[SOLVED] Constant memory-related crashes --- "Attempted_Write_To_Readonly_Memory" ?

Moonshaft

Distinguished
Jun 24, 2014
13
0
18,510
Hey all,

Hoping I can get some insight as to why I keep getting BSOD errors--usually once a day (or every other day) and always while the PC is just idling. Here are the last three results I've gotten from BlueScreenView;

==================================================
Dump File : 052022-6578-01.dmp
Crash Time : 5/20/2022 5:38:06 AM
Bug Check String : ATTEMPTED_WRITE_TO_READONLY_MEMORY
Bug Check Code : 0x000000be
Parameter 1 : ffff986248eead9e Parameter 2 : 01000001884e2021
Parameter 3 : ffffbc874b115490 Parameter 4 : 000000000000000b
Caused By Driver : win32kfull.sys
Caused By Address : win32kfull.sys+ad9e
File Description : Full/Desktop Win32k Kernel Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 10.0.19041.1706 (WinBuild.160101.0800)
Processor : x64
Crash Address : ntoskrnl.exe+3f7d60
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\052022-6578-01.dmp
Processors Count : 6
Major Version : 15
Minor Version : 19041
Dump File Size : 1,335,916
Dump File Time : 5/20/2022 5:38:43 AM
==================================================

==================================================
Dump File : 052222-7078-01.dmp
Crash Time : 5/22/2022 10:36:33 PM
Bug Check String : ATTEMPTED_WRITE_TO_READONLY_MEMORY
Bug Check Code : 0x000000be
Parameter 1 : ffff812c52440069 Parameter 2 : 01000002a8398021
Parameter 3 : ffffd18d514fd440 Parameter 4 : 000000000000000b
Caused By Driver : win32kbase.sys
Caused By Address : win32kbase.sys+40069
File Description : Base Win32k Kernel Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 10.0.19041.1 (WinBuild.160101.0800)
Processor : x64
Crash Address : ntoskrnl.exe+3f7d60
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\052222-7078-01.dmp
Processors Count : 6
Major Version : 15
Minor Version : 19041
Dump File Size : 1,735,308
Dump File Time : 5/22/2022 10:37:13 PM
==================================================

==================================================
Dump File : 052322-6609-01.dmp
Crash Time : 5/23/2022 12:41:45 AM
Bug Check String : ATTEMPTED_WRITE_TO_READONLY_MEMORY
Bug Check Code : 0x000000be
Parameter 1 : fffff6c4cb040069 Parameter 2 : 0100000457012021
Parameter 3 : ffffee84df115440 Parameter 4 : 000000000000000b
Caused By Driver : win32kbase.sys
Caused By Address : win32kbase.sys+40069
File Description : Base Win32k Kernel Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 10.0.19041.1 (WinBuild.160101.0800)
Processor : x64
Crash Address : ntoskrnl.exe+3f7d60
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\052322-6609-01.dmp
Processors Count : 6
Major Version : 15
Minor Version : 19041
Dump File Size : 943,468
Dump File Time : 5/23/2022 12:42:23 AM
==================================================

Here's the PasteBin for my dxdiag info as well: https://pastebin.com/s1PPFxVp

I've run a SFC, DSIM, and the Windows Memory Diagnostic tool. The SFC kicked back some files it was able to repair, but I'm still having this problem.

I'm also having an issue with, after the logging in screen, my desktop will be black with a constantly flashing taskbar. After about an estimated 3-5 seconds the taskbar will stop flashing and my desktop will appear and no longer be black.

Right now I'm suspecting I'll have to do a Windows reinstall (keeping my personal files) since my memory came back clean--but I'm looking for any other input or help before I do a partial nuke.


Thanks!
 
Solution
Well. That didn't last long. Got a crash from desktop about , what, 15 or 20 minutes later? I've noticed that this only happens if I don't have a fullscreen program running (like a game). Only if it's just idling or I'm messing about in a browser/Discord. I'm also still getting the black desktop with flashing taskbar for about 3-5 seconds upon restart. It eventually stops and my regular desktop comes back. I've also ran DISM and SFC more times than I can count and there have never been any integrity issues found/repaired.
Here's the 1.5GB Memory kernel dump it saved: https://drive.google.com/file/d/1YPI_GlGygafrRtaXwvPVl5TxQeXv2h7i/view?usp=sharing
Along with the newest minidump...

Colif

Win 11 Master
Moderator
  1. Open Windows File Explore
  2. Navigate to C:\Windows\Minidump
  3. Copy the mini-dump files out onto your Desktop
  4. Do not use Winzip, use the built in facility in Windows
  5. Select those files on your Desktop, right click them and choose 'Send to' - Compressed (zipped) folder
  6. Upload the zip file to the Cloud (OneDrive, DropBox . . . etc.)
  7. Then post a link here to the zip file, so we can take a look for you . . .

its more likely a driver giving CPU the wrong instructions.
 

Moonshaft

Distinguished
Jun 24, 2014
13
0
18,510
  1. Open Windows File Explore
  2. Navigate to C:\Windows\Minidump
  3. Copy the mini-dump files out onto your Desktop
  4. Do not use Winzip, use the built in facility in Windows
  5. Select those files on your Desktop, right click them and choose 'Send to' - Compressed (zipped) folder
  6. Upload the zip file to the Cloud (OneDrive, DropBox . . . etc.)
  7. Then post a link here to the zip file, so we can take a look for you . . .
its more likely a driver giving CPU the wrong instructions.

Uploaded and available here: https://www.dropbox.com/s/u2py22764kj2ywe/Minidumps.zip?dl=0
 
system died after some timer off and windows was processing it.
i would suspect
\SystemRoot\System32\drivers\BazisVirtualCDBus.sys Sat Sep 26 19:51:28 2015

but you would have to run verifier to prove it.
or one of your suspect drivers is corrupting the timer table.

I would remove some of the asus utilities, the one that controls led lights.
I would also remove
\SystemRoot\system32\DRIVERS\cfosspeed6.sys Mon Jan 4 09:05:32 2021

you can google for autoruns and download it from microsoft, find the menu item to hide microsoft entries and unselect driver or delete entries.
this driver corrupts kernel memory:
ScpVBus.sys Sun May 5 14:31:26 2013
remove or find one compiled after 2016 that has the fix

change the memory dump type to kernel then provide c:\windows\memory.dmp file
this will have debug info to see the owner of the timer.
Most of the time the owner of the timer is causing the corruption. but it is sometimes the owner of the object next to it in memory that overwrites the data and screws up a second driver.
 
Last edited:

Moonshaft

Distinguished
Jun 24, 2014
13
0
18,510
system died after some timer off and windows was processing it.
i would suspect
\SystemRoot\System32\drivers\BazisVirtualCDBus.sys Sat Sep 26 19:51:28 2015

but you would have to run verifier to prove it.
or one of your suspect drivers is corrupting the timer table.

I would remove some of the asus utilities, the one that controls led lights.
I would also remove
\SystemRoot\system32\DRIVERS\cfosspeed6.sys Mon Jan 4 09:05:32 2021

you can google for autoruns and download it from microsoft, find the menu item to hide microsoft entries and unselect driver or delete entries.
this driver corrupts kernel memory:
ScpVBus.sys Sun May 5 14:31:26 2013
remove or find one compiled after 2016 that has the fix

change the memory dump type to kernel then provide c:\windows\memory.dmp file
this will have debug info to see the owner of the timer.
Most of the time the owner of the timer is causing the corruption. but it is sometimes the owner of the object next to it in memory that overwrites the data and screws up a second driver.

I went ahead and just uninstalled WinCDEmu since I wasn't really using it anymore anyway--will see how that works out. I also uninstalled cFosSpeed (which I honestly didn't even realize I had). I'll monitor for a few days and see what happens. If the issue persists I'll uninstall the ASUS Armory Crate and look into seeing if I need to remove the ASUS light SDK as well individually.

Thanks for the help! Will post back with results after some monitoring.
 

Moonshaft

Distinguished
Jun 24, 2014
13
0
18,510
system died after some timer off and windows was processing it.
i would suspect
\SystemRoot\System32\drivers\BazisVirtualCDBus.sys Sat Sep 26 19:51:28 2015

but you would have to run verifier to prove it.
or one of your suspect drivers is corrupting the timer table.

I would remove some of the asus utilities, the one that controls led lights.
I would also remove
\SystemRoot\system32\DRIVERS\cfosspeed6.sys Mon Jan 4 09:05:32 2021

you can google for autoruns and download it from microsoft, find the menu item to hide microsoft entries and unselect driver or delete entries.
this driver corrupts kernel memory:
ScpVBus.sys Sun May 5 14:31:26 2013
remove or find one compiled after 2016 that has the fix

change the memory dump type to kernel then provide c:\windows\memory.dmp file
this will have debug info to see the owner of the timer.
Most of the time the owner of the timer is causing the corruption. but it is sometimes the owner of the object next to it in memory that overwrites the data and screws up a second driver.

Looks like I only got a reprieve for a day or two and then it started up again. I've removed everything having to do with ASUS Armory Crate that I could find and to my knowledge I think that included the lighting sdk?

you can google for autoruns and download it from microsoft, find the menu item to hide microsoft entries and unselect driver or delete entries.
this driver corrupts kernel memory:
ScpVBus.sys Sun May 5 14:31:26 2013
remove or find one compiled after 2016 that has the fix
How do I go about finding an updated version of this...? Is it safe to remove by just deleting outright?

change the memory dump type to kernel then provide c:\windows\memory.dmp file
this will have debug info to see the owner of the timer.
Most of the time the owner of the timer is causing the corruption. but it is sometimes the owner of the object next to it in memory that overwrites the data and screws up a second driver.
Here are two more mini dumps: https://drive.google.com/file/d/1SmV64ZiOg4HDW0GiO-_Tl9i6dzuiIWVp/view?usp=sharing
This is the most recent memory.dmp that was saved as a kernel: https://drive.google.com/file/d/1AtZ659fidr3EnDmxzqldVq59LooBYqCp/view?usp=sharing

In the mean time, here's a new one that I've never received before this morning...

==================================================
Dump File : 052622-6546-01.dmp
Crash Time : 5/26/2022 2:39:43 AM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : ffffe70bdacf57b0 Parameter 2 : 0000000000000011
Parameter 3 : ffffe70bdacf57b0 Parameter 4 : 0000000000000002
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+3f7d60
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 10.0.19041.1706 (WinBuild.160101.0800)
Processor : x64
Crash Address : ntoskrnl.exe+3f7d60
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\052622-6546-01.dmp
Processors Count : 6
Major Version : 15
Minor Version : 19041
Dump File Size : 926,572
Dump File Time : 5/26/2022 2:40:19 AM
==================================================
 
Last edited:
Looks like I only got a reprieve for a day or two and then it started up again. I've removed everything having to do with ASUS Armory Crate that I could find and to my knowledge I think that included the lighting sdk?


How do I go about finding an updated version of this...? Is it safe to remove by just deleting outright?


Here are two more mini dumps: https://drive.google.com/file/d/1SmV64ZiOg4HDW0GiO-_Tl9i6dzuiIWVp/view?usp=sharing
This is the most recent memory.dmp that was saved as a kernel: https://drive.google.com/file/d/1AtZ659fidr3EnDmxzqldVq59LooBYqCp/view?usp=sharing

In the mean time, here's a new one that I've never received before this morning...

==================================================
Dump File : 052622-6546-01.dmp
Crash Time : 5/26/2022 2:39:43 AM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : ffffe70bdacf57b0 Parameter 2 : 0000000000000011
Parameter 3 : ffffe70bdacf57b0 Parameter 4 : 0000000000000002
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+3f7d60
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 10.0.19041.1706 (WinBuild.160101.0800)
Processor : x64
Crash Address : ntoskrnl.exe+3f7d60
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\052622-6546-01.dmp
Processors Count : 6
Major Version : 15
Minor Version : 19041
Dump File Size : 926,572
Dump File Time : 5/26/2022 2:40:19 AM
==================================================
system started running code outside of a module, looked like the address was owned by csrss.exe

so maybe a stack attack on csrss.exe from the 32bit windows emulation. looks like it was coming out of a subsystem. (most likely wow64 emulation of win 32)
details are not in the dump, To get the details you have to do a full memory dump. (very big file)

I would remove this driver:
c:\windows\syswow64\speedfan.sys timestamp dec 29 2012
(just not a good idea to install an optional driver into a subsystem, it could be causing the stack corruption)

the scarlet crush driver, this is a public domain driver someone went up and fixed the source code and if you can find a version build after 2016 it might actually work. 2013 version should only be used on windows7, maybe windows 8. most people end up removing the driver and use a different tool to get support for their device.
 

Moonshaft

Distinguished
Jun 24, 2014
13
0
18,510
system started running code outside of a module, looked like the address was owned by csrss.exe

so maybe a stack attack on csrss.exe from the 32bit windows emulation. looks like it was coming out of a subsystem. (most likely wow64 emulation of win 32)
details are not in the dump, To get the details you have to do a full memory dump. (very big file)

I would remove this driver:
c:\windows\syswow64\speedfan.sys timestamp dec 29 2012
(just not a good idea to install an optional driver into a subsystem, it could be causing the stack corruption)

the scarlet crush driver, this is a public domain driver someone went up and fixed the source code and if you can find a version build after 2016 it might actually work. 2013 version should only be used on windows7, maybe windows 8. most people end up removing the driver and use a different tool to get support for their device.

speedfan.sys and ScpVBus.sys officially deleted and removed. Let's see what happens...
 

Moonshaft

Distinguished
Jun 24, 2014
13
0
18,510
system started running code outside of a module, looked like the address was owned by csrss.exe

so maybe a stack attack on csrss.exe from the 32bit windows emulation. looks like it was coming out of a subsystem. (most likely wow64 emulation of win 32)
details are not in the dump, To get the details you have to do a full memory dump. (very big file)

I would remove this driver:
c:\windows\syswow64\speedfan.sys timestamp dec 29 2012
(just not a good idea to install an optional driver into a subsystem, it could be causing the stack corruption)

the scarlet crush driver, this is a public domain driver someone went up and fixed the source code and if you can find a version build after 2016 it might actually work. 2013 version should only be used on windows7, maybe windows 8. most people end up removing the driver and use a different tool to get support for their device.
speedfan.sys and ScpVBus.sys officially deleted and removed. Let's see what happens...

Well. That didn't last long. Got a crash from desktop about , what, 15 or 20 minutes later? I've noticed that this only happens if I don't have a fullscreen program running (like a game). Only if it's just idling or I'm messing about in a browser/Discord. I'm also still getting the black desktop with flashing taskbar for about 3-5 seconds upon restart. It eventually stops and my regular desktop comes back. I've also ran DISM and SFC more times than I can count and there have never been any integrity issues found/repaired.
Here's the 1.5GB Memory kernel dump it saved: https://drive.google.com/file/d/1YPI_GlGygafrRtaXwvPVl5TxQeXv2h7i/view?usp=sharing
Along with the newest minidump: https://drive.google.com/file/d/1VCtvsUZndoJ1rDSfc7XkHZreWZQoOimJ/view?usp=sharing

Is there any other way I can get these saved for you that gives you more information to pin point the issue?
 
Well. That didn't last long. Got a crash from desktop about , what, 15 or 20 minutes later? I've noticed that this only happens if I don't have a fullscreen program running (like a game). Only if it's just idling or I'm messing about in a browser/Discord. I'm also still getting the black desktop with flashing taskbar for about 3-5 seconds upon restart. It eventually stops and my regular desktop comes back. I've also ran DISM and SFC more times than I can count and there have never been any integrity issues found/repaired.
Here's the 1.5GB Memory kernel dump it saved: https://drive.google.com/file/d/1YPI_GlGygafrRtaXwvPVl5TxQeXv2h7i/view?usp=sharing
Along with the newest minidump: https://drive.google.com/file/d/1VCtvsUZndoJ1rDSfc7XkHZreWZQoOimJ/view?usp=sharing

Is there any other way I can get these saved for you that gives you more information to pin point the issue?
sorry, when the problem is coming from a subsystem I can see why it fails but I don't debug it enough to know the cause.
All I can suggest now is a clean install/repair. apps running in syswow64 subsystem can modify the windows files and now hackers can use it to push malware into the system.
 
Solution

Moonshaft

Distinguished
Jun 24, 2014
13
0
18,510
sorry, when the problem is coming from a subsystem I can see why it fails but I don't debug it enough to know the cause.
All I can suggest now is a clean install/repair. apps running in syswow64 subsystem can modify the windows files and now hackers can use it to push malware into the system.

Daaaaaamnit. All right, thanks,