Windows Black Screen Root Cause
Posted by: Jacques Erasmus
We've been working with Microsoft to get to the bottom of the specific black screen issues in our earlier blog. We have made some significant progress in determining specific triggers of the black screen event.
The issue appears to be related to a characteristic of the Windows Registry related to the storage of string data. In parsing the Shell value in the registry, Windows requires a null terminated "REG_SZ" string. However, if malware or indeed any other program modifies the shell entry to not include null terminating characters, the shell will no longer load properly, resulting in the infamous Black Screen with the PC showing only the My Computer folder.
SysInternals was one of the first companies to discover this characteristic of the registry a number of years ago in their utility: RegHide http://technet.microsoft.com/en-us/sysi ... 97446.aspx which modifies registry entries to prevent them from being accessible within the operating system. This technique is frequently used by malware authors which is why it is recommended to first query the length of a registry value, and then read it into a buffer, forcing the null termination of strings whether or not null terminated by their content.
Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor.
Continues at Prevx Blog