Tuesday, December 30, 2008

The Mysterious Black Screen of Death - Is It Vista?

It goes like this: your Vista system boots to a black screen with a mouse cursor. That's it: no rest of the user interface, nothing you can do. This has been showing up in sporadic reports since about early November. They call it the blacK Screen Of Death, or KSOD (because BSOD was already taken).

What is causing it? That's unclear for now. But there is a fix, courtesy of Mark from the SBSC & MSP Buzz Blog. He says the problem is related to the RPC service running under the LocalSystem account as opposed to the NT Authority\NetworkService account, and I quote:


  • On the affected machine, boot using the Vista Media and Select "Next" and then in the bottom left you will see "Repair your Computer"; select Next and then Select Command Prompt.

  • At the command prompt, launch regedit.exe and load the SYSTEM hive, follow the below steps.

    • a. Select HKEY_LOCAL_MACHINE

    • b. On the File menu, select Load Hive.

    • c. Browse to %WINDIR%\System32\Config Folder and select "SYSTEM"

    • d. Select Open.

    • e. In the Load Hive dialog box, type "MySYSTEM" in the box as the name for the registry hive that you want to edit.

  • After the hive is loaded, modify the following key value per the instructions below: You will need to know what ControlSet the machine is currently running on; this can be determined by going to HKEY_LOCAL_MACHINE\MySYSTEM\Select and finding the "Current" value on the right-hand side. (Example: if the Current value is 1, then the ControlSet will be ControlSet001.)

    Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00X\Services\RpcSs (X is the Number from the Current Key from above)

    Value Name: ObjectName

    Old Value: LocalSystem

    New Value: NT AUTHORITY\NetworkService

  • Unload the SYSTEM hive by selecting the key "MySYSTEM" and then select "File->Unload Hive" menu item.

  • Exit regedit.exe

  • Reboot the system normally

Susan Bradley of the ever-entertaining SBS Diva Blog has some interesting perspective to add to this: we don't know what's causing this, so it may not actually be Vista, or at least not something simple about it. Something is changing the ObjectName key value, but we don't know what. Remote vulnerability? Malware? Stray neutrinos?

Windows doesn't normally log things to this level of detail so post-mortems on KSOD'd systems are not informative. But—and this is your mission, should you choose to accept it—you can turn on Auditing on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs key to see what did it, should you get the KSOD bug. Susan shows you how to do it here.
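One way to set up the auditing described above from a script instead of the Regedit permissions dialog. This is an added example, not taken from Susan's post or from Mark's fix. It assumes an elevated PowerShell 2.0 or later session on the live system, an English-language `auditpol`, and an account allowed to change the key's audit list (SACL). The function name `Get-RpcSsChange` is made up for this example.

```powershell
# Added example: log every write to the RpcSs service key so that a change
# to ObjectName leaves a record in the Security event log.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs'

# 1. Registry object-access auditing must be on, or the audit entry below logs nothing.
#    ("Registry" is the English subcategory name.)
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Note the current account so there is a baseline to compare against later.
$current = (Get-ItemProperty -Path $keyPath -Name ObjectName).ObjectName
Write-Output "RpcSs ObjectName is currently: $current"

# 3. Audit successful and failed attempts by anyone to write values,
#    create or delete subkeys, or change the key's permissions or owner.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $keyPath -Audit    # -Audit also reads the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. After a KSOD has been repaired, look for event 4657 ("A registry value
#    was modified") that names the RpcSs key. The event text includes the
#    process name, the account, and the old and new values.
function Get-RpcSsChange {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*\Services\RpcSs*' } |
        Select-Object TimeCreated, Message
}

Get-RpcSsChange | Format-List
```

The audit entry only records changes made after it is in place, so it has to be set on healthy machines before the problem appears.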

Next stop for me: Regedit.
