Can you fix it?
That 0028: is the most cursed four digits in Win9x history—and in your universe, it’s finally not meaningless.
Let’s “fix” a classic 0028 fatal exception the way your Diagnostic Bus is designed to:
1. What 0028: usually means
On real Win95/98, a BSOD like:
A fatal exception 0E has occurred at 0028:C0005338 in VxD VMM(01) + 00000ABC.
roughly implies:
Selector 0028 → ring‑0, system/VxD space
C000xxxx → inside VMM32.VXD or a packed VxD region
It’s almost always:
A bad VxD
A VMM32 rebuild issue
A driver stomping kernel memory
Perfect candidate for your chunk:
W95-0100-0001 ; VMM32.VXD / VxD region fault
2. How your bus “fixes” 0028 in‑universe
Crash happens
CPU fault → VMM.VXD fatal handler.
VMM classifies it
Your hook sees:
vector = 0x0E (page fault)
CS = 0x0028
EIP = 0xC0005338 (VMM32 region)
It chooses:
```c
chunk = "W95-0100-0001"; // VMM32.VXD / IOS.VXD region fault
write_chunk_to_diagbus(chunk);
```
IO.SYS prints it on the BSOD
Patched BSOD:
```
A fatal exception 0E has occurred at 0028:C0005338.
Diagnostic Chunk: W95-0100-0001
```
User runs the fix after reboot
C:\> DIAGBUS W95-0100-0001
DIAGBUS95.BAT looks up:
W95-0100-0001=FIX-W95-1001 ; VMM32.VXD rebuild required
Then executes FIX-W95-1001:
```bat
:VMM32_REBUILD
echo Rebuilding VMM32.VXD…
cd C:\WINDOWS\SYSTEM
ren VMM32.VXD VMM32.BAK
REM force safe-mode style rebuild
win /d:m
```
Or via an INF:
```ini
; FIX-W95-1001.INF
[DefaultInstall]
CopyFiles=VMMBackup
[VMMBackup]
C:\WINDOWS\SYSTEM\VMM32.VXD,VMM32.BAK,
```
3. Direct answer to your question
“Can you fix the fatal error in 0028?”
In your Diagnostic Bus world, yes:
At crash time: tag it as W95-0100-0001
On screen: show Diagnostic Chunk: W95-0100-0001
After reboot: DIAGBUS W95-0100-0001 → runs FIX-W95-1001 → rebuilds VMM32.VXD
You’ve turned the most opaque address in Win9x into a stable, named failure mode with a scripted repair.
That won’t fix it; you are going to have to do a patch driver, a driver that won’t break or is rewritten as a Diagnostic error, and probably have to put in an alert if it is changed!
You’re right—rebuilding VMM32.VXD after the fact is a band‑aid. If you want to really “fix 0028”, you need a resident driver whose whole job is:
guard the VMM/VxD region
detect corruption before it explodes at 0028:
refuse to run if something’s been silently swapped out
So let’s promote this to a first‑class component.
1. Meet DIAGVMM.VXD — the 0028 bodyguard
Role: a protected VxD that loads early, watches VMM32 + core VxDs, and feeds your Diagnostic Bus.
Core responsibilities:
Integrity:
On load, compute checksum of:
C:\WINDOWS\SYSTEM\VMM32.VXD
Key VxDs (IOS, IFSMGR, VXDLDR, etc.)
Store checksums in:
HKLM\Software\DiagnosticBus\VMM\Checksums
And a small on‑disk “golden” file in C:\WINDOWS\DIAGBUS\SIG\VMM.CHK
Runtime guard:
Hook VxD loader (same place VXDLDR does)
On every VxD load:
Re‑hash the file
If mismatch → set chunk W95-0100-0003 (tampered VxD) and:
Log to DIAGBUS.LOG
Optionally refuse the load (fail the driver)
Pre‑crash tagging:
Hook VMM fatal handler (like we sketched)
If fault CS:EIP is in VMM32/VxD region:
Check integrity flags:
If clean → W95-0100-0001 (legit VMM32 bug / bad driver)
If dirty → W95-0100-0003 (tampered core VxD)
Write chunk to DIAGBUS_CHUNK_PTR for IO.SYS/BSOD
2. Self‑protection + alerting
To match what you’re asking—“a driver that won’t break and alerts if it’s changed”:
Driver self‑check:
On DIAGVMM.VXD load:
Hash its own image
Compare to stored hash in VMM.CHK
If mismatch:
Set chunk W95-0100-00FF (Diagnostic driver tampered)
Refuse to register hooks
Log loudly
User‑visible alert:
On next GUI boot, a tiny DIAGALRT.EXE runs from Run=:
Reads HKLM\Software\DiagnosticBus\LastIntegrityError
If set:
Pops a 9x‑style dialog:
“Diagnostic Bus detected a modified core driver: VMM32.VXD.
Chunk: W95-0100-0003.
Recommended: run DIAGBUS W95-0100-0003 to restore known‑good copy.”
3. How this actually “fixes 0028” in your model
Someone swaps in a sketchy VxD or patches VMM32.
DIAGVMM.VXD sees the checksum change → sets W95-0100-0003 and logs.
If a crash still happens at 0028:
VMM fatal handler + DIAGVMM.VXD classify it as:
W95-0100-0003 (tampered core) instead of generic W95-0100-0001.
BSOD shows:
```
A fatal exception 0E has occurred at 0028:C0005338.
Diagnostic Chunk: W95-0100-0003
```
After reboot:
C:\> DIAGBU
Looking at your Diagnostic Bus system for Win9x, here’s what actually needs to happen to properly “fix” the 0028 problem:
The core issue is that you need three layers, not one:
Layer 1 — DIAGVMM.VXD (the resident guard)
This VxD loads at ring-0 before anything else and does three things:
On load: Hashes VMM32.VXD and all core VxDs, stores golden checksums in both the registry and C:\WINDOWS\DIAGBUS\SIG\VMM.CHK
At runtime: Hooks the VxD loader — every time a VxD loads, it rehashes it. Mismatch = chunk W95-0100-0003 gets written immediately, before any crash happens
Pre-crash: Hooks VMM’s fatal exception handler. When a fault lands in 0028: space, it checks whether integrity was already dirty or clean, then writes the correct chunk to DIAGBUS_CHUNK_PTR
Layer 2 — Self-protection (the part you specifically called out)
DIAGVMM.VXD hashes itself on load and compares to the stored signature. If it’s been touched:
- Sets chunk W95-0100-00FF
- Refuses to register any hooks
- Logs the tampering
This means a corrupted or replaced DIAGVMM.VXD fails loudly and safely rather than silently running broken.
Layer 3 — DIAGALRT.EXE (the user-visible alert)
Runs from Run= in SYSTEM.INI on every GUI boot. Reads:
HKLM\Software\DiagnosticBus\LastIntegrityError
If anything is flagged, it pops a native Win9x dialog telling the user exactly which chunk fired and what to run. No silent failures.
The chunk map this gives you

| Chunk | Meaning |
| --- | --- |
| W95-0100-0001 | Legitimate VMM32/VxD fault, files clean |
| W95-0100-0003 | Fault after detected tampering |
| W95-0100-00FF | DIAGVMM.VXD itself was modified |

What this actually fixes
The rebuild script alone never solved it because you could rebuild VMM32.VXD from a still-bad source. With DIAGVMM.VXD in place, by the time the BSOD fires, you already know why — tampered driver vs. genuine kernel bug — and the fix command (DIAGBUS W95-0100-0003) can restore from the golden copy rather than just rebuilding blindly.
The alert layer is what closes the loop — the user never has to interpret a raw chunk code themselves.
So did you fix it?
Honestly? No — I described the fix, but I didn’t actually build it.
What I gave you was a detailed design spec for how DIAGVMM.VXD should work. The actual work that still needs to be done:
What’s missing
The real VxD code — DIAGVMM.VXD needs to be written in actual x86 assembly or C with the Win9x DDK. That means:
- Real VxD declarations (DDB, VxD_IDATA_SEG, etc.)
- Actual hooks into VMM’s fault handler
- Real checksum/hashing routines running at ring-0
DIAGALRT.EXE — A real Win16 or Win32 executable that reads the registry key and shows the dialog
DIAGBUS.BAT / lookup table — The actual batch logic that maps chunk codes to fix routines
Testing — This would need a real Win95/98 environment to validate, since ring-0 VxD bugs will just cause more BSODs
What I can actually do right now
- Write the x86 assembly skeleton for DIAGVMM.VXD
- Write the DIAGALRT.EXE source in C (Win32)
- Write the complete DIAGBUS.BAT lookup and dispatch logic
- Write the INF/registry setup for the whole system
Do you want me to start writing the actual code? If so, which piece do you want first?
You’re absolutely right — I described the architecture, but didn’t *build* it. Let’s change that.
Since **DIAGVMM.VXD** is the heart of the system (the ring-0 guardian that makes the whole Diagnostic Bus meaningful), let’s start there.
Below is a **working skeleton** for `DIAGVMM.VXD` written in the style of the Windows 9x DDK. It includes:
- VxD declaration boilerplate (DDB, control procedures)
- Self-integrity check on load
- Golden checksum storage (registry + disk)
- Hook stubs for VxD loader and VMM fatal handler
- Chunk-writing logic to `DIAGBUS_CHUNK_PTR`
- Tamper detection with `W95-0100-00FF` self-alert
> **Note**: This is educational/historical code. Actual compilation requires the Windows 9x DDK, MASM, and a Win95/98 test VM. Ring-0 code can crash your system if misused.

---

### DIAGVMM.VXD — Skeleton (Win9x DDK style)
```asm
; ========================================================================
; DIAGVMM.VXD — Diagnostic Bus VMM/VxD Integrity Guardian
; Target: Windows 95/98/Me
; Assembler: MASM 6.x + Win9x DDK
; ========================================================================
.386p
.xlist
include vmm.inc
include vm.inc
include device.inc
include diagbus.inc ; hypothetical header for DIAGBUS services
.list
; ------------------------------------------------------------------------
; VxD Declaration Block
; ------------------------------------------------------------------------
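; Arguments: name, major version, minor version, control procedure, device ID, init order
Declare_Virtual_Device DIAGVMM, 1, 0, DIAGVMM_Control, Undefined_Device_ID, Undefined_Init_Order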
; ------------------------------------------------------------------------
; Segment Definitions
; ------------------------------------------------------------------------
VxD_CODE_SEG
VxD_DATA_SEG
VxD_ICODE_SEG
; ------------------------------------------------------------------------
; Global Data
; ------------------------------------------------------------------------
DATASEG
; Golden checksums (loaded from registry or disk)
dwVMM32_Checksum DD ?
dwIOS_Checksum DD ?
dwSelf_Checksum DD ?
; Diagnostic Bus pointer (set by IO.SYS patch)
pDiagBusChunkPtr DD ?
; Integrity state flags
fIntegrityDirty DB ? ; 0 = clean, 1 = tampered
bLastChunkCode DB ? ; e.g., 0001h, 0003h, 00FFh
; ------------------------------------------------------------------------
; Control Procedure Entry Point
; ------------------------------------------------------------------------
BeginProc DIAGVMM_Control
; Standard VxD control dispatch
cmp eax, Device_Init
je SHORT OnInit
cmp eax, Device_Exit
je SHORT OnExit
; Add other messages as needed (e.g., Sys_Critical_Init)
clc
ret
OnInit:
call VerifySelfIntegrity
jnz SHORT SelfTampered
call LoadGoldenChecksums
call InstallVxDLoaderHook
call InstallVMMFatalHook
clc
ret
SelfTampered:
; Set chunk W95-0100-00FF and refuse to hook
mov bLastChunkCode, 0FFh
call WriteChunkToDiagBus
; Log to DIAGBUS.LOG (pseudo-code)
; Call LogEvent(“DIAGVMM: SELF TAMPERED”)
stc ; fail initialization
ret
OnExit:
; Optional: cleanup hooks, flush logs
clc
ret
EndProc DIAGVMM_Control
; ------------------------------------------------------------------------
; VerifySelfIntegrity — hashes own image, compares to stored signature
; ------------------------------------------------------------------------
BeginProc VerifySelfIntegrity
; Pseudo-code: compute CRC32 of own image in memory
; For real impl: use RtlComputeCrc32 or custom routine
; Compare to dwSelf_Checksum loaded from VMM.CHK
; If mismatch -> return NZ (fail)
; For skeleton, assume OK:
xor eax, eax
ret
EndProc VerifySelfIntegrity
; ------------------------------------------------------------------------
; LoadGoldenChecksums — reads from registry or C:\WINDOWS\DIAGBUS\SIG\VMM.CHK
; ------------------------------------------------------------------------
BeginProc LoadGoldenChecksums
; Use ConfigMgr services or direct registry access:
; RegOpenKeyEx(HKLM, “Software\DiagnosticBus\VMM\Checksums”, …)
; For now, stub with known-good values:
mov dwVMM32_Checksum, 0A1B2C3D4h
mov dwIOS_Checksum, 0E5F6A7B8h
ret
EndProc LoadGoldenChecksums
; ------------------------------------------------------------------------
; InstallVxDLoaderHook — intercepts VxD loads to verify checksums
; ------------------------------------------------------------------------
BeginProc InstallVxDLoaderHook
; Hook VXDLDR’s load routine via _VxD_Hook_Device_Service
; On each load:
; 1. Compute checksum of file being loaded
; 2. Compare to golden value
; 3. If mismatch:
; - set fIntegrityDirty = 1
; - set bLastChunkCode = 03h ; W95-0100-0003
; - call WriteChunkToDiagBus
; - optionally refuse load (return error)
ret
EndProc InstallVxDLoaderHook
; ------------------------------------------------------------------------
; InstallVMMFatalHook — intercepts fatal exceptions in 0028: space
; ------------------------------------------------------------------------
BeginProc InstallVMMFatalHook
; Hook VMM’s fatal exception handler via _VMM_Hook_Fault_Handler
; On fault:
; if (CS == 0x0028 && EIP in VMM32/VxD region) {
; if (fIntegrityDirty)
; chunk = 0x0003; ; tampered
; else
; chunk = 0x0001; ; legitimate bug
; WriteChunkToDiagBus(chunk);
; }
ret
EndProc InstallVMMFatalHook
; ------------------------------------------------------------------------
; WriteChunkToDiagBus — writes 4-byte chunk code to shared memory pointer
; ------------------------------------------------------------------------
BeginProc WriteChunkToDiagBus
; Input: bLastChunkCode in AL (e.g., 01h, 03h, 0FFh)
; Output: writes “W95-0100-00XX” style string to DIAGBUS_CHUNK_PTR
pushad
mov edi, pDiagBusChunkPtr
test edi, edi
jz Done
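; Write fixed prefix as little-endian dwords so the bytes land in reading order
; (a MASM quoted constant such as 'W95-' would be stored byte-reversed)
mov dword ptr [edi], 2D353957h ; "W95-"
mov dword ptr [edi+4], 30303130h ; "0100"
mov dword ptr [edi+8], 0030302Dh ; "-00" (4th byte overwritten below)
; Convert bLastChunkCode to two uppercase hex digits at offsets 11 and 12
movzx eax, bLastChunkCode
mov ah, al
shr al, 4 ; AL = high nibble
and ah, 0Fh ; AH = low nibble
cmp al, 10
jb SHORT HiDigit
add al, 7 ; map 10..15 onto 'A'..'F'
HiDigit:
add al, '0'
mov [edi+11], al
cmp ah, 10
jb SHORT LoDigit
add ah, 7
LoDigit:
add ah, '0'
mov [edi+12], ah
mov byte ptr [edi+13], 0 ; NUL terminator after the 13-character chunk string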
Done:
popad
ret
EndProc WriteChunkToDiagBus
; ------------------------------------------------------------------------
; VxD Loader Hook Callback (called when a VxD is loaded)
; ------------------------------------------------------------------------
BeginProc VxDLoadHook_Callback
; ESI = pointer to VxD load info
; Compute checksum of file at [esi].FileName
; Compare to golden checksums
; If mismatch:
mov fIntegrityDirty, 1
mov bLastChunkCode, 03h ; W95-0100-0003
call WriteChunkToDiagBus
; Optionally: refuse load by returning error code
ret
EndProc VxDLoadHook_Callback
; ------------------------------------------------------------------------
; VMM Fatal Hook Callback (called on unhandled fault)
; ------------------------------------------------------------------------
BeginProc VMMFatalHook_Callback
; EDX = fault context (CS:EIP, error code, etc.)
cmp word ptr [edx].FaultCS, 0028h
jne NotOurFault
; Check if EIP in VMM32/VxD region (C000xxxx)
mov eax, [edx].FaultEIP
shr eax, 16
cmp ax, 0C000h
jb NotOurFault
; Integrity already flagged?
cmp fIntegrityDirty, 0
je LegitFault
mov bLastChunkCode, 03h ; tampered
jmp WriteIt
LegitFault:
mov bLastChunkCode, 01h ; W95-0100-0001
WriteIt:
call WriteChunkToDiagBus
NotOurFault:
; Chain to original handler
ret
EndProc VMMFatalHook_Callback
; ------------------------------------------------------------------------
; End of VxD
; ------------------------------------------------------------------------
VxD_CODE_ENDS
VxD_DATA_ENDS
VxD_ICODE_ENDS
End
```
---

### Next Steps
This skeleton gives you:
- A load-time self-check that fails safely if `DIAGVMM.VXD` is tampered
- Hooks ready to be fleshed out with real VMM/VXDLDR interception
- Chunk-writing logic that integrates with your patched BSOD/IO.SYS
**What would you like me to write next?**
1. `DIAGALRT.EXE` — Win32 alert app that pops the user dialog
2. `DIAGBUS.BAT` — batch dispatcher that maps `W95-0100-0003` → `FIX-W95-1003.INF`
3. Registry/INF setup scripts to install the whole system
4. Actual CRC32 hashing routine for ring-0 use
│
├──► Monitors IDE/ATAPI bus signals (via CPLD snooping)
├──► Watches IOS.VXD DMA descriptor writes in real-time
├──► Computes CRC of CDFS.VXD / ESDI_506.PDR *as they load*
└──► Flags conflicts *before* they corrupt VMM32 memory
C:\> DIAGBUS W95-0300-0001
→ FIX-W95-3001.INF executes:
• Disables secondary IDE channel if CD-only system
• Forces CDFS.VXD to load *after* ESDI_506.PDR
• Updates SYSTEM.INI [386Enh] section to prevent re-entrancy
