Windows blue screen is often encountered when using Windhawk

[tiantian520tt]

As the problem shows, when I use Windhawk, Windows often encounters a blue screen. After the first installation, I installed the Slick Window Arrangement module. I like this module very much, but after using it for about 30 minutes, Windows encounters a blue screen, and the blue screen code is unexception kernel mode_ trap After rebooting, about 6 seconds after entering the system, Windows encountered a blue screen again, and the blue screen file was displayed as "ntfs. dll". I did not notice the blue screen code, and it was restarted quickly. The third time, when I did not finish loading Windows, it was blue. Finally, I entered the advanced startup command prompt, deleted the windhawk file, and the screen was no longer blue. Why is this? Perhaps this is a very serious loophole. As far as I know, many Windhawk users have encountered similar problems, at least in China. I hope you can solve the problem as soon as possible! I really like this software! (I am not good at English, so I use translation software)

[m417z]

Thanks for the report. I haven't encountered BSODs with Windhawk, but I'd very much like to understand why that happens and fix it.

• Do you encounter the BSODs with Windhawk if the Slick Window Arrangement mod is disabled?
• Can you send me a system dump after a BSOD? It's usually saved to C:\Windows\MEMORY.dmp, but to make sure the path is correct, you can use the BlueScreenView tool. You can send me the dump via email. Thanks.

Finally, I entered the advanced startup command prompt, deleted the windhawk file, and the screen was no longer blue.

As a sidenote, it should be enough to exit Windhawk and mark the checkbox to disable it completely.

[tiantian520tt]

Thank you! I deleted the windhawk files because i can't load the system. I'm true the problem's reason is Windhawk. I used WinDBG to find out why did Windows encounters a blue screen.It told me: nt!KeBugCheckEx: fffff8056f1f88c0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff289322c6c10=00000000000000ef I can't understand it, because i'm weak in it.......Maybe it can help you! But, after I uninstalled Windhawk, Windows no longer shows blue screen. I think there are some problems with Windhawk.(Maybe mods?) I tried to disabled Slick Window Arrangement mod and enabled another mod(Chrome/Edge scroll tabs with mouse wheel). Windows also shows me blue screen. I don't know why. Thank you for your answer! I really like Windhawk.I hope these problems will fix quickly.

[m417z]

nt!KeBugCheckEx: fffff8056f1f88c0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff289322c6c10=00000000000000ef

Unfortunately, that's not enough information. Could you send me the dump file? If you can't do that, I'd like to ask you to run a couple of commands with WinDbg with the dump file, but it will be less convenient.

[tiantian520tt]

"File size too big: 25 MB are allowed, 169 MB were attempted to upload." Uhh..........

[m417z]

You can upload it to a service such as Google Drive or https://wetransfer.com/ and send the link.

[tiantian520tt]

https://we.tl/t-6gjB1b0rO3 Thanks!

[m417z]

From a quick glance, it looks like the the reason for the BSOD is that a critical process died.

CRITICAL_PROCESS_DIED (ef) A critical system process died

CRITICAL_PROCESS: services.exe

First I thought that perhaps Windhawk caused the process to crash, but services.exe is a protected process, Windhawk doesn't have permission to inject code into it, and so it's skipped. So it's unclear why it died.

Googling for it, I found this thread with a BSOD which looks very similar to yours: https://www.tenforums.com/bsod-crashes-debugging/175871-bsod-critical-process-died.html

I'm still looking around.

Can you also check the Event Viewer for other reports? Perhaps there's something interesting in there. Open Event Viewer, and check Windows Logs. The Application, System tabs are usually the more interesting ones.

[tiantian520tt]

thank you! The file I sent to you should be the third blue screen, that is, the blue screen on the login interface. But it is true that I have never had a blue screen since I uninstalled Windhawk. I'm browsing through the Windows Event Manager... too bad!!!! My system events are automatically cleared. It's all my fault that I used the auto clear program............

[tiantian520tt]

I want to try to replay this situation in a virtual machine now. If the virtual machine system also shows a blue screen, I will send you all the information in the virtual machine.

[tiantian520tt]

Strange! After running on the virtual machine for several hours, a video was continuously played to simulate user operation, but the blue screen was not displayed. I will continue to observe. This may not be a problem with Windhawk, but it may be caused by the coexistence of an incompatible program and Windhawk. Thank you!

[m417z]

Thanks for trying. If you can reproduce it on your computer and would like to investigate further, we can try the following:

• Exclude processes in Windhawk until we narrow which process injection causes the problem.
• Add logging to Windhawk to see what are the last actions before the BSOD.

Let me know if you're interested.

[m417z]

By the way, something I forgot to mention: Until we understand and fix the issue, you might want to use the portable version. It doesn't require admin rights at all, and shouldn't be able to crash the system even if it wanted.

[tiantian520tt]

Thanks! I am already trying now. If i finish, i'll tell you. I'm looking for the portable version now. I hope it'll be great!

[m417z]

I would still like to understand what caused services.exe to crash, but I've just released Windhawk v1.1 with an improvement in this regard: Windhawk no longer injects code into critical system processes by default. So Windhawk should no longer be able to cause a blue screen.