bug in EA AntiCheat (eaanticheat.sys)
i had BSOD (bugcheck 0x18 REFERENCE_BY_POINTER) is almost certainly caused by a bug in EA AntiCheat (eaanticheat.sys), the kernel-mode driver that EA uses in games Battlefield 6, which continuously crashes my PC to death.
The crash happens in the System process, but the call stack clearly shows the faulting code is inside eaanticheat + 0x59970d → nt!ObfDereferenceObject → nt!KeBugCheckEx. This is a classic over-dereference (the driver decrements the reference count on a kernel object one time too many).
This exact pattern (0x18 caused by eaanticheat.sys) has been widely reported on this forums.
I already tried Uninstall/repair/update the EA AntiCheat, don't try to fool me by telling me the Standard Customer service script.
My Memory integrity also already been tuned off, also with the newest version of Dell BIOS.
Tell ur engineers to fix it asap
P.S. Here is one of the minidump analysis logs:
************* Preparing the environment for Debugger Extensions Gallery repositories **************
ExtensionRepository : Implicit
UseExperimentalFeatureForNugetShare : true
AllowNugetExeUpdate : true
NonInteractiveNuget : true
AllowNugetMSCredentialProviderInstall : true
AllowParallelInitializationOfLocalRepositories : true
EnableRedirectToChakraJsProvider : false
-- Configuring repositories
----> Repository : LocalInstalled, Enabled: true
----> Repository : UserExtensions, Enabled: true
>>>>>>>>>>>>> Preparing the environment for Debugger Extensions Gallery repositories completed, duration 0.016 seconds
************* Waiting for Debugger Extensions Gallery to Initialize **************
>>>>>>>>>>>>> Waiting for Debugger Extensions Gallery to Initialize completed, duration 0.031 seconds
----> Repository : UserExtensions, Enabled: true, Packages count: 0
----> Repository : LocalInstalled, Enabled: true, Packages count: 46
Microsoft (R) Windows Debugger Version 10.0.29457.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\112025-38687-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 26100 MP (80 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0xfffff803`9ce00000 PsLoadedModuleList = 0xfffff803`9dcf5030
Debug session time: Thu Nov 20 10:50:12.900 2025 (UTC + 8:00)
System Uptime: 0 days 2:23:08.730
Loading Kernel Symbols
..
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.............................................................
................................................................
................................................................
..........
Loading User Symbols
Loading unloaded module list
.........
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`9d2f6880 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffbc8e`9265e390=0000000000000018
16: kd> !analyze -v
Loading Kernel Symbols
..
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.............................................................
................................................................
................................................................
..........
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffffe48ba9da8f58, Object whose reference count is being lowered
Arg3: 0000000000000002, Reserved
Arg4: ffffffffffffffff, Reserved
The reference count of an object is illegal for the current state of the object.
Each time a driver uses a pointer to an object the driver calls a kernel routine
to increment the reference count of the object. When the driver is done with the
pointer the driver calls another kernel routine to decrement the reference count.
Drivers must match calls to the increment and decrement routines. This BugCheck
can occur because an object's reference count goes to zero while there are still
open handles to the object, in which case the fourth parameter indicates the number
of opened handles. It may also occur when the object's reference count drops below zero
whether or not there are open handles to the object, and in that case the fourth parameter
contains the actual value of the pointer references count.
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for eaanticheat.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 1937
Key : Analysis.Elapsed.mSec
Value: 10735
Key : Analysis.IO.Other.Mb
Value: 0
Key : Analysis.IO.Read.Mb
Value: 1
Key : Analysis.IO.Write.Mb
Value: 4
Key : Analysis.Init.CPU.mSec
Value: 1500
Key : Analysis.Init.Elapsed.mSec
Value: 145750
Key : Analysis.Memory.CommitPeak.Mb
Value: 107
Key : Analysis.Version.DbgEng
Value: 10.0.29457.1000
Key : Analysis.Version.Description
Value: 10.2506.23.01 amd64fre
Key : Analysis.Version.Ext
Value: 1.2506.23.1
Key : Bugcheck.Code.LegacyAPI
Value: 0x18
Key : Bugcheck.Code.TargetModel
Value: 0x18
Key : Dump.Attributes.AsUlong
Value: 0x21008
Key : Dump.Attributes.DiagDataWrittenToHeader
Value: 1
Key : Dump.Attributes.ErrorCode
Value: 0x0
Key : Dump.Attributes.KernelGeneratedTriageDump
Value: 1
Key : Dump.Attributes.LastLine
Value: Dump completed successfully.
Key : Dump.Attributes.ProgressPercentage
Value: 0
Key : Failure.Bucket
Value: 0x18_OVER_DEREFERENCE_eaanticheat!unknown_function
Key : Failure.Hash
Value: {d34621e2-c642-27ce-cc1e-ae03b2ecef67}
Key : WER.System.BIOSRevision
Value: 2.46.0.0
BUGCHECK_CODE: 18
BUGCHECK_P1: 0
BUGCHECK_P2: ffffe48ba9da8f58
BUGCHECK_P3: 2
BUGCHECK_P4: ffffffffffffffff
FILE_IN_CAB: 112025-38687-01.dmp
DUMP_FILE_ATTRIBUTES: 0x21008
Kernel Generated Triage Dump
FAULTING_THREAD: ffffd4828b4b4480
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1 (!blackboxwinlogon)
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
STACK_TEXT:
ffffbc8e`9265e388 fffff803`9d141d2d : 00000000`00000018 00000000`00000000 ffffe48b`a9da8f58 00000000`00000002 : nt!KeBugCheckEx
ffffbc8e`9265e390 fffff803`514e970d : 00007fff`ffffffff ffffe48b`a9da8f58 00000000`00000010 00007fff`ffffffff : nt!ObfDereferenceObject+0x7d
ffffbc8e`9265e3d0 00007fff`ffffffff : ffffe48b`a9da8f58 00000000`00000010 00007fff`ffffffff ffffbc8e`9265e4e0 : eaanticheat+0x59970d
ffffbc8e`9265e3d8 ffffe48b`a9da8f58 : 00000000`00000010 00007fff`ffffffff ffffbc8e`9265e4e0 fffffffd`7fffff00 : 0x00007fff`ffffffff
ffffbc8e`9265e3e0 00000000`00000010 : 00007fff`ffffffff ffffbc8e`9265e4e0 fffffffd`7fffff00 00000000`00000000 : 0xffffe48b`a9da8f58
ffffbc8e`9265e3e8 00007fff`ffffffff : ffffbc8e`9265e4e0 fffffffd`7fffff00 00000000`00000000 ffffbc8e`9265e418 : 0x10
ffffbc8e`9265e3f0 ffffbc8e`9265e4e0 : fffffffd`7fffff00 00000000`00000000 ffffbc8e`9265e418 ffbc8e92`65e70100 : 0x00007fff`ffffffff
ffffbc8e`9265e3f8 fffffffd`7fffff00 : 00000000`00000000 ffffbc8e`9265e418 ffbc8e92`65e70100 ffffdc86`dd6cedd0 : 0xffffbc8e`9265e4e0
ffffbc8e`9265e400 00000000`00000000 : ffffbc8e`9265e418 ffbc8e92`65e70100 ffffdc86`dd6cedd0 00000138`9d00104e : 0xfffffffd`7fffff00
SYMBOL_NAME: eaanticheat+59970d
MODULE_NAME: eaanticheat
IMAGE_NAME: eaanticheat.sys
STACK_COMMAND: .process /r /p 0xffffd4825fae1040; .thread 0xffffd4828b4b4480 ; kb
BUCKET_ID_FUNC_OFFSET: 59970d
FAILURE_BUCKET_ID: 0x18_OVER_DEREFERENCE_eaanticheat!unknown_function
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {d34621e2-c642-27ce-cc1e-ae03b2ecef67}
Followup: MachineOwner
---------
16: kd> !object ffffe48ba9da8f58
Could not read ObjectType addressand here is another crash minidump log:
>>>>>>>>>>>>> Preparing the environment for Debugger Extensions Gallery repositories completed, duration 0.000 seconds
************* Waiting for Debugger Extensions Gallery to Initialize **************
>>>>>>>>>>>>> Waiting for Debugger Extensions Gallery to Initialize completed, duration 0.032 seconds
----> Repository : UserExtensions, Enabled: true, Packages count: 0
----> Repository : LocalInstalled, Enabled: true, Packages count: 46
Microsoft (R) Windows Debugger Version 10.0.29457.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\112025-38109-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 26100 MP (80 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0xfffff803`a7a00000 PsLoadedModuleList = 0xfffff803`a88f5030
Debug session time: Thu Nov 20 08:25:41.264 2025 (UTC + 8:00)
System Uptime: 0 days 0:15:28.090
Loading Kernel Symbols
..
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.............................................................
................................................................
................................................................
..........
Loading User Symbols
Loading unloaded module list
........
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`a7ef6880 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff602`d22bdfa0=0000000000000050
56: kd> !analyze -v
Loading Kernel Symbols
..
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.............................................................
................................................................
................................................................
..........
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffffff0000ffcf, memory referenced.
Arg2: 0000000000000002, X64: bit 0 set if the fault was due to a not-present PTE.
bit 1 is set if the fault was due to a write, clear if a read.
bit 3 is set if the processor decided the fault was due to a corrupted PTE.
bit 4 is set if the fault was due to attempted execute of a no-execute PTE.
- ARM64: bit 1 is set if the fault was due to a write, clear if a read.
bit 3 is set if the fault was due to attempted execute of a no-execute PTE.
Arg3: fffff803a7d41cea, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for eaanticheat.sys
KEY_VALUES_STRING: 1
Key : AV.Type
Value: Write
Key : Analysis.CPU.mSec
Value: 1859
Key : Analysis.Elapsed.mSec
Value: 4925
Key : Analysis.IO.Other.Mb
Value: 0
Key : Analysis.IO.Read.Mb
Value: 1
Key : Analysis.IO.Write.Mb
Value: 0
Key : Analysis.Init.CPU.mSec
Value: 1453
Key : Analysis.Init.Elapsed.mSec
Value: 39917
Key : Analysis.Memory.CommitPeak.Mb
Value: 107
Key : Analysis.Version.DbgEng
Value: 10.0.29457.1000
Key : Analysis.Version.Description
Value: 10.2506.23.01 amd64fre
Key : Analysis.Version.Ext
Value: 1.2506.23.1
Key : Bugcheck.Code.LegacyAPI
Value: 0x50
Key : Bugcheck.Code.TargetModel
Value: 0x50
Key : Dump.Attributes.AsUlong
Value: 0x21008
Key : Dump.Attributes.DiagDataWrittenToHeader
Value: 1
Key : Dump.Attributes.ErrorCode
Value: 0x0
Key : Dump.Attributes.KernelGeneratedTriageDump
Value: 1
Key : Dump.Attributes.LastLine
Value: Dump completed successfully.
Key : Dump.Attributes.ProgressPercentage
Value: 0
Key : Failure.Bucket
Value: AV_W_(null)_eaanticheat!unknown_function
Key : Failure.Exception.IP.Address
Value: 0xfffff803a7d41cea
Key : Failure.Exception.IP.Module
Value: nt
Key : Failure.Exception.IP.Offset
Value: 0x341cea
Key : Failure.Hash
Value: {3b72c825-0ff2-cb62-709d-7e1f175da344}
Key : WER.System.BIOSRevision
Value: 2.46.0.0
BUGCHECK_CODE: 50
BUGCHECK_P1: ffffffff0000ffcf
BUGCHECK_P2: 2
BUGCHECK_P3: fffff803a7d41cea
BUGCHECK_P4: 2
FILE_IN_CAB: 112025-38109-01.dmp
DUMP_FILE_ATTRIBUTES: 0x21008
Kernel Generated Triage Dump
FAULTING_THREAD: ffffaf8b396dd080
READ_ADDRESS: fffff803a89c44c0: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
ffffffff0000ffcf
MM_INTERNAL_CODE: 2
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1 (!blackboxwinlogon)
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
STACK_TEXT:
fffff602`d22bdf98 fffff803`a7dd1a0c : 00000000`00000050 ffffffff`0000ffcf 00000000`00000002 fffff602`d22be200 : nt!KeBugCheckEx
fffff602`d22bdfa0 fffff803`a7c40510 : fffff602`d22be1e0 ffff8000`00000000 ffffffff`0000ffcf 0000007f`fffffff8 : nt!MiSystemFault+0x7a0
fffff602`d22be090 fffff803`a80addcb : 00000000`00040246 00000000`00000000 ffffffff`0000ffcf fffff602`d22be9b8 : nt!MmAccessFault+0x630
fffff602`d22be200 fffff803`a7d41cea : fffff801`db3f0000 cded4ce9`d4814d3d 00000000`00000000 00000000`00000001 : nt!KiPageFault+0x38b
fffff602`d22be390 fffff803`5b98970d : 00007fff`ffffffff ffffffff`0000ffff 00000000`00000010 00007fff`ffffffff : nt!ObfDereferenceObject+0x3a
fffff602`d22be3d0 00007fff`ffffffff : ffffffff`0000ffff 00000000`00000010 00007fff`ffffffff fffff602`d22be4e0 : eaanticheat+0x59970d
fffff602`d22be3d8 ffffffff`0000ffff : 00000000`00000010 00007fff`ffffffff fffff602`d22be4e0 fffffffd`7fffff00 : 0x00007fff`ffffffff
fffff602`d22be3e0 00000000`00000010 : 00007fff`ffffffff fffff602`d22be4e0 fffffffd`7fffff00 00000000`00000000 : 0xffffffff`0000ffff
fffff602`d22be3e8 00007fff`ffffffff : fffff602`d22be4e0 fffffffd`7fffff00 00000000`00000000 fffff602`d22be418 : 0x10
fffff602`d22be3f0 fffff602`d22be4e0 : fffffffd`7fffff00 00000000`00000000 fffff602`d22be418 00000000`00000000 : 0x00007fff`ffffffff
fffff602`d22be3f8 fffffffd`7fffff00 : 00000000`00000000 fffff602`d22be418 00000000`00000000 ffffaf8b`2e646c30 : 0xfffff602`d22be4e0
fffff602`d22be400 00000000`00000000 : fffff602`d22be418 00000000`00000000 ffffaf8b`2e646c30 00000138`0000104e : 0xfffffffd`7fffff00
SYMBOL_NAME: eaanticheat+59970d
MODULE_NAME: eaanticheat
IMAGE_NAME: eaanticheat.sys
STACK_COMMAND: .process /r /p 0xffffa7851dac8040; .thread 0xffffaf8b396dd080 ; kb
BUCKET_ID_FUNC_OFFSET: 59970d
FAILURE_BUCKET_ID: AV_W_(null)_eaanticheat!unknown_function
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3b72c825-0ff2-cb62-709d-7e1f175da344}
Followup: MachineOwner
---------
