问题

Can a user mode fault cause a Blue Screen of Death (BSOD)? Is it possible that a memory access violation like double freeing memory can cause a blue screen or only a kernel mode exception (like a driver exception) cause Windows to crash?

回答1:

Not directly.

Direct fault will cause an exception and program crash. To cause a BSOD, the user mode application must communicate either directly or indirectly with a kernel mode driver that is possible not robust enough to protect itself from invalid user mode input.

回答2:

Most of the time, no, but there is an exception.

A Blue Screen (known also as a bug check) only occurs when something goes wrong in kernel mode (for example, a driver page faults at DISPATCH_LEVEL) or a hardware error.

User mode code usually cannot bring down the entire system (usually doing something that is not allowed will result in the program crashing or generating an error of some sort).

However, bug check 0xED can be caused directly by a user mode process. If the csrss.exe process is killed (and also wininit.exe in Windows Vista and higher), it will blue screen the computer.

It is possible to kill winlogon.exe without causing bug check 0xC000021A by first killing smss.exe as Mark Russinovich explains in the 2005 article Running Windows with No Services:

The reason we start [killing processes] with Smss.exe is that Smss.exe watches the back of Winlogon, the process it creates during the boot, so if you terminate Winlogon first Smss.exe gets upset and blue screens the machine with an error indicating that the Windows logon process terminated unexpectedly.