
How Powerful is PowerShell really?

I have worked with various scripting languages, and recently I came across a script I had worked on about six years ago while writing for the NTDebugging blog at Microsoft. Honestly, I became nostalgic remembering the kind of work my team and I used to do back in the day. While working on the blog post below, I had played around with a PowerShell script that could make any Windows process critical. I would highly appreciate it if you could read the following link to get more details about what I am talking about before proceeding with this article.

"Bugchecking a Computer on a Usermode Application Crash", still available at https://docs.microsoft.com/en-us/archive/blogs/ntdebugging/bugchecking-a-computer-on-a-usermode-application-crash

Windows marks some user-mode processes as critical, and users cannot stop or close these processes. There are ways to force-kill such a process, but doing so leads to a system crash (a bugcheck). We used this feature of Windows to debug user-mode application crashes and hangs where kernel stacks were needed.

This article demonstrates the true power of PowerShell through its ability to easily call the Win32 API. You can just as easily integrate with other .NET code. The possibilities with PowerShell are practically unlimited.

Warning:
The code referred to in this article is written to demonstrate the power of PowerShell as a scripting language. Please use it wisely: only for educational purposes, or when a memory dump with user-mode and kernel stacks (or a complete memory dump) is needed on an application crash. This code can make any running user-mode application, service or process a critical process. Closing the application will then lead to a system crash. Please ensure you save any unsaved data. The system crash will not cause any other issues, but I will not be responsible for any losses incurred while running this on production systems. I cannot be held responsible for any issues caused by this code. If you do not have good knowledge of PowerShell, Windows, debugging or IT systems, I would highly advise you to engage a responsible and experienced IT professional before trying this code. Run this in an isolated test environment only.

If you continue reading the article and choose to follow through, I am considering you suitably warned. The code is available on my public GitHub repository here. I would love to put the code in the blog itself, but given the warning above I would request that you visit the GitHub link instead. Please note that I have reused existing code to add dynamic values for a PowerShell function parameter (a dynamic parameter), which is available here.

Ensure you run calc.exe; for the demonstration we will use it as the sample application to cause the system to crash. Run the code from an administrative PowerShell instance. When you run the code you will see that it reads all the running processes and presents them as the parameter values available for selection. See the screenshot below.
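To show the two PowerShell techniques this post relies on, calling a native API through Add-Type P/Invoke and offering the running processes as a dynamic parameter's ValidateSet, here is an added example that is not the author's script and not taken from the linked repository. It goes the other way round: instead of setting the critical flag, it queries it, so an administrator can audit which processes on a box currently have ProcessBreakOnTermination set. A critical flag on a process that is not a well-known Windows system process is worth investigating, since it is exactly the state this post's script (and, in the wild, some malware) produces. The class name NtProc and the function name Get-CriticalProcess are my own; the information-class value 29 (0x1D) is the documented ProcessBreakOnTermination class for NtQueryInformationProcess.

```powershell
# Added example (not the original post's code): audit which running processes
# have the BreakOnTermination (critical) flag set. Query only; nothing is changed.

$signature = @'
using System;
using System.Runtime.InteropServices;

public static class NtProc
{
    // Native API exported by ntdll.dll; returns an NTSTATUS (0 = STATUS_SUCCESS)
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr processHandle,
        int processInformationClass,
        ref int processInformation,
        int processInformationLength,
        out int returnLength);

    // PROCESSINFOCLASS ProcessBreakOnTermination = 29 (0x1D); a ULONG, nonzero = critical
    public const int ProcessBreakOnTermination = 29;
}
'@
Add-Type -TypeDefinition $signature

function Get-CriticalProcess {
    [CmdletBinding()]
    param()

    # Dynamic parameter -Name: its ValidateSet is built at call time from the
    # processes running right now, the same pattern the post's script uses
    # to present running processes as selectable parameter values.
    DynamicParam {
        $names = [string[]](Get-Process | Select-Object -ExpandProperty ProcessName -Unique | Sort-Object)
        $attrs = [System.Collections.ObjectModel.Collection[System.Attribute]]::new()
        $paramAttr = [System.Management.Automation.ParameterAttribute]::new()
        $paramAttr.Mandatory = $false
        $attrs.Add($paramAttr)
        $attrs.Add([System.Management.Automation.ValidateSetAttribute]::new($names))
        $dynParam = [System.Management.Automation.RuntimeDefinedParameter]::new('Name', [string], $attrs)
        $dict = [System.Management.Automation.RuntimeDefinedParameterDictionary]::new()
        $dict.Add('Name', $dynParam)
        return $dict
    }

    process {
        $name = $PSBoundParameters['Name']
        $procs = if ($name) { Get-Process -Name $name } else { Get-Process }

        foreach ($p in $procs) {
            [int]$flag = 0
            [int]$len = 0
            [int]$status = -1
            $critical = $null
            try {
                # $p.Handle opens the process with query rights; protected and
                # system processes throw Access Denied, reported as Critical = $null.
                $status = [NtProc]::NtQueryInformationProcess(
                    $p.Handle, [NtProc]::ProcessBreakOnTermination, [ref]$flag, 4, [ref]$len)
                if ($status -eq 0) { $critical = [bool]$flag }
            } catch {
                $critical = $null
            }
            [pscustomobject]@{
                Id       = $p.Id
                Name     = $p.ProcessName
                Critical = $critical
                NtStatus = ('0x{0:X8}' -f $status)
            }
        }
    }
}

# Usage (run elevated so that more processes can be opened):
#   Get-CriticalProcess | Where-Object { $_.Critical -eq $true } | Format-Table
#   Get-CriticalProcess -Name calc
```

On a normal system the list of Critical = True processes is short and consists of core system processes; a user application such as calc showing up there means someone has done what this post describes. Running the function before and after the post's script is also a quick way to confirm the flag was actually set before you close the application.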

After choosing Calculator and running the command, you will be notified that the process has been marked critical, as shown below.

At this time you have the last chance to save any work you may have not saved.

Proceed to close Calculator (or whichever process you chose to mark critical) and you should see the system crash. Windows will write a memory dump and restart. You should see a bugcheck screen similar to the one below.

Upon restart, the system should have a memory.dmp file containing user-mode as well as kernel stacks, depending on the crash dump type configured on the system.

You can use the Microsoft debugger (WinDbg) to investigate the memory dump.

Conclusion

I hope you agree PowerShell is a pretty powerful tool and scripting language.

I hope you are enjoying my blog posts. I would love to get your feedback and comments. Write to me at gsjutla@lessergeek.com