit a malicious site in which Google blocks them from entering the dangerous site due to malware being detected on said website.

File:380px-Xbox 360 Error codes.svg.png
Chart of the Red Ring of Death

Impersonation by Malware

File:W10 Fake BSOD.png
A fake Windows 10 Blue Screen of Death screen impersonated by scammers. Notice some bad grammar.

A dangerous version of the screen was created under a fake Microsoft Security Essentials installer made by Hicurdismos and appeared in October 2016. Whereas, this scam deceives users into believing that their computers crashed with the error and can call using the phone number to get the error fixed. Calling through the fraudulent phone provided on this screen would risk into losing credit card and/or other damages. <ref>Hicurdismos scam</ref>


<references />