another fatal bug in NT/2000 "Command Prompt" I/O

From: Michael Wojcik
Date: 10/26/01

To: BugTraq
Subject: another fatal bug in NT/2000 "Command Prompt" I/O
Date: Fri, 26 Oct 2001 11:35:42 -0700

Recent messages on the comp.lang.c and (allegedly) have documented various short programs
which cause Windows NT4 and 2000 to crash and reboot by writing certain
strings to stdout.

The following is one example of such a program:

#include <stdio.h>

int main(void)
{
   while (1)
   {
      /* output statement missing from this copy of the message */
   }
   return 0;
}

Note that several people have reported crashes using variants that do not
output unlimited text. One has crashed a test system using a program that
wrote only the four-character string "\t\b\b " (a tab, two backspaces, and a

I've confirmed that collecting a large amount of output from a program such
as the one above in a file, and then using the "type" command in a
command-prompt window to display the file, will also crash or hang the

My test system:

        IBM Thinkpad 600E
        400MHz Pentium II
        96MB RAM
        Windows NT 4 Workstation
        SP6a plus Q299444i, Q301625i, Q306121

I was logged in with a "Power User"-class user ID; administrative privilege
is not required to exploit the problem. The program was built with
Microsoft Visual C++ 6.0 SP5, from the command line with default options.

When NT crashed it displayed a crash dump message with the following

        stop c000021a in "Windows SubSystem"
        process status c0000005 (5ffb355e 0124faa0)

Note that because this has been discussed on at least two widely-read
newsgroups, it's already well-known.

I've sent a message about this to Microsoft.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
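
Added example, not part of the original message and not a vendor fix: a small C filter for viewing captured program output in a console window, which renders tab, backspace and other control characters as visible text instead of sending them to the console. That this avoids the crash is an assumption based on the strings quoted in the message; the function name neutralize is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Copy n bytes of src into dst so that no control character other than
 * CR/LF survives: tab becomes one space, every other C0 control and DEL
 * becomes caret notation (backspace 0x08 -> "^H").
 * Returns the number of bytes written (excluding the NUL terminator),
 * or (size_t)-1 if dst (capacity cap) is too small. */
size_t neutralize(const unsigned char *src, size_t n, char *dst, size_t cap)
{
    size_t o = 0;
    if (cap == 0)
        return (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = src[i];
        if (c == '\n' || c == '\r' || (c >= 0x20 && c != 0x7f)) {
            if (o + 1 >= cap) return (size_t)-1;
            dst[o++] = (char)c;               /* printable or line ending */
        } else if (c == '\t') {
            if (o + 1 >= cap) return (size_t)-1;
            dst[o++] = ' ';                   /* no tab-stop handling needed */
        } else {
            if (o + 2 >= cap) return (size_t)-1;
            dst[o++] = '^';
            dst[o++] = (char)(c ^ 0x40);      /* 0x08 -> 'H', 0x7f -> '?' */
        }
    }
    dst[o] = '\0';
    return o;
}

/* Filter stdin to stdout, e.g. run with input redirected from the captured
 * file rather than displaying that file directly. */
int main(void)
{
    unsigned char in[512];
    char out[2 * sizeof in + 1];              /* worst case: 2 bytes per input byte */
    size_t n;
    while ((n = fread(in, 1, sizeof in, stdin)) > 0) {
        size_t m = neutralize(in, n, out, sizeof out);
        if (m == (size_t)-1)
            return 1;
        fwrite(out, 1, m, stdout);
    }
    return 0;
}
```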