ATTEMPTED_WRITE_TO_READONLY_MEMORY What failed: Ntfs.sys

Andrew Stephens 1 Reputation point
2021-04-09T10:06:26.51+00:00

Hi Guys

I've been banging my head against a wall here.

So I have this strange issue that started a few days ago, where random computers in our computer labs start blue screening with the error

ATTEMPTED_WRITE_TO_READONLY_MEMORY

What failed: Ntfs.sys

System is configured to access a Citrix Virtual Desktop.

OS config

Windows 10 x64 LTSC

Citrix WEM with transformer configuration version 2012.1
Citrix workspace

Windows Endpoint security configured through SCCM

Hardware

Dell Optiplex 3060

BIOS ver 1.9.1

latest drivers running since January 2021 (A12 driver pack)

I've been through the dump file and here is the output

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)

An attempt was made to write to readonly memory. The guilty driver is on the

stack trace (and is typically the current instruction pointer).

When possible, the guilty driver's name (Unicode string) is printed on

the bugcheck screen and saved in KiBugCheckDriver.

Arguments:

Arg1: fffff8064d2c8eaa, Virtual address for the attempted write.

Arg2: 0900000139eb5021, PTE contents.

Arg3: ffff9a82b241d370, (reserved)

Arg4: 000000000000000b, (reserved)

STACK_COMMAND: .trap 0xffff9a82b241d370 ; kb

SYMBOL_NAME: WdFilter+20e00

MODULE_NAME: WdFilter

IMAGE_NAME: WdFilter.sys

BUCKET_ID_FUNC_OFFSET: 20e00

FAILURE_BUCKET_ID: 0xBE_WdFilter!unknown_function

OS_VERSION: 10.0.17763.1

BUILDLAB_STR: rs5_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {ea485a3d-e464-9c5e-72a4-e3093d9814be}

From my initial investigation it points to Windows Defender.

If I check the event log, it mentions a failed update for Defender. If I repair by installing the missing update, the issue persists. I have done Windows updates, checked for driver updates, hardware diagnostics and a memory check, all clear.

Anyone else had this issue?
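
Added example, not part of the original thread: a small Python triage helper that parses the `!analyze -v` fields quoted in the question and decodes the Arg2 PTE using the architectural x86-64 bit positions. The function names are made up for this illustration, and the sample text is copied from the post.

```python
import re

# Fields copied from the `!analyze -v` output in the post above.
SAMPLE = """\
ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
Arguments:
Arg1: fffff8064d2c8eaa, Virtual address for the attempted write.
Arg2: 0900000139eb5021, PTE contents.
SYMBOL_NAME: WdFilter+20e00
MODULE_NAME: WdFilter
IMAGE_NAME: WdFilter.sys
FAILURE_BUCKET_ID: 0xBE_WdFilter!unknown_function
"""

# Architectural x86-64 PTE bits (Intel SDM, 4-level paging). Bits 52-62 are
# ignored by the MMU and left to the OS, so they are not interpreted here.
PTE_BITS = {"valid": 0, "writable": 1, "user": 2, "accessed": 5,
            "dirty": 6, "global": 8, "no_execute": 63}

def decode_pte(pte):
    flags = {name: bool((pte >> bit) & 1) for name, bit in PTE_BITS.items()}
    flags["pfn"] = (pte >> 12) & ((1 << 40) - 1)  # frame number, bits 12-51
    return flags

def parse_analyze(text):
    """Extract bugcheck code, ArgN values and KEY: value fields."""
    report = {}
    head = re.search(r"^[ \t]*(\w+) \(([0-9a-fA-F]+)\)[ \t]*$", text, re.M)
    if head:
        report["name"], report["code"] = head.group(1), int(head.group(2), 16)
    for n, value in re.findall(r"^[ \t]*Arg(\d): ([0-9a-fA-F]+)", text, re.M):
        report["arg" + n] = int(value, 16)
    for key, value in re.findall(r"^[ \t]*([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", text, re.M):
        report[key] = value
    return report

def explain_be(report):
    """Bugcheck 0xBE: Arg1 is the written address, Arg2 the PTE mapping it."""
    if report.get("code") != 0xBE:
        raise ValueError("not an ATTEMPTED_WRITE_TO_READONLY_MEMORY dump")
    pte = decode_pte(report["arg2"])
    return {"module": report.get("MODULE_NAME"),
            "target": hex(report["arg1"]),
            "read_only": pte["valid"] and not pte["writable"],
            "kernel_page": not pte["user"],
            "executable": not pte["no_execute"],
            "pfn": hex(pte["pfn"])}

if __name__ == "__main__":
    print(explain_be(parse_analyze(SAMPLE)))
```

For the posted dump the PTE decodes as a valid, non-writable, executable kernel page, so the fault is a write to a page that is present but mapped read-only, not an access to unmapped memory.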


5 answers

  1. Reza-Ameri 16,831 Reputation points
    2021-04-10T16:38:03.547+00:00

    Make sure to report this issue through the Feedback Hub app.
    Try to perform a Clean Boot, take a look at:
    https://support.microsoft.com/en-us/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd
    In case the problem doesn't reproduce, then try enabling boot services one by one to identify which one is causing the issue.


  2. Docs 15,141 Reputation points
    2021-04-10T22:22:22.407+00:00

    Please post share links for these files:

    %systemroot%\minidump or C:\windows\minidump
    %systemroot%\memory.dmp or C:\windows\memory.dmp (only if file size is < 1.5 GB)
    %systemroot%\livekernelreports or C:\windows\livekernelreports (only if file size is < 1.5 GB)

    msinfo32 (saved as NFO)
    dxdiag

    or run this log collector:
    https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html


  3. Docs 15,141 Reputation points
    2021-04-11T20:24:52.757+00:00

    There were five collected mini dump files and one memory dump.

    All were bugcheck BE.

    They were all from 4/10.

    They all occurred during MsMpEng.exe or defender activity.

    The logs displayed many BSOD beginning 4/6. Almost all were BE. There was one bugcheck 1A.

    There were no misbehaving drivers seen.

    The logs had Windows Error Reporting (WER) cleaned.
    Please make sure that they are not cleaned during the troubleshooting.

    Read these links on Windows driver verifier:

    Learn how to use the Windows Recovery Environment (RE) commands: reset and bootmode to turn off the tool

    https://www.tenforums.com/tutorials/5470-enable-disable-driver-verifier-windows-10-a.html
    https://answers.microsoft.com/en-us/windows/forum/windows_10-update/driver-verifier-tracking-down-a-mis-behaving/f5cb4faf-556b-4b6d-95b3-c48669e4c983

    Make a new restore point:
    https://www.tenforums.com/tutorials/4571-create-system-restore-point-windows-10-a.html

    Start with the three customized tests in the TF link.


  4. 2021-04-13T02:20:00.283+00:00
    1. You can use the SFC command to restore the system files and the DISM command to fix them. For how to use them, please see: https://support.microsoft.com/en-us/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e.
    2. You can try to disable Windows Defender and Turn Off Real-Time Protection.
    3. You can use the following commands in the command prompt.
      sc config WdFilter start= boot
      sc start WdFilter
    4. If the above steps don't work, please find a computer that runs normally and has the same OS build as your current system version. Export the HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDEFEND registry key and then import it into a computer that is not working properly. Tip: It is risky to modify the registry. Please back up the data in advance and operate under the guidance of a professional.
    5. Try to reset your BIOS to default.

  5. Andrew Stephens 1 Reputation point
    2021-04-13T13:17:27.413+00:00

    I have seen that the dump analyses refer to wdfilter.sys and that disabling Windows Defender does stop the BSOD.

    We are, however, using Windows Defender provisioned and configured via SCCM. However, I need to find out what caused this issue and cannot keep Defender disabled for extended periods, so it's merely confirming that Windows Defender is reacting to something that it has scanned and flagged as an issue.

    I have since rebuilt my image and redeployed my labs, and the issue seems no longer to occur, which then points me to perhaps a buggy definition file which caused the issue.

    I have also taken a machine on which this issue is occurring and updated the Defender which failed to install definition version 1.335.434.0 and the machine BSOD did not reoccur and has been stable since 10 April 2021.

    Crazy perhaps, but my issues seem to be something of the past, but I will keep monitoring should it reoccur.

    Thank you for everyone's valued input.
    It is sincerely much appreciated