What file contains Windows' Blue Screen messages?

  • Thread starter: DarkHand
  • Replies: 11
  • Views: 7K


DarkHand

Senior Member
VIP
When a BSOD occurs, where does Windows read the 'Windows has detected a problem and halted the computer blah blah' text from? I've checked the most common suspects like user32.dll and Kernel32.dll, but no luck.

I'd like to fire up a resource editor and replace this:
[Image: win7bsod_01.jpg]




With this:
[Image: BSOD_After.jpg]


:D
 

In the message table of a file called "ntoskrnl.exe"

and it looks like jumbled shit without a program to read it.


A fun thing to do is get a screen shot of the BSOD, customize it a few different ways, then set it up as a slide show screen saver. It'll make your admin twitch.


Searching around, found a stupid tweak.. But you could make it the RSoD!
In Windows 2000/XP/2003, each time the Windows Kernel crashes, a blue screen appears, giving the administrator some clues and information as to what has caused the error. This screen, because of its blue color and catastrophic nature, was nicknamed BSOD - Blue Screen Of Death.
Why blue - no one knows, but what I do know is the fact that the blue screen can be changed to a different color, thus creating your own YSOD or RSOD or even WSOD...
To do so follow these steps:
  1. Open the SYSTEM.INI file found in the %systemroot% folder (i.e. C:\Windows or other). You can easily open the file by running SYSEDIT from the Run command, or by using Notepad.exe.
  2. Locate the [386enh] section in the file:
    [Image: bsod_color.gif]
  3. If not already present, create the following new entries:

MessageBackColor=
MessageTextColor=

and give it a value according to the following list:
  • 0 = black
  • 1 = blue
  • 2 = green
  • 3 = cyan
  • 4 = red
  • 5 = magenta
  • 6 = yellow/brown
  • 7 = white
  • 8 = gray
  • 9 = bright blue
  • A = bright green
  • B = bright cyan
  • C = bright red
  • D = bright magenta
  • E = bright yellow
  • F = bright white
For example:

MessageBackColor=2
MessageTextColor=F

will change the BSOD to Green with bright white text.
Note: Use CAPITAL LETTERS, i.e. F and not f.
  4. Close SYSTEM.INI while saving your changes.
  5. Restart the computer.
Now wait for the system to crash (supposedly it shouldn't be crashing so often...) and behold the horror.
The reason behind this tweak is for people that have certain forms of visual impairment and are only able to use Windows when it is set to high contrast mode. This setting allows the BSOD to be set to high contrast colors as well, making it easier for the visually impaired to read the information in them.
 
In the message table of a file called "ntoskrnl.exe"

and it looks like jumbled shit without a program to read it.

Directly in the kernel? Makes sense being such a low level error, but I wonder how they handle different languages... Is the kernel file itself different for versions in other languages?

Either way, thankya. :) Most messages I've seen that are difficult to mess with are separated with a NUL every other character, I'll just leave those intact and replace the unwanted characters with spaces (yes I'll back up the kernel!). If it works I'll post pictures. :D
 
off topic interjection....


You are all nerds... and by nerd I mean nerd to the topmost degree.

Resume your nerd talk. :)
 
Success!

[Image: DSC_1143.JPG]


:D:D:D

That's in XP, now to do it in Windows 7. Haven't had a blue screen in 7 yet though, and I don't know if the 'Force a bluescreen' registry entry still works in later versions of Windows.

EDIT: It's a bit off center, need to back it up a few characters but I'm too lazy now.
 

what did you do? lol

Booted into 7, found the message in XP's ntoskrnl.exe (well ntkrnlpa.exe since I seem to have physical address extensions enabled) and replaced it with spaces with a hex editor. :) It wasn't obfuscated with NULs like I thought it would be. Stuck the new message in the middle and booted into XP... Using RDP with my brother's iPod touch has been bluescreening regularly in XP so I tried to run it for a crash, but it was flawless for the first time ever. :P Started shutting down though and got the video drivers to crash. :)
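
Added example, not part of the original thread: a reader for a raw message-table resource blob (the MESSAGE_RESOURCE_DATA / BLOCK / ENTRY layout from winnt.h), which is the "program to read it" the replies above refer to. Each entry's Flags field says whether its text is ANSI or UTF-16LE, which is why a string can show up in a hex editor either plain or with a NUL after every character. The sample blob, message IDs and texts are constructed, and extracting the resource from the PE file is assumed to happen elsewhere.

```python
import struct

MESSAGE_RESOURCE_UNICODE = 0x0001  # entry Flags bit: text is UTF-16LE, else ANSI

def parse_message_table(blob):
    """Return {message_id: text} from a raw message-table resource blob."""
    messages = {}
    (num_blocks,) = struct.unpack_from("<I", blob, 0)
    for i in range(num_blocks):
        # MESSAGE_RESOURCE_BLOCK: LowId, HighId, OffsetToEntries (from blob start)
        low, high, offset = struct.unpack_from("<III", blob, 4 + 12 * i)
        for msg_id in range(low, high + 1):
            # MESSAGE_RESOURCE_ENTRY: Length (whole entry incl. header), Flags, Text
            length, flags = struct.unpack_from("<HH", blob, offset)
            if length < 4 or offset + length > len(blob):
                raise ValueError(f"corrupt entry for id {msg_id:#x}")
            raw = blob[offset + 4 : offset + length]
            if flags & MESSAGE_RESOURCE_UNICODE:
                text = raw.decode("utf-16-le")
            else:
                text = raw.decode("latin-1")
            messages[msg_id] = text.rstrip("\x00")  # drop terminator and padding
            offset += length
    return messages

def _entry(text, wide):
    """Build one constructed entry, NUL-terminated and padded to 4 bytes."""
    raw = text.encode("utf-16-le" if wide else "latin-1")
    raw += b"\x00" * (2 if wide else 1)
    raw += b"\x00" * (-(4 + len(raw)) % 4)
    return struct.pack("<HH", 4 + len(raw), int(wide)) + raw

def build_sample():
    """Constructed blob: one block with an ANSI entry, one with two UTF-16 entries."""
    block_a = _entry("Constructed ANSI message\r\n", False)
    block_b = (_entry("Constructed wide message one\r\n", True)
               + _entry("Constructed wide message two\r\n", True))
    header_len = 4 + 2 * 12
    header = struct.pack("<I", 2)
    header += struct.pack("<III", 0x10, 0x10, header_len)
    header += struct.pack("<III", 0x100, 0x101, header_len + len(block_a))
    return header + block_a + block_b

if __name__ == "__main__":
    for msg_id, text in parse_message_table(build_sample()).items():
        print(f"{msg_id:#06x}: {text!r}")
```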
 