
This effect is known as the CSRSS Backspace bug, and it affects all versions of Windows NT 4 and Windows 2000. Microsoft has not supplied a fix for this, and, since there will be no further service packs for NT4, it is likely there will never be a fix for that platform.

This crash is caused by a bug in CSRSS.EXE, which provides console I/O and multithreading services, and is one of the vital processes that must be running at all times under NT. The bug is in CSRSS.EXE's handling of backspace characters written using high-level console I/O. Specifically, CSRSS.EXE does not correctly handle the case of a tab character followed by several backspaces in a single high-level write. If this situation occurs at the beginning of a line, the cursor is moved to a point near the end of the previous line. If the cursor is already on the first line, it moves outside of the console's buffer. The next write to the console will begin outside the area allocated for the console's output buffer. Depending on where the erroneous write occurs, this can cause CSRSS.EXE to crash, taking NT along with it. Administrator privileges are not needed to exploit this bug.

Somewhat ironically, programs compiled for Cygwin are apparently not affected by this bug due to some intermediary processing that the environment applies to console I/O.
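The Cygwin observation suggests the practical mitigation for an application that still has to run on an unpatched NT4 box: do what that intermediary layer does and never hand the console a tab immediately followed by backspaces in one high-level write (`WriteConsole`/`WriteFile` on a console handle). The filter below is an added example, not code from the writeup; it assumes 8-column tab stops and writes narrower than the console buffer width, and it only hardens the caller's own output. It does nothing to CSRSS itself.

```python
import re

# Added example (not from the original writeup): a defensive filter an
# application applies to its own text before one high-level console write,
# so the tab-then-backspace sequence described above never reaches CSRSS
# inside a single write.  Tab stops every 8 columns are an assumption.
TAB_WIDTH = 8
HAZARD = re.compile(r"\t\x08+")


def find_hazards(text: str) -> list[int]:
    """Offsets of every tab directly followed by one or more backspaces,
    i.e. the pattern the writeup blames for the crash."""
    return [m.start() for m in HAZARD.finditer(text)]


def sanitize_console_write(text: str, tab_width: int = TAB_WIDTH) -> str:
    """Rewrite text so it is safe to pass to one high-level console write.

    * Tabs are expanded to spaces, so no literal tab ever precedes a
      backspace inside the write.
    * The current column is tracked and a backspace is kept only while
      column > 0, so backspaces cannot move the cursor before the start
      of the line (and therefore never off the top of the buffer).
    Line wrapping at the console width is not modelled; callers are
    assumed to write lines shorter than the buffer width.
    """
    out = []
    col = 0
    for ch in text:
        if ch == "\t":
            n = tab_width - (col % tab_width)   # distance to next tab stop
            out.append(" " * n)
            col += n
        elif ch == "\b":
            if col > 0:                         # drop backspaces at column 0
                out.append(ch)
                col -= 1
        elif ch in "\r\n":                      # both return to column 0
            out.append(ch)
            col = 0
        else:
            out.append(ch)
            col += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a tab at the start of a line followed by backspaces.
    sample = "\t\b\b\bX"
    print("hazards before:", find_hazards(sample))
    safe = sanitize_console_write(sample)
    print("hazards after: ", find_hazards(safe), repr(safe))
```

Run `find_hazards` on outgoing buffers in a debug build to spot code paths that emit the sequence, and route all console output through `sanitize_console_write` in the release build; expanding tabs also removes any dependence on the console's own tab-stop handling.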

I have a better way:

  1. Find an NT box (this includes XP)
  2. open a command prompt
  3. Go to a directory with a lot of files (c:\winnt works well)
  4. Do a dir
  5. While the directory listing is scrolling past, hit F7 and enter as fast as you can (alternating, not at the same time!) over and over again
  6. Windows will BSOD every time

I like this method better since you don't need a compiler. This is a bug that a 2-year-old could trigger.


Update: yerricde informs me that this bug has been fixed in Windows 2000 SP3. :-/
