Recovering from Windows XP's Blue Screen Of Death


Blue Screen Of Death
Let's face it, all PCs are configured differently, with hardware and software customized to each user's taste. This can sometimes create problems with software updates, and Microsoft's Windows XP is no exception. While Microsoft writes patches and tests them, the real test occurs once a patch is released into the wild. Third-party drivers may also cause this problem. So one might say, "I updated my PC with the latest security patches, and upon rebooting I get the dreaded Blue Screen Of Death! Now what do I do?"

All is not lost. The system can most likely be recovered using the Recovery Console. However, Microsoft recommends this method of system recovery for advanced users only. We recommend that you ONLY use the Recovery Console after Safe mode and any other startup options have failed. The Recovery Console is recommended only if you are an advanced user and know how to use basic commands to identify and locate problem drivers and files. Additionally, you must be an administrator to use the Recovery Console. Here are additional details of the Recovery Console.

If you need to use the Recovery Console to repair a problem, follow these steps:

  1. Boot from your Windows XP CD or DVD and start the Recovery Console.
  2. At the repair prompt (which starts in the Windows folder), type this command: CHDIR $NtUninstallKB977165$\spuninst

(NOTE: We used the update labeled KB977165 for our example, as this was a problem at the time of this writing. Substitute the KB number of whichever update is causing your problem.)

  3. Type this command: BATCH spuninst.txt
  4. Type this command: systemroot
  5. When complete, type this command: exit
  6. Reboot the machine.

Provided this was the problem, your machine should reboot normally.

Most Netbooks will let you boot from an external USB CD or DVD drive holding an XP disk. You may, however, need to change the boot order in the BIOS settings or at the system startup screen.

Keep in mind that uninstalling a security patch reverses the fix, leaving the system open to that particular vulnerability. Not all systems are affected by the Blue Screen Of Death when security patches are applied. If you are affected and need to uninstall the patch, we recommend contacting Microsoft Support to let them know.

For home users, no-charge support is available by calling 1-866-PCSAFETY (and/or 1-866-234-6020 and/or 1-800-936-5700) in the United States and in Canada, or by contacting your local Microsoft subsidiary. There is no charge for support calls that are associated with security updates. When you call, clearly state that your problem is related to a Security Update and cite the update's KB number (e.g., KB999999).

Or you can...

Start a free Windows Update support incident request:
https://support.microsoft.com/oas/default.aspx?gprid=6527

Consumer Security Support home page & Microsoft Update Solution Center also offer support options:
https://consumersecuritysupport.microsoft.com/ or
http://support.microsoft.com/ph/6527#tab3

For more information about how to contact your local Microsoft subsidiary for security update support issues, visit the International Support Web site:
http://support.microsoft.com/common/international.aspx

For enterprise customers, support for security updates is available through your usual support contacts.


Update (02-16-10)


The BSOD problems touched off by the Microsoft patch KB977165 were actually caused by a rootkit called Tidserv. Symantec reports that Tidserv infects low-level kernel drivers, such as the IDE driver atapi.sys, thereby concealing itself and worming its way into the system. Once the rootkit is active it becomes very hard to detect, even by anti-virus software, so most users never know there is anything wrong with their PC.

The BSOD occurs because the rootkit uses relative virtual addresses that changed under Windows XP when the KB977165 update was installed. As a result the infected kernel module calls invalid addresses, which causes repeated page faults and reboots. Symantec says there may well be other kernel drivers that use hard-coded addresses, but that the most common cause at present is Tidserv.

Since atapi.sys is a driver critical to startup, Windows cannot be started in Safe mode either. Rather than uninstalling the Microsoft patch, Symantec recommends replacing the infected driver with a clean copy from a source such as a backup. In addition to atapi.sys, Tidserv can also infect other drivers, including iastor.sys, idechndr.sys, ndis.sys, nvata.sys and vmscsi.sys.

Symantec recommends replacing the files manually, since attempting to remove them automatically may render the system unbootable. Some have recommended that affected users consider completely reinstalling Windows even after repairing their systems. We however disagree. We do recommend that users always keep their systems up to date, not just with security and program patches but with their anti-virus, anti-malware and firewall software as well.
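Before replacing drivers by hand as Symantec describes, a defender first wants to know which of the named drivers actually differ from a trusted copy. The following Python script is an added example written for this article, not a Symantec or Microsoft tool; it assumes the XP volume's drivers folder and a known-good backup folder are both mounted on the machine running it, and the folder layout and file bytes built in demo() are constructed for illustration.

```python
"""Compare the drivers Tidserv is reported to infect against known-good backup
copies.  Example code added for this article, not a Symantec or Microsoft tool."""
import hashlib
import tempfile
from pathlib import Path

# Drivers the article names as Tidserv infection targets.
SUSPECT_DRIVERS = ["atapi.sys", "iastor.sys", "idechndr.sys",
                   "ndis.sys", "nvata.sys", "vmscsi.sys"]

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_drivers(drivers_dir, backup_dir, names=SUSPECT_DRIVERS):
    """Return {driver: status}. 'MODIFIED' is a candidate for manual replacement,
    'no-backup' has nothing trusted to compare against, 'not-installed' is normal
    (an XP box uses only one of the IDE/SATA drivers listed). Nothing is changed."""
    report = {}
    for name in names:
        live, good = Path(drivers_dir, name), Path(backup_dir, name)
        if not live.exists():
            report[name] = "not-installed"
        elif not good.exists():
            report[name] = "no-backup"
        elif sha256_of(live) == sha256_of(good):
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"
    return report

def demo():
    """Constructed sample volume in a temp dir: atapi.sys altered in place by a
    few trailing bytes, ndis.sys intact, iastor.sys present without a backup
    copy, the remaining drivers not installed."""
    root = Path(tempfile.mkdtemp())
    drivers, backup = root / "drivers", root / "backup"
    drivers.mkdir()
    backup.mkdir()
    clean_atapi = b"MZ" + b"\x00" * 60 + b"clean atapi body"
    clean_ndis = b"MZ" + b"\x00" * 60 + b"ndis body"
    samples = {
        backup / "atapi.sys": clean_atapi,
        drivers / "atapi.sys": clean_atapi[:-4] + b"XXXX",  # tampered copy
        backup / "ndis.sys": clean_ndis,
        drivers / "ndis.sys": clean_ndis,
        drivers / "iastor.sys": b"MZ" + b"\x00" * 60 + b"iastor body",
    }
    for path, data in samples.items():
        path.write_bytes(data)
    return check_drivers(drivers, backup)
```

Run check_drivers() against the real mounted folders; only a driver reported as MODIFIED needs the manual replacement the article describes, and a missing backup means you need a trusted copy before deciding anything.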