Detect Windows 10 blue screen error when opening a certain path

Last week, a Windows security researcher revealed two Windows 10 bugs on Twitter, which can be abused by hackers in various attacks.

The first error allows an unauthorized user or program to enter a single command causing the NTFS drive to be marked as faulty. Although the Chkdsk command solved this problem in many tests, one of the other tests showed that this Check Disk tool caused an error on the hard drive that Windows could not boot. Meanwhile, the second error causes Windows 10 to crash BSOD just by trying to open an abnormal path.

Since October, Windows security researcher Jonas Lykkegaar has tweeted several times about Windows 10 crashing and showing the BSOD instantly when typing a path into the Chrome address bar.

When developers want to interact directly with Windows computers, they can pass the Win32 device namespace path as arguments to various Windows programming functions. For example, this allows the application to interact directly with the physical disk without going through the file system

Lykkegaard found that when opening the following path in a variety of ways, even from low-privileged users, it causes Windows 10 to crash.

.globalrootdevicecondrvkernelconnect

When connecting to this device, developers have to switch the "attach" extension attribute in order to properly communicate with the device.

Lykkegaard said that if you try to connect to the path without transferring properties due to incorrect error checking, it will cause a blue screen of death on Windows 10 (BSOD).

Worse still, low-privilege Windows users can connect to the device using this path, making any program executed on the computer easy to cause Windows 10 to crash.

In the tests that were done, the error confirmed to appear on Windows 10 version 1709 or higher. "Microsoft has pledged to customers to immediately investigate reported security issues and we will provide an update to the affected devices as soon as possible," said a Microsoft spokesperson.

While it is not yet known whether this bug can be exploited for remote code execution, in its current form it can be used as a Denial of Service attack on computer.

Lykkegaard shared a Windows URL file (.url) with an installation pointing to

.globalrootdevicecondrvkernelconnect

Once the file is downloaded, Windows 10 will try to show the icon of the URL file from the problematic path and automatically crash Windows 10.

In the real case, this bug could be abused by threats that have access to the network and want to conceal their traces during an attack.

If they have administrator credentials, they can execute a command to access this path remotely on all Windows 10 devices on the network to cause them to crash. The destruction inflicted on a network can delay investigations or prevent administrator controls from detecting an attack on a particular computer.

In 2017, a similar attack scenario was used by threats in a bank burglary under the Far East International Bank (FEIB) in Taiwan. During that attack, the threats deployed the Hermes ransomware online to delay investigations of the attack.

Marvin Fry

Update 19 January 2021