DefinatelyMike
5 days ago

Battlefield 2042 / EA Anticheat BSOD Bug

The bug: After enabling Secure Boot on my PC post the update that made this a requirement for EA Anticheat, starting the game (and the anticheat) resulted in a BSOD with the error stating "attempted to write to read only memory".

The investigation: I updated Windows 10 to the latest version, updated my graphics card drivers and checked to see if there were any corrupted system drivers (the usual cause for this BSOD). I repaired the Anticheat using their installer and none of these things solved the problem. I went ahead and ran an analysis on the memory dump file that Windows generates after a blue screen and lo and behold there were no corrupted drivers causing this issue... except for eaanticheat.sys.

The solution: Enabling Settings > Windows Security > Device Security > Core Isolation Details > Memory Integrity prevents malware from inserting malicious code into high security processes, also prevents EA Anticheat from attempting to insert its code into read only memory where it does not belong and circumvents the BSOD. (Note: in order to enable this setting some older drivers may need to be removed from your system if they are incompatible.)

After speaking with EA Support I learned that Memory Integrity is, in fact, not an official requirement for this game, so this is indeed a bug. Considering the danger of messing around with highly secure kernel layer memory, EA absolutely needs to fix this immediately.

3 Replies

  • For 1 second I thought this was a uni examination and not a game!!! What the **bleep** are you doing? You ruin your game, EA, with Secure Boot? Games are for **bleep** fun, not to learn informatics!!!

  • I experience frequent PC crashes resulting in BSOD while playing Battlefield 2042 too! It's become more and more frequent. Like, today it happened about 7 times and I have minidump files for 5 of them. Analysis of the Microsoft minidump file revealed the culprit to be an unhandled kernel-mode exception caused by the eaanticheat.sys driver. The exception code indicates an Access Violation, meaning the driver attempted to access memory it wasn't allowed to. The parameters (Arg3, Arg4) 0000000000000000 and ffffffffffffffff suggest the memory address involved was invalid or out of bounds, which reinforces the Access Violation exception code. The stack shows the crash originated in eaanticheat.sys (eaanticheat+0x26da9be), followed by calls to core Windows kernel functions (nt!KiGeneralProtectionFault, nt!KiExceptionDispatch, etc.). This confirms the issue is with the anti-cheat driver triggering a general protection fault, which Windows couldn't recover from.

    Below is the output of the analyzed minidump file I explained above:

    ************* Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*C:\Symbols*https://msdl.microsoft.com/download/symbols
    6: kd> !analyze -v
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ................................................................
    ...........................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 00000000`00374018).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    .........
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KMODE_EXCEPTION_NOT_HANDLED (1e)
    This is a very common BugCheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff8067d3aa9be, The address that the exception occurred at
    Arg3: 0000000000000000, Parameter 0 of the exception
    Arg4: ffffffffffffffff, Parameter 1 of the exception

    Debugging Details:
    ------------------

    *** WARNING: Unable to verify timestamp for eaanticheat.sys
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Either you specified an unqualified symbol, or your debugger   ***
    ***    doesn't have full symbol information.  Unqualified symbol      ***
    ***    resolution is turned off by default. Please either specify a   ***
    ***    fully qualified symbol module!symbolname, or enable resolution ***
    ***    of unqualified symbols by typing ".symopt- 100". Note that     ***
    ***    enabling unqualified symbol resolution with network symbol     ***
    ***    server shares in the symbol path may cause the debugger to     ***
    ***    appear to hang for long periods of time when an incorrect      ***
    ***    symbol name is typed or the network symbol server is down.     ***
    ***                                                                   ***
    ***    For some commands to work properly, your symbol path           ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: ExceptionRecord                               ***
    ***                                                                   ***
    *************************************************************************
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Either you specified an unqualified symbol, or your debugger   ***
    ***    doesn't have full symbol information.  Unqualified symbol      ***
    ***    resolution is turned off by default. Please either specify a   ***
    ***    fully qualified symbol module!symbolname, or enable resolution ***
    ***    of unqualified symbols by typing ".symopt- 100". Note that     ***
    ***    enabling unqualified symbol resolution with network symbol     ***
    ***    server shares in the symbol path may cause the debugger to     ***
    ***    appear to hang for long periods of time when an incorrect      ***
    ***    symbol name is typed or the network symbol server is down.     ***
    ***                                                                   ***
    ***    For some commands to work properly, your symbol path           ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: ContextRecord                                 ***
    ***                                                                   ***
    *************************************************************************

    KEY_VALUES_STRING: 1

        Key  : Analysis.CPU.mSec
        Value: 1187

        Key  : Analysis.Elapsed.mSec
        Value: 2897

        Key  : Analysis.IO.Other.Mb
        Value: 10

        Key  : Analysis.IO.Read.Mb
        Value: 1

        Key  : Analysis.IO.Write.Mb
        Value: 47

        Key  : Analysis.Init.CPU.mSec
        Value: 609

        Key  : Analysis.Init.Elapsed.mSec
        Value: 412903

        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 103

        Key  : Analysis.Version.DbgEng
        Value: 10.0.27829.1001

        Key  : Analysis.Version.Description
        Value: 10.2503.24.01 amd64fre

        Key  : Analysis.Version.Ext
        Value: 1.2503.24.1

        Key  : Bugcheck.Code.LegacyAPI
        Value: 0x1e

        Key  : Bugcheck.Code.TargetModel
        Value: 0x1e

        Key  : Dump.Attributes.AsUlong
        Value: 0x21808

        Key  : Dump.Attributes.DiagDataWrittenToHeader
        Value: 1

        Key  : Dump.Attributes.ErrorCode
        Value: 0x0

        Key  : Dump.Attributes.KernelGeneratedTriageDump
        Value: 1

        Key  : Dump.Attributes.LastLine
        Value: Dump completed successfully.

        Key  : Dump.Attributes.ProgressPercentage
        Value: 0

        Key  : Failure.Bucket
        Value: AV_R_eaanticheat!unknown_function

        Key  : Failure.Exception.IP.Address
        Value: 0xfffff8067d3aa9be

        Key  : Failure.Exception.IP.Module
        Value: eaanticheat

        Key  : Failure.Exception.IP.Offset
        Value: 0x26da9be

        Key  : Failure.Hash
        Value: {100f1e0a-abcf-3860-2e0c-3546be52e55a}

        Key  : Hypervisor.Enlightenments.ValueHex
        Value: 0x7417df84

        Key  : Hypervisor.Flags.AnyHypervisorPresent
        Value: 1

        Key  : Hypervisor.Flags.ApicEnlightened
        Value: 0

        Key  : Hypervisor.Flags.ApicVirtualizationAvailable
        Value: 1

        Key  : Hypervisor.Flags.AsyncMemoryHint
        Value: 0

        Key  : Hypervisor.Flags.CoreSchedulerRequested
        Value: 0

        Key  : Hypervisor.Flags.CpuManager
        Value: 1

        Key  : Hypervisor.Flags.DeprecateAutoEoi
        Value: 1

        Key  : Hypervisor.Flags.DynamicCpuDisabled
        Value: 1

        Key  : Hypervisor.Flags.Epf
        Value: 0

        Key  : Hypervisor.Flags.ExtendedProcessorMasks
        Value: 1

        Key  : Hypervisor.Flags.HardwareMbecAvailable
        Value: 1

        Key  : Hypervisor.Flags.MaxBankNumber
        Value: 0

        Key  : Hypervisor.Flags.MemoryZeroingControl
        Value: 0

        Key  : Hypervisor.Flags.NoExtendedRangeFlush
        Value: 0

        Key  : Hypervisor.Flags.NoNonArchCoreSharing
        Value: 1

        Key  : Hypervisor.Flags.Phase0InitDone
        Value: 1

        Key  : Hypervisor.Flags.PowerSchedulerQos
        Value: 0

        Key  : Hypervisor.Flags.RootScheduler
        Value: 0

        Key  : Hypervisor.Flags.SynicAvailable
        Value: 1

        Key  : Hypervisor.Flags.UseQpcBias
        Value: 0

        Key  : Hypervisor.Flags.Value
        Value: 55185662

        Key  : Hypervisor.Flags.ValueHex
        Value: 0x34a10fe

        Key  : Hypervisor.Flags.VpAssistPage
        Value: 1

        Key  : Hypervisor.Flags.VsmAvailable
        Value: 1

        Key  : Hypervisor.RootFlags.AccessStats
        Value: 1

        Key  : Hypervisor.RootFlags.CrashdumpEnlightened
        Value: 1

        Key  : Hypervisor.RootFlags.CreateVirtualProcessor
        Value: 1

        Key  : Hypervisor.RootFlags.DisableHyperthreading
        Value: 0

        Key  : Hypervisor.RootFlags.HostTimelineSync
        Value: 1

        Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
        Value: 0

        Key  : Hypervisor.RootFlags.IsHyperV
        Value: 1

        Key  : Hypervisor.RootFlags.LivedumpEnlightened
        Value: 1

        Key  : Hypervisor.RootFlags.MapDeviceInterrupt
        Value: 1

        Key  : Hypervisor.RootFlags.MceEnlightened
        Value: 1

        Key  : Hypervisor.RootFlags.Nested
        Value: 0

        Key  : Hypervisor.RootFlags.StartLogicalProcessor
        Value: 1

        Key  : Hypervisor.RootFlags.Value
        Value: 1015

        Key  : Hypervisor.RootFlags.ValueHex
        Value: 0x3f7


    BUGCHECK_CODE:  1e

    BUGCHECK_P1: ffffffffc0000005

    BUGCHECK_P2: fffff8067d3aa9be

    BUGCHECK_P3: 0

    BUGCHECK_P4: ffffffffffffffff

    FILE_IN_CAB:  071925-12375-01.dmp

    TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b


    DUMP_FILE_ATTRIBUTES: 0x21808
      Kernel Generated Triage Dump

    FAULTING_THREAD:  ffff938648d92080

    EXCEPTION_PARAMETER1:  0000000000000000

    EXCEPTION_PARAMETER2:  ffffffffffffffff

    READ_ADDRESS: fffff806c8bc44c0: Unable to get MiVisibleState
    Unable to get NonPagedPoolStart
    Unable to get NonPagedPoolEnd
    Unable to get PagedPoolStart
    Unable to get PagedPoolEnd
    unable to get nt!MmSpecialPagesInUse
     ffffffffffffffff 

    BLACKBOXBSD: 1 (!blackboxbsd)


    BLACKBOXNTFS: 1 (!blackboxntfs)


    BLACKBOXPNP: 1 (!blackboxpnp)


    BLACKBOXWINLOGON: 1

    CUSTOMER_CRASH_COUNT:  1

    PROCESS_NAME:  BF2042.exe

    STACK_TEXT:  
    fffffc8e`c7fd6168 fffff806`c7fc56cb     : 00000000`0000001e ffffffff`c0000005 fffff806`7d3aa9be 00000000`00000000 : nt!KeBugCheckEx
    fffffc8e`c7fd6170 fffff806`c82b9845     : 00006c79`b726df7f fffff806`7b50090a 00000000`7d7e8c1d 1443d9c7`1ca497ef : nt!KiDispatchException+0xb0b
    fffffc8e`c7fd6880 fffff806`c82b4525     : 00000371`38028b7f ffffffff`c7ffffff cbf29c84`84202220 ffffffff`ffffffff : nt!KiExceptionDispatch+0x145
    fffffc8e`c7fd6a60 fffff806`7d3aa9be     : b2c773a1`b2c69ffa e5e65158`4ec3cdf4 7a105263`739f8279 00000001`80a1af5d : nt!KiGeneralProtectionFault+0x365
    fffffc8e`c7fd6bf0 b2c773a1`b2c69ffa     : e5e65158`4ec3cdf4 7a105263`739f8279 00000001`80a1af5d 00000000`00000000 : eaanticheat+0x26da9be
    fffffc8e`c7fd6bf8 e5e65158`4ec3cdf4     : 7a105263`739f8279 00000001`80a1af5d 00000000`00000000 fffffc8e`c7fd6f10 : 0xb2c773a1`b2c69ffa
    fffffc8e`c7fd6c00 7a105263`739f8279     : 00000001`80a1af5d 00000000`00000000 fffffc8e`c7fd6f10 fffffc8e`c7fd74a8 : 0xe5e65158`4ec3cdf4
    fffffc8e`c7fd6c08 00000001`80a1af5d     : 00000000`00000000 fffffc8e`c7fd6f10 fffffc8e`c7fd74a8 1fffff00`cf617932 : 0x7a105263`739f8279
    fffffc8e`c7fd6c10 00000000`00000000     : fffffc8e`c7fd6f10 fffffc8e`c7fd74a8 1fffff00`cf617932 3552f624`9c51c998 : 0x00000001`80a1af5d


    SYMBOL_NAME:  eaanticheat+26da9be

    MODULE_NAME: eaanticheat

    IMAGE_NAME:  eaanticheat.sys

    STACK_COMMAND: .process /r /p 0xffff9386522df080; .thread 0xffff938648d92080 ; kb

    BUCKET_ID_FUNC_OFFSET:  26da9be

    FAILURE_BUCKET_ID:  AV_R_eaanticheat!unknown_function

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 10

    FAILURE_ID_HASH:  {100f1e0a-abcf-3860-2e0c-3546be52e55a}

    Followup:     MachineOwner
    ---------

  • Interesting. Did you have to do the mbr2gpt stuff to get your secure boot working? I'm wondering if maybe that had gone slightly awry.
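
An added example, not part of any post in this thread: a small Python parser for the `!analyze -v` text in the second reply that decodes the bugcheck arguments and derives the driver's load address from the faulting address and module offset. The function name `triage`, the lookup tables and the abridged sample lines are assumptions made for this illustration.

```python
import re

# Constructed sample: lines abridged from the !analyze -v output in the second reply.
SAMPLE = """\
KMODE_EXCEPTION_NOT_HANDLED (1e)
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8067d3aa9be, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception
PROCESS_NAME:  BF2042.exe
fffffc8e`c7fd6a60 fffff806`7d3aa9be     : b2c773a1`b2c69ffa : nt!KiGeneralProtectionFault+0x365
fffffc8e`c7fd6bf0 b2c773a1`b2c69ffa     : e5e65158`4ec3cdf4 : eaanticheat+0x26da9be
IMAGE_NAME:  eaanticheat.sys
BUCKET_ID_FUNC_OFFSET:  26da9be
"""

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC000001D: "STATUS_ILLEGAL_INSTRUCTION"}
AV_ACCESS = {0: "read", 1: "write", 8: "execute"}  # parameter 0 of an access violation
FRAME = re.compile(r"^\s*[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8}\s+:.*: (\S+)$", re.M)

def triage(text):
    """Hypothetical helper: summarise a 0x1E bugcheck from !analyze -v text."""
    def field(key):
        m = re.search(rf"^\s*{key}:\s*(\S+)", text, re.M)
        return m.group(1) if m else None

    name, code = re.search(r"^\s*(\w+) \(([0-9a-f]+)\)\s*$", text, re.M).groups()
    args = {int(n): int(v, 16) for n, v in re.findall(r"^\s*Arg([1-4]): ([0-9a-f]+)", text, re.M)}
    out = {"bugcheck": name, "code": int(code, 16),
           "process": field("PROCESS_NAME"), "image": field("IMAGE_NAME")}
    if out["code"] == 0x1E:
        status = args[1] & 0xFFFFFFFF          # Arg1 is a sign-extended NTSTATUS
        out["exception"] = NTSTATUS.get(status, hex(status))
        out["fault_ip"] = args[2]
        if status == 0xC0000005:
            out["access"] = AV_ACCESS.get(args[3], "unknown")
            out["target"] = args[4]
    offset = field("BUCKET_ID_FUNC_OFFSET")
    if offset and "fault_ip" in out:
        # Faulting address minus module offset gives the driver's load address.
        out["image_base"] = out["fault_ip"] - int(offset, 16)
        out["base_page_aligned"] = out["image_base"] % 0x1000 == 0
    # Did the exception reach the dispatcher through the #GP handler?
    out["via_gp_fault"] = any(f.startswith("nt!KiGeneralProtectionFault") for f in FRAME.findall(text))
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

On the values from the reply, the access type decodes as `read` with target `ffffffffffffffff`, reached through `nt!KiGeneralProtectionFault`; the kernel typically records that pair when the CPU does not report the faulting address, for example on a non-canonical pointer dereference.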
