how to detect Blue Screen Of Death in my driver

User 8433064

I am programming a driver in kernel mode. I need my driver to detect a BSOD. When BSOD occurs my driver will write a flag out a registry or a file to mark BSOD occurred .In next boot ,My driver will read this flag to know BSOD in previous boot. if the flag is set the driver do something. I found a way to detect BSOD by using KeRegisterBugCheckCallback routine. this routine registers a BugCheckCallback routine, which executes when the operating system issues a bug check. but I don't know how to write file of write Registry in this callback (In this callback , ZwWriteFile or ZwSetValueKey can't do that) Is there any way to do that? or is there any other way to detect BSOD in previous boot ? Thanks.

_Superman_

Not sure if it is even possible. But here is a list of functions that work with the registry -

IoOpenDeviceRegistryKey
IoOpenDeviceInterfaceRegistryKey
RtlDeleteRegistryValue
RtlQueryRegistryValues
RtlWriteRegistryValue
ZwCreateKey
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwOpenKey
ZwQueryKey
ZwQueryValueKey
ZwSetValueKey

Another possibility is for you to hook the KeBugCheckEx function. Again not sure if this will actually work. Here is an article on how to hook the kernel APIs - Hooking the kernel directly[^]

«_Superman_»  _I love work. It gives me something to do between weekends.

_Microsoft MVP (Visual C++) (October 2009 - September 2013)

Polymorphism in C

Munchies_Matt

I am going to say either impossible or very complex. Ask at OSR online though, that's where kernel experts hang out, someone else might have a suggestion.

"The whole idea that carbon dioxide is the main cause of the recent global warming is based on a guess that was proved false by empirical evidence during the 1990s." climate-models-go-cold