question

AndrewStephens-4780 asked XingHuang-MSFT commented

ATTEMPTED_WRITE_TO_READONLY_MEMORY What failed: Ntfs.sys

Hi Guys

I've been banging my head against a wall here.

So I have this strange issue that started a few days ago, where random computers in our computer labs start blue screening with the error

ATTEMPTED_WRITE_TO_READONLY_MEMORY

What failed: Ntfs.sys

System is configured to access a Citrix Virtual Desktop.

OS config

Windows 10 x64 LTSC

Citrix WEM with transformer configuration version 2012.1
Citrix workspace

Windows Endpoint security configured through SCCM

Hardware

Dell Optiplex 3060

BIOS ver 1.9.1

latest drivers running since January 2021 (A12 driver pack)

I've been through the dump file and here is the output

    ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
    An attempt was made to write to readonly memory. The guilty driver is on the
    stack trace (and is typically the current instruction pointer).
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: fffff8064d2c8eaa, Virtual address for the attempted write.
    Arg2: 0900000139eb5021, PTE contents.
    Arg3: ffff9a82b241d370, (reserved)
    Arg4: 000000000000000b, (reserved)

    STACK_COMMAND: .trap 0xffff9a82b241d370 ; kb
    SYMBOL_NAME: WdFilter+20e00
    MODULE_NAME: WdFilter
    IMAGE_NAME: WdFilter.sys
    BUCKET_ID_FUNC_OFFSET: 20e00
    FAILURE_BUCKET_ID: 0xBE_WdFilter!unknown_function
    OS_VERSION: 10.0.17763.1
    BUILDLAB_STR: rs5_release
    OSPLATFORM_TYPE: x64
    OSNAME: Windows 10
    FAILURE_ID_HASH: {ea485a3d-e464-9c5e-72a4-e3093d9814be}

From my initial investigation it points to Windows Defender.

If I check the event log it mentions a failed update for Defender. If I repair by installing the missing update the issue persists. I've done Windows updates, checked for driver updates, hardware diagnostics, memory check, all clear.

Anyone else had this issue?

windows-10-general

Thanks Doc-4663

Here is the link to the log and dump files.

https://1drv.ms/u/s!Apin7j04_bStgrpvnYiFZ422qW-Tlw?e=dnDW5h

The livekernelreports folder was empty...

@Reza-Ameri
I'm new to these forums but will figure it out and report as requested

Thank you! Appreciate any feedback you may have!


Reza-Ameri replied to AndrewStephens-4780:

Glad. By sending the report, the Windows team will be able to investigate.
Did you try Clean Boot too?

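Added example (not part of the original thread or any poster's code): a short Python sketch that parses the bugcheck arguments quoted in the question and decodes Arg2 as a standard x64 page-table entry, showing that the faulting write targeted a kernel page mapped present, read-only and executable. The function names are hypothetical, and the bit layout assumed is the architectural x64 PTE format; Windows-specific software bits are ignored.

```python
import re

# Bugcheck arguments copied from the !analyze -v output in the question above.
ANALYZE_TEXT = """\
ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
Arg1: fffff8064d2c8eaa, Virtual address for the attempted write.
Arg2: 0900000139eb5021, PTE contents.
Arg3: ffff9a82b241d370, (reserved)
Arg4: 000000000000000b, (reserved)
"""

# Architectural x64 PTE flag bits (4-level paging, 4 KiB page).
# Assumption: Windows software-defined bits (9-11, 52-62) are not interpreted.
PTE_FLAGS = {0: "present", 1: "writable", 2: "user", 5: "accessed",
             6: "dirty", 8: "global", 63: "no_execute"}


def parse_bugcheck_args(text):
    """Return {1: int, 2: int, ...} from 'ArgN: <16 hex digits>,' lines."""
    pairs = re.findall(r"^Arg(\d):\s*([0-9a-fA-F]{16})\b", text, re.M)
    return {int(n): int(v, 16) for n, v in pairs}


def decode_pte(pte):
    """Split a raw 64-bit PTE into its flag bits and page frame number."""
    decoded = {name: bool(pte >> bit & 1) for bit, name in PTE_FLAGS.items()}
    decoded["pfn"] = (pte >> 12) & ((1 << 40) - 1)  # bits 12..51
    return decoded


def triage(text):
    """Summarise what a 0xBE dump says about the page that was written to."""
    args = parse_bugcheck_args(text)
    pte = decode_pte(args[2])
    return {
        "target_va": args[1],
        "kernel_address": args[1] >> 47 == 0x1FFFF,  # canonical upper half
        "read_only_mapping": pte["present"] and not pte["writable"],
        "executable_page": not pte["no_execute"],
        "pfn": pte["pfn"],
    }


if __name__ == "__main__":
    for key, value in triage(ANALYZE_TEXT).items():
        shown = value if isinstance(value, bool) else hex(value)
        print(f"{key:18} {shown}")
```

Running the same decode over the arguments from each minidump collected in a lab shows whether every crash hit the same kind of mapping, which helps separate one recurring software fault from random memory corruption.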
Reza-Ameri answered

Make sure to report this issue through the Feedback Hub app.
Try performing a Clean Boot; take a look at:
https://support.microsoft.com/en-us/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd
In case the problem didn't reproduce, then try enabling boot services one by one to identify which one is causing the issue.

Docs-4663 answered

Please post share links for these files:

%systemroot%\minidump or C:\windows\minidump
%systemroot%\memory.dmp or C:\windows\memory.dmp (only if file size is < 1.5 GB)
%systemroot%\livekernelreports or C:\windows\livekernelreports (only if file size is < 1.5 GB)

msinfo32 (saved as NFO)
dxdiag

or run this log collector:
https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

Docs-4663 answered Docs-4663 edited

There were five collected mini dump files and one memory dump.

All were bugcheck BE.

They were all from 4/10.

They all occurred during MsMpEng.exe or defender activity.

The logs displayed many BSODs beginning 4/6. Almost all were BE. There was one bugcheck 1A.

There were no misbehaving drivers seen.


The logs had Windows Error Reporting (WER) cleaned.
Please make sure that they are not cleaned during the troubleshooting.

Read these links on Windows driver verifier:

Learn how to use the Windows Recovery Environment (RE) commands: reset and bootmode to turn off the tool


https://www.tenforums.com/tutorials/5470-enable-disable-driver-verifier-windows-10-a.html
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/driver-verifier-tracking-down-a-mis-behaving/f5cb4faf-556b-4b6d-95b3-c48669e4c983

Make a new restore point:
https://www.tenforums.com/tutorials/4571-create-system-restore-point-windows-10-a.html


Start with the three customized tests in the TF link.

XingHuang-MSFT answered XingHuang-MSFT edited
  1. You can use the SFC command to restore the system files and the DISM command to fix them. For how to use them, please see: https://support.microsoft.com/en-us/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e.

  2. You can try to disable Windows Defender and Turn Off Real-Time Protection.

  3. You can use following commands in the command prompt.
    sc config WdFilter start= boot
    sc start WdFilter

  4. If the above steps don't work, please find a computer that runs normally and has the same OS build as your current system version. Export the HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDEFEND registry key and then import it into the computer that is not working properly. Tip: It is risky to modify the registry. Please back up the data in advance and operate under the guidance of a professional.

  5. Try to reset your BIOS to default.


AndrewStephens-6668 answered XingHuang-MSFT commented

I have seen the dump analyses refer to wdfilter.sys and that disabling Windows Defender does stop the BSOD.

We are however using Windows Defender provisioned and configured via SCCM. However, I need to find out what caused this issue and cannot keep Defender disabled for extended periods, so it's merely confirming that Windows Defender is reacting to something that it has scanned and flagged as an issue.

I have since rebuilt my image and redeployed my labs and the issue seems no longer to occur, which then points me to perhaps a buggy definition file which caused the issue.

I have also taken a machine on which this issue is occurring and updated the Defender which failed to install definition version 1.335.434.0 and the machine BSOD did not reoccur and has been stable since 10 April 2021

Crazy perhaps, but my issues seem to be something of the past, but will keep monitoring should it reoccur.

Thank you for everyone's valued input.
It is sincerely much appreciated


Thank you for sharing. If any further help is needed, please feel free to post back.
