In a Throwback To the '90s, NTFS Bug Lets Anyone Hang Or Crash Windows 7, 8.1 (arstechnica.com)
Windows 7 and 8.1 (and also Windows Vista) have a bug that is reminiscent of the Windows 98 age, when a certain specially crafted filename could make the operating system crash (think of file:///c:/con/con). From an ArsTechnica report: The new bug, which fortunately doesn't appear to afflict Windows 10, uses another special filename. This time around, the special filename of choice is $MFT. $MFT is the name given to one of the special metadata files that are used by Windows' NTFS filesystem. The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways, and it's hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it were a directory name -- for example, trying to open the file c:\$MFT\123 -- then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock to be released. Forever. This blocks any and all other attempts to access the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.
Nonsense! (Score:5, Funny)
I just opened c:\$MFT\123 on my system and nothing bad happ
Re: (Score:3, Informative)
Whoosh!
Re: (Score:2)
Ah! (Score:5, Funny)
As I use Windows 10 I doBUY XBOX ONE! ON SALE TODAY ONLY!n't have such problems.
Re: (Score:2)
I'm also safe. I don't have Windows 7 or 8.1. I have the original Windows 8, which isn't listed as vulnerable. Yeah for Windows 8!
Re: (Score:1)
Did you upgrade from Windows ME to Windows 8?
Fun! (Score:2)
Re: (Score:2)
If you are able to compile programs with Visual C++, there are a lot of bugs that you can BSoD a terminal server with that will never get fixed.
Re: (Score:2)
I tried it on some of my 2021R2s with no effects.
I see you're on the super duper doubly secret early release program.
In the Windows XP era... (Score:2)
Re: (Score:2)
That must have been patched in the time since you last used XP.
The last time I used WinXP was in 2012.
I've got XP machines which run (patched) much longer, no problems.
IIRC, The crash bug was pre-SP1.
Re: (Score:1)
I've got XP machines which run (patched) much longer, no problems.
IIRC, The crash bug was pre-SP1.
IIRC, that was actually a Windows NT4 problem, patched in the late 90s.
Re: (Score:2)
IIRC, that was actually a Windows NT4 problem, patched in the late 90s.
Everyone else says the crash bug was in Windows 95, which is Windows bolted on top of DOS. WinXP was based on NT. IIRC, NT4 wasn't stable until 4.5 came out.
Re: (Score:1)
My favorite WinXP crash bug was the crash that happened every 45 days of continuous uptime.
How did you ever manage to keep the machine up for that long?
Re: (Score:2)
How did you ever manage to keep the machine up for that long?
By not turning them off. ;)
"Isn't higher patch count BETTER?" (Score:2)
Yes!
The more bugs in the original release, the merrier!
Really?
Re: (Score:2)
Hibernate,
Put on a shelf for 45 days
Dehibernate.
Even win10 includes hibernation time in its uptime.
Re: (Score:2)
I got up to 30 days by being very careful. Then I accidentally opened up Notepad and down it went.
Re: (Score:3)
It wasn't Windows XP, but rather Windows 95 that would crash after 49.7 days of continuous usage.
Re: (Score:2)
You completely screwed up that joke.
I wasn't joking. I had a scheduled task that would reboot my PCs every 45 days because of this crash bug. At my current job today we reboot workstations after 30+ days of uptime just to make sure that they patch properly each month.
It wasn't Windows XP, but rather Windows 95 that would crash after 49.7 days of continuous usage.
I stand corrected.
Re: (Score:2, Insightful)
Good on you, but you do know that that is just the first step in the 5 Whys [wikipedia.org] of mea culpa?
The 32-bit uptime bug in Windows 95 was the poster child of a toy operating system.
NTFS (and the giant NT/2000/XP fork in the road) was the poster child for Microsoft escaping their toy reputation.
The entire joke here is that the more things change, the more they remain the same.
Now this new $MFT fiasco is just a stupid edge case in something that actually works well enough, most of the time.
The joke u
Re: (Score:1)
I wasn't joking. I had a scheduled task that would reboot my PCs every 45 days because of this crash bug. At my current job today we reboot workstations after 30+ days of uptime just to make sure that they patch properly each month.
It wasn't Windows XP, but rather Windows 95 that would crash after 49.7 days of continuous usage.
I stand corrected.
Actually, he's wrong, the bug was in NT4 also. There was also a paging counter bug that was a mismatch of a 26-bit number into a 32-bit number that caused all sorts of issues when the 26-bit number rolled over. (might have been 24-bit, it's long ago and google wasn't around to index everything back then....)
Re: (Score:2)
We used to reboot all of our NT4 SP6a servers when the idle counter reached 500 hours. Not long after that, they always started behaving weirdly.
Re: (Score:2)
Rebooting every few weeks was a very common workaround.
Comment removed (Score:4, Funny)
Re: (Score:2)
Funny, I've seen the update counter break on several occasions, so it will actually say something like installing update 49 of 3.
I currently have a windows 10 machine that's been stuck at 91% installing the 1607 anniversary update since this time yesterday.
It's bound to finish eventually right?
Re: (Score:2)
And it was actually a bug in the hardware's timer chip, that happened to dovetail with Win95/98. Not all hardware had the bug, and those without did not experience the 49 day rollover. (My everyday W9* boxen apparently lacked the bug, as both would run for several months at a crack, and I never applied the patch.)
Re: In the Windows XP era... (Score:1)
Yep, GetTickCount overflows 32 bits after 47 days and kills Windows 9x, NT is 64 bit internally
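The 32-bit tick counter discussed in this thread wraps after 2^32 milliseconds, about 49.7 days. The following is an added example, not code from the article or from any commenter, written to show the failure mode and the defensive arithmetic: `naive_elapsed`, `elapsed_ms`, `timed_out`, `FakeTickClock` and the assumed 32-bit counter model are constructed here for illustration and are not Windows API calls.

```python
# Simulate a 32-bit millisecond tick counter (the GetTickCount model) and
# show why naive "now - start" arithmetic breaks at the wrap point while
# modular (masked) subtraction stays correct for intervals under 2^32 ms.

TICK_MASK = 0xFFFFFFFF          # 32-bit counter, wraps to 0 after this value
MS_PER_DAY = 24 * 60 * 60 * 1000


def wrap_period_days() -> float:
    """Days until a 32-bit millisecond counter wraps (~49.71)."""
    return (TICK_MASK + 1) / MS_PER_DAY


def naive_elapsed(start: int, now: int) -> int:
    """Plain subtraction: goes hugely negative once the counter has wrapped."""
    return now - start


def elapsed_ms(start: int, now: int) -> int:
    """Wrap-safe elapsed time: subtract modulo 2^32.

    Correct as long as the real interval is below 2^32 ms; beyond that the
    only fix is a wider counter (the 64-bit counter the comment mentions).
    """
    return (now - start) & TICK_MASK


def timed_out(start: int, now: int, timeout_ms: int) -> bool:
    """Timeout check that keeps working across the counter wrap."""
    return elapsed_ms(start, now) >= timeout_ms


class FakeTickClock:
    """Constructed stand-in for a 32-bit tick source (hypothetical, for tests)."""

    def __init__(self, ticks: int = 0) -> None:
        self._ticks = ticks & TICK_MASK

    def now(self) -> int:
        return self._ticks

    def advance(self, ms: int) -> int:
        # Hardware/OS counters wrap silently; emulate that with the mask.
        self._ticks = (self._ticks + ms) & TICK_MASK
        return self._ticks


def demo() -> dict:
    """Start 1 s before the wrap, wait 5 s, and compare both methods."""
    clock = FakeTickClock(TICK_MASK - 999)   # 1000 ms before rollover
    start = clock.now()
    now = clock.advance(5000)                 # counter has wrapped to 4000
    return {
        "start": start,
        "now": now,
        "naive": naive_elapsed(start, now),   # negative: the bug
        "masked": elapsed_ms(start, now),     # 5000: the real elapsed time
        "timed_out_naive": naive_elapsed(start, now) >= 3000,  # False (wrong)
        "timed_out_safe": timed_out(start, now, 3000),         # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>16}: {value}")
```

The naive check never fires once the counter has wrapped (the difference is a large negative number), which is exactly the kind of latent timer logic that only shows up after weeks of uptime; masking to the counter width restores correct behaviour until the interval itself exceeds the counter range.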
jajahaha!! (Score:2)
True enterprise level bugs
Doesn't work for me (Score:2)
Re: (Score:3, Interesting)
Try browsing to file:///c:\$MFT\123 in IE and see what happens...
Re: (Score:3, Interesting)
Yup, this works. Just coming back after a hard reboot :o
Re: (Score:2)
Sure. Me too.
Then try do something else. Like open iexplore.exe and browse to a webpage.
Re: (Score:2)
Me: what about this box inside the vault?
More like the attendant tells you to wait, goes to get the key to this box inside the vault.
Accidentally realizes they left the keys required to open the door to the box room your desk, but the
key only works with the right fingerprint scan (Two-Factor), so the attendant is stuck inside the vault,
and nobody outside can open the door even with the keys: they'll just have to wait for a manager to come
by and reset the system.
Re: (Score:3)
Checking your inputs before working with them? That there is CRAZY talk!
Yup... (Score:3)
Saw the article and spun up a test VM with Win 7.
Exploit/bug/crash/vulnerability works as advertised. Scary. An easy way to bring down an entire operating system with a bat file and a little startup/service knowledge.
Re: (Score:3)
I tried it in the server contemporaries to 7 and 8.1. (2008R2 and 2012R2)
Nearly immediate BSOD in both cases.
Re: (Score:2)
Ah, yes. Good old "ctty nul." If you hated someone enough, you can always add this to their AUTOEXEC.BAT file.
ctty nul /u
echo y|format c:
Re: (Score:1)
Classic Unix had the .login file, which might contain "logout". How do you bypass that if you have no admin rights? I have no idea, I wonder if it's possible to recover in any way.
VMS allows you to add qualifiers to your username when logging in, so you can tweak your environment. In VMS this would do what you ask:
/NOCOMMAND
Username: SANDORZOO
Password: <PASSWORD>
I always thought that was a neat idea that other OSes should copy.
Seems to require Elevation (Score:4, Informative)
I tested this... who wouldn't.
It seems to be harmless when not logged in as an Administrator.
The second I run copy C:\$MFT\123 C:\Users\blah
as Administrator however, filesystem access freezes.
So yeah..... don't run programs as Admin that use random user-specified filenames and you should be fine?
Re: (Score:3)
It seems to be harmless when not logged in as an Administrator.
I tried it as a standard user on two Windows installs, one 64-bit Windows 7 Pro on real hardware, and the other Windows 7 Home 32-bit on a VM. Both gave me a BSOD immediately.
Re: (Score:2)
On Server 2012 R2 I found as a standard user - if I tried to save a file to c:\$mft - I got an access denied error, then the machine bsod'd.
So yeah you could "exploit" this from user space, but I guess the worse it will do is restart the machine/vm.
Magic Filenames in Unix? (Score:2)
Do any real unix filesystems have magic filenames? I know unlinked files will be dumped in lost+found by convention, but it's just a directory. HFS+ didn't grow up on unix, so all of its magic files don't really count (NeXT used UFS, right?)
All I can think of is mount/.zfs on ZFS, but it's built to handle traversal - any others? Any kernel code that relies on structures that can be impacted from userspace is a potential problem, so if there are some we should watch out for them and double-check that code.
Re: (Score:2)
/, when it isn't a path separator, and \0 would be my first two corner cases to check.
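The mitigation raised in the "Seems to require Elevation" post (don't pass random user-specified filenames to the filesystem unchecked) and the corner cases listed just above (stray separators, embedded NUL) both come down to validating path components before use. The following is an added example, not code from the article or from any commenter: a small validator that rejects NTFS metadata file names such as $MFT, the legacy DOS device names behind the old c:\con\con crash, and NUL bytes. The function names (`component_problems`, `path_problems`, `is_safe_path`) and the sample paths are constructed for this illustration; the reserved-name lists are the standard NTFS metafile and DOS device names, and rejecting them in an application does not replace patching the driver bug itself.

```python
import re
from typing import List

# NTFS metadata files live in the root of every volume and are handled
# specially by the driver; none of them is a legitimate user-supplied name.
NTFS_METAFILES = frozenset({
    "$mft", "$mftmirr", "$logfile", "$volume", "$attrdef", "$bitmap",
    "$boot", "$badclus", "$secure", "$upcase", "$extend",
})

# Legacy DOS device names are reserved in every directory, with or without
# an extension (the Windows 9x c:\con\con case from the summary).
DOS_DEVICES = frozenset(
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Accept either separator so URL-style and native paths are split the same way.
_SEPARATORS = re.compile(r"[\\/]+")


def _normalise(component: str) -> str:
    # Win32 strips trailing dots and spaces before the name lookup, and NTFS
    # names are case-insensitive, so compare on that canonical form.
    return component.rstrip(" .").lower()


def component_problems(component: str) -> List[str]:
    """Return the reasons a single path component must be rejected (empty if fine)."""
    problems: List[str] = []
    if "\x00" in component:
        problems.append(f"embedded NUL byte in {component!r}")
    name = _normalise(component)
    if name in NTFS_METAFILES:
        problems.append(f"NTFS metadata file name {component!r}")
    # Device names are reserved even with an extension: con.txt is still CON.
    stem = name.split(".", 1)[0]
    if stem in DOS_DEVICES:
        problems.append(f"DOS device name {component!r}")
    return problems


def path_problems(path: str) -> List[str]:
    """Check every component of a path; drive letters and scheme prefixes pass through."""
    problems: List[str] = []
    for component in _SEPARATORS.split(path):
        if component:
            problems.extend(component_problems(component))
    return problems


def is_safe_path(path: str) -> bool:
    """True when no component is a reserved name and no NUL byte is present."""
    return not path_problems(path)


if __name__ == "__main__":
    # Constructed sample inputs: the two names from the summary plus ordinary paths.
    for sample in (r"c:\$MFT\123", "file:///c:/con/con",
                   r"C:\Users\blah\report.txt", "report\x00.txt"):
        verdict = "ok" if is_safe_path(sample) else "; ".join(path_problems(sample))
        print(f"{sample!r}: {verdict}")
```

Run the check on any path that originates from user input before handing it to a file API, and log the rejection reason: a spike in rejected $MFT or device-name components is a useful detection signal in its own right.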
Re: (Score:2)
One could argue that Unix uses "magic" filenames everywhere - devices are mapped to filenames and most modern systems map almost everything internal as files. Windows NT doesn't map devices to files by default but a few are mapped into the Win32 subsystem to keep backwards compatibility, those things aren't files per se but emulated so that they can be treated as files - hence the "magic" nature of them.
The MFT file isn't "magic" BTW, this is a locking problem at worst or not a problem at all if one likes t
Re: (Score:3)
Unix doesn't use magic fileNAMES. It uses magic files. Naming them is quite arbitrary and there are very few surprises that can result from that. (naming a file "*" is really asking for trouble...) Now for assumptions programs make about what file contains what, and OS behavior as it accesses these special files... c'mon, rename sda1 to null...
Re: (Score:2)
That's true. No real magic filenames in Unix - except perhaps magical simplicity? :P
Re: (Score:2)
Did you learn that after, or before encountering your first "*" file? :]
Re: (Score:2)
> Do any real unix filesystems ...
What are your criteria to evaluate a "pseudo" unix from a "real" unix??
> ... unix filesystems have magic filenames?
Uh, what do you think
are?
Reference:
"What are reserved filenames for various platforms?" [stackoverflow.com]
Re: (Score:2)
What are your criteria to evaluate a "pseudo" unix from a "real" unix??
A real UNIX system is one whose publisher has taken a trademark license from The Open Group.
Re: Magic Filenames in Unix? (Score:2)
There are various magic file names (think things in /dev or /var) but reading/writing to them (if you are permitted) is by design how you interact with them.
To my knowledge there is no module that is permitted to hang up the kernel (BSOD) simply by reading it, at worst you get the serial port to poop out some bad characters.
NTFS = (Score:1)
No timeout, full stop.
Re: (Score:2)
Master File Table. Look at the VMS design, realize that Windows NT was primarily designed by ex-VMS people and be enlightened.
Re: (Score:1)
In VMS (or rather Files-11) it's called INDEXF.SYS. It is a visible, readable file (as system/root). I've never tried to delete it, to see what happens. Must do that one day, before all the systems I have access to are gone :(
The fact that if you advance one letter in the alphabet with 2001's "HAL" you get "IBM", and if you do the same with "VMS" you get "WNT" is supposedly a coincidence.
Re: (Score:2)
Yes, but the two filesystems in question aren't the same (while clearly related). The INDEXF.SYS file is located in the MFD (Master File Directory); the NTFS MFT combines several types of metadata that are located in the MFD as separate files. The name is derived from the Files-11 design but changed as it no longer is a directory.
Anyone hang or crash windows? (Score:3)
Doesn't work for me (Score:3)
$ c:\$MFT\123
c:$MFT123: command not found
$
Re: Doesn't work for me (Score:2)
The Linux equivalent has to involve /dev. Maybe copying /dev/urandom someplace will fill a disk or something.
Re: (Score:2)
You need to run cmd.exe not bash.exe when opening your console.
Works on NT 3.51 too (Score:4, Interesting)
Just for funsies I loaded up my Windows NT 3.51 VM I have around for no good reason and tried it, and it immediately hard-locked. Must be a very old bug.
Re: (Score:2)
Just for funsies I loaded up my Windows NT 3.51 VM I have around for no good reason and it immediately hard-locked.
FTFY
Server 2008 and 2008 R2 (Score:1)
So for some reason no one mentioned that this bug also affects Server 2008 and 2008 R2. Even though most IT people would know that those are more or less identical OSs to Windows 7 and 8 respectively, it still should be listed.
Mmmm..... (Score:2)
This just gives me a warm fuzzy blast from the past. And present. And maybe future of my Windows install. But I don't really worry, I only use my Windows box for running Adobe stuff.
Yep (Score:2)
Dropped to cmdline in Win7 and did dir $MFT, stuff that runs from cache still worked but anything requiring disk locked up hard. Had to reboot. Sad. Thanks Obama!