Memory analysis

Crash without CtrlScroll

Forcing Windows to crash on a repeated press of the Ctrl-Scroll keys is a proven way to generate a memory dump. Unfortunately the system has to be configured (and rebooted) prior to an incident to enable this functionality. In a blog post C4RTMAN wonders whether there's another way to make the system crash. Now, here's an answer.

When set up properly the system will crash as soon as Scroll Lock is pressed twice while the right Ctrl key is held down. Opening the resulting crash dump in a debugger immediately hints at the routine I8xProcessCrashDump of the keyboard controller driver i8042prt.sys:

BugCheck E2, {0, 0, 0, 0}

Probably caused by : i8042prt.sys ( i8042prt!I8xProcessCrashDump+53 )

Looking at the driver's code one finds a lot of fiddling with keyboard scan codes. Then, finally, the controlled crash is initiated by calling the kernel's KeBugCheckEx function with code 0xE2.

.text:000127D6 Prepare_BugCheck_E2:                    
.text:000127D6                 or      esi, 300h
.text:000127DC                 add     eax, 220h
.text:000127E1                 cmp     [eax], esi
.text:000127E3                 pop     esi
.text:000127E4                 pop     ebx
.text:000127E5                 jnz     short done
.text:000127E7                 xor     ecx, ecx
.text:000127E9                 push    ecx             ; BugCheckParameter4
.text:000127EA                 push    ecx             ; BugCheckParameter3
.text:000127EB                 push    ecx             ; BugCheckParameter2
.text:000127EC                 push    ecx             ; BugCheckParameter1
.text:000127ED                 push    0E2h            ; BugCheckCode
.text:000127F2                 mov     [eax], ecx
.text:000127F4                 call    ds:__imp__KeBugCheckEx@20

So there's no need to rely on the keyboard driver to force a crash. A few lines of kernel-mode code invoking KeBugCheck or KeBugCheckEx will do the trick. If you don't want to write such a utility on your own, you can also use Sysinternals NotMyFault and invoke it with the /crash option. Please note: NotMyFault doesn't call KeBugCheck directly, but accesses unallocated memory to cause the crash.

But does that solve the initial problem? Probably not. The BugCheck routine will draw the familiar blue screen. But it will dump memory only if the system has been configured to do so. And activating this setting still requires a reboot.
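Because the dump settings must be in place before an incident, it is worth auditing them ahead of time. The following PowerShell script is an added example, not code from the original post; it reads the documented CrashOnCtrlScroll values (i8042prt for PS/2 keyboards, kbdhid for USB keyboards) and the CrashControl dump type, and reports what is missing. It assumes it is run elevated on the host being checked.

```powershell
# Added example: audit whether a Windows host is prepared to produce a
# keyboard-triggered, complete memory dump. Read-only; run in an elevated shell.
function Test-CrashDumpReadiness {
    # Expected values: CrashOnCtrlScroll = 1 enables the Ctrl+Scroll trigger;
    # CrashDumpEnabled = 1 is a complete memory dump (2 = kernel, 3 = small,
    # 7 = automatic), which memory analysis needs for user-mode content.
    $checks = @(
        @{ Name  = 'CrashOnCtrlScroll (PS/2, i8042prt)'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'
           Value = 'CrashOnCtrlScroll'; Expect = 1 },
        @{ Name  = 'CrashOnCtrlScroll (USB, kbdhid)'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'
           Value = 'CrashOnCtrlScroll'; Expect = 1 },
        @{ Name  = 'CrashDumpEnabled (complete dump)'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
           Value = 'CrashDumpEnabled'; Expect = 1 }
    )

    $ready = $true
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { '<not set>' }
        $ok     = ($actual -eq $c.Expect)
        if (-not $ok) { $ready = $false }
        $tag = if ($ok) { 'OK  ' } else { 'MISS' }
        Write-Output ('{0} {1,-36} actual={2} expected={3}' -f $tag, $c.Name, $actual, $c.Expect)
    }

    # Also report where the dump will be written, so the volume can be checked for space.
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -ErrorAction SilentlyContinue
    if ($null -ne $cc -and $cc.PSObject.Properties['DumpFile']) {
        Write-Output ('     DumpFile={0}' -f $cc.DumpFile)
    }
    return $ready
}

if (Test-CrashDumpReadiness) { 'Host is ready for keyboard-triggered memory dumps.' }
else { 'Host is NOT ready; changes to these values take effect only after a reboot.' }
```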