Anti-cheat software causing big problems for Windows 10 previews

By Peter Bright

Preview releases of Windows have a green screen of death instead of a blue one so they can be easily distinguished.
Enlarge / Preview releases of Windows have a green screen of death instead of a blue one so they can be easily distinguished.

The Windows 10 Insider Preview Slow Ring—the beta track that's meant to receive only those builds that are free from any known serious problems—hasn't received an update for months. While the fast ring is currently testing previews of the April 2019 release, codenamed 19H1, and the even-faster skip-ahead ring is testing previews not of the October 2019 release, 19H2, but of the April 2020 release, 20H1, the Slow Ring is yet to receive a single 19H1 build.

This has prompted some concern among insiders that perhaps the ring has been forgotten about, and it has even caused a few complaints from companies that are using the Windows Insider for Business program to validate new Windows releases before their launch. Without Slow Ring builds to test, there's nothing to validate, meaning that they'll have to delay deployment of 19H1 once it ships.

Microsoft's Dona Sarkar, chief of the Windows Insider program, explained yesterday what the problem is, and in many ways it's a throwback to Windows' past, before the days of DEP and ASLR and PatchGuard and all the other measures Microsoft has implemented to harden Windows against malicious software: the build is crashing when some unspecified common anti-cheat software is used. Sarkar's tweet says that the software causes a GSOD, for Green Screen of Death; the traditional and disappointingly familiar Blue Screen of Death, denoting that Windows has suffered a fatal error, is colored green for preview releases so they can be distinguished at a glance from crashes of stable builds.

Fast ring builds have the same GSOD issue, and indeed, it has been listed on their known issues list for many months.

Sarkar says that the fix must come from the third-party company that developed the anti-cheat software. Often when compatibility issues arise, Microsoft will modify either Windows or the errant application to ensure that it continues to run, but the anti-cheat drivers are a different story entirely. They run in kernel mode (hence the GSOD when they crash) and routinely tamper with pieces of the operating system that they're not supposed to tamper with. It's possible that this particular driver is doing nothing forbidden and using only officially permitted hooks within the kernel to do its business; it's also very likely that it's messing with things it shouldn't mess with and damaging kernel data structures or code.

Either way, there seems to be something of an impasse. Microsoft hasn't reverted whatever change is causing the crashes in the first place, but it has been a problem for months and is having a significant impact on the company's Windows 10 testing infrastructure. The entire testing pipeline has seized up because of this GSOD problem. Amid concerns that Windows 10's testing already has too many gaps and leaves too many bugs unresolved, the April 2019 update is off to a rocky start, and it isn't even finished yet.

Update: While the GSOD of death issue remains, Microsoft has at last pushed a build to the Slow Ring, number 18342.8. To avoid crashing machines, the build won't be offered to any system that has the offending anti-cheat software installed. It's not clear why this approach could not have been used months ago.