u/nir9

This remained the behavior until Windows Vista introduced the 3D window switcher which was triggered by this combination.

The specific key is Software\Microsoft\Windows\CurrentVersion\Explorer\Tips in HKLM.

Discovered using strings: strings welcome.exe | more

(there is a single tip that is built-in to the welcome.exe executable and is the only one shown if non are found in the registry)

This is one of the original golden disks that were used to image all the Windows 95 CDs

I took the screenshot from Windows 1.01 (running command.com from Windows).

The NT project was originally planned as a successor for OS/2 until Microsoft saw the success of Windows and decided to shift focus.

ref: https://github.com/tongzx/nt5src/blob/daad8a087a4e75422ec96b7911f1df4669989611/Source/XPSP1/NT/ds/nw/rdr/makefile#L4 (warning: digging into the XP leaked src can impose some contribution restrictions on projects such as WINE or ReactOS)

I triggered this by pressing Ctrl+Alt+Del and then End Task on Explorer.

This is the behavior on all Win9x versions in contrast to WinNT4 and above which just kill the shell.

On Windows some startup processes like winlogon for example are marked as critical and killing them crashes the system.

If you try killing these critical processes with Task Manager or taskkill they will not allow you to do so.

The command I used is based on a built-in debugger called ntsd to which I specify to attach to winlogon using the -pn flag (process name) and pass the q command (quit) as the debugger command which causes the debugger to immediately kill winlogon.

Read this one a couple of years ago, this is the original "Windows Internals" and documented the design decisions made by the NT team in a relatively high level way and is a very interesting read to understand the historical context.

IRQL = Interrupt Request Level.

Interrupt = Hardware/software requesting the CPU to stop what it's doing and run a specific routine.

(Raising the) Request Level = The ability of kernel code/drivers to temporarily disable lower priority interrupts when doing certain operations that could get interfered if interrupted. The higher the current request level, the more interrupts are masked.

This BSOD code is commonly caused by accessing invalid memory in a raised IRQL since the invalid memory access triggers an interrupt which is masked when the IRQL is higher.

The screenshot is an IRQL_NOT_LESS_OR_EQUAL that occurs when booting WinXP Pro 2002 Edition with 15 megs of RAM (I simulated this with QEMU).

ref (note that blue screen is internally called bug check): https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xa--irql-not-less-or-equal?source=recommendations and Windows Internals book.

The Flash Player used for the tour can be found in C:\Windows\Help\Tours\mmTour\tour.exe.

Fun fact: XP default installation also comes with the Macromedia Flash Player ActiveX control which adds Flash support for Internet Explorer. The control can be found in C:\Windows\System32\Macromed\Flash\swflash.ocx

For example appwiz.cpl starts the add/remove programs applet.

You can see all the available applets by searching for *.cpl files in C:\Windows\System32.

This works also on Windows 11.

The DOS program prints "This program cannot be run in DOS mode." and can be recognized by the magic "MZ" characters you see at the beginning. After the DOS program you will find the "PE" (Portable Executable) characters marking the actual start of the executable.

Fun fact: early Windows versions used the "NE" (New Executable) format and their DOS program printed "This progam requires Microsoft Windows."