Wanted, dead or alive - Black Screens

Filed Under: Malware, Spam

Depending on whom you believe, the web is alive with reports of a whole new sort of potential disaster for Windows users: the Black Screen of Death. According to one security company, it is so common that it "could affect millions", has "many causes" and is "very troublesome".

Despite being so common, however, no-one seems to have been able to capture a truly reliable screenshot – not even in a window inside a virtual machine. From the name, you might imagine that it looks like a screen that is switched off (and perhaps that is one of the causes?), but then a Blue Screen of Death isn't pure blue. It contains a whole load of tell-tale diagnostic text, too. Perhaps a Black Screen of Death is similar?

So I'm afraid that I can't tell you exactly what a Black Screen of Death is, or even what it looks like. All I can tell you is that it sounds like nothing more than enormous hyperbole for what happens if the registry value:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

gets messed up. Usually, this value is set to Explorer.exe – the program that Winlogon starts as your shell when you log on, and which presents your desktop, wallpaper, task bar, system tray and the Start menu. Without Explorer.exe, or some suitable replacement for it, you don't get the regular Windows user interface. (That is also exactly why malware likes to tamper with this value: whatever is named there runs at every logon.)

A missing Windows desktop is hardly a "screen of death", whether black, brown, blue or beige. The term "screen of death" is inextricably interlinked with some sort of unrecoverable error deep inside the operating system kernel itself, as a result of which the entire operating system is frozen and the computer locked up until rebooted. To associate this term with a messed-up Winlogon shell is absurd.

If you are brave (or foolish, or have a disposable virtual machine handy), you can simulate a possibly-black screen of not-death-but-something-else by using REGEDIT to mess up the Winlogon\Shell entry yourself. Rename the real registry value to Shell.Previous and create a new one called Shell. It's supposed to be a string value (REG_SZ). Make it a DWORD instead, and pick some value. I chose "42".

Now logoff and log back on. Egad! Your computer is ruined! No desktop, no icons, no task bar and no Start menu!

Don't panic. Do a three-fingered salute (Ctrl-Alt-Del) and choose Task Manager (Ctrl-Shift-Esc opens it directly). Click the Applications tab and choose [New task...]. This is a generally handy way of getting back into your PC if the Explorer.exe process ever dies or won't start – for example, as a result of malware infection, or as a side-effect of ill-advised experiments after reading up about black screens of death.

Run the program Explorer.exe. This gets you back into your desktop, icons, menus and so forth. (If you launch a second or subsequent copy of Explorer.exe while the first is already running as your shell, you will get the Windows Explorer file manager rather than a second copy of your desktop.)

Now that you're back into your "dead" PC, run REGEDIT again. Delete your bogus Winlogon\Shell entry and rename the old one back. You may stand down from Black Alert.

Unless playing around with REGEDIT has now messed up your PC properly. If so, sorry about that!
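Whether you got here by experiment or by infection, the fix is the same: check what the Shell value actually contains and put explorer.exe back. The script below is an added example, not code from the original post. It audits the Winlogon Shell value for exactly the two kinds of damage described above (wrong type, or something other than explorer.exe) and, with -Restore, undoes the experiment by renaming Shell.Previous back or recreating the default. It also checks the per-user copy of the key under HKCU, which Windows honours as an override and which is a favourite of malware; that key is not mentioned in the post. It assumes an elevated PowerShell prompt and, as in the post, that the only legitimate HKLM value is explorer.exe.

```powershell
# Added example (not from the original post): audit and optionally repair the
# Winlogon Shell value. Run from an elevated PowerShell prompt:
#   .\Check-WinlogonShell.ps1            # report only
#   .\Check-WinlogonShell.ps1 -Restore   # put explorer.exe back
param([switch]$Restore)

# HKLM is the machine-wide shell; HKCU is a per-user override that should
# normally not exist at all (assumption: you have not deliberately set one).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($path in $keys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }                     # HKCU\...\Winlogon may not exist; that is fine

    $names = $key.GetValueNames()
    if ($names -notcontains 'Shell') {
        Write-Output "$path : no Shell value (OK for HKCU; HKLM falls back to explorer.exe)"
        continue
    }

    # Read both the data and its registry type: the post's experiment stores
    # a DWORD where a REG_SZ belongs, so the type alone can give the game away.
    $kind  = $key.GetValueKind('Shell')
    $value = $key.GetValue('Shell')
    $healthy = ($kind -eq 'String') -and ("$value" -match '^(?i)explorer\.exe$')

    if ($healthy) {
        Write-Output "$path : Shell = '$value' ($kind) - looks normal"
        continue
    }

    Write-Warning "$path : Shell = '$value' ($kind) - NOT the expected REG_SZ 'explorer.exe'"
    if (-not $Restore) { continue }

    # Repair: drop the bogus value whatever its type, then reinstate the real one.
    Remove-ItemProperty -Path $path -Name 'Shell'
    if ($names -contains 'Shell.Previous') {
        # Undo the experiment from the post: the original value was renamed, not deleted.
        Rename-ItemProperty -Path $path -Name 'Shell.Previous' -NewName 'Shell'
        Write-Output "$path : restored Shell from Shell.Previous"
    }
    elseif ($path -like 'HKLM:*') {
        New-ItemProperty -Path $path -Name 'Shell' -PropertyType String -Value 'explorer.exe' | Out-Null
        Write-Output "$path : recreated Shell = 'explorer.exe'"
    }
    else {
        # A per-user override has no legitimate default; removing it is the repair.
        Write-Output "$path : removed per-user Shell override"
    }
}
```

The report-only mode is deliberately the default: a Shell value that is not explorer.exe is evidence worth preserving (and, if you suspect malware rather than your own experiment, worth exporting with REGEDIT before you fix it), so look first and repair second.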


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog