Win 10 2019 with Universal Write filter Blue Screen

Question

I have a bunch of Dell Wyse thin clients with Win 10 2019 LTSC installed with the Universal Write Filter (UWF) installed, that seem to randomly have a Blue Screen. Unfortunately I have not managed to catch a local device to witness what the crash dump code is. I have added %SystemRoot%\MEMORY.dmp to the UWF exclusion so that it is maintained and have the system failure settings set to record an "Automatic Memory Dump". however when the machine BSOD there are event log errors "Dump File Creation failed due to an error during dump creation (Evt ID 161)" and "The system could not successfully load the crash dump driver (Evt ID 45)" and "Crash dump initialization failed (Evt ID 46)"

I have seen elsewhere on this forum a recommendation to ensure that no pagefile is created on the UWF protected drive and this is teh configuration I have set.

Any help or suggestions on how to fix this problem so I can work out what is causing teh BSOD would be gratefully received.

Answer 1

Hi

If you disable UWF does the Blue Screen happen ?

If you activate UWF cache on disk, and not memory does the same happen ?

I ask as if you have big update and low space, your device might have limited RAM to work on.

It happened to me on HP Thin Client, and running MS Team was using a lot of heap, and when it when caching to memory it caused a segfault. Caching to HDD it don't happen.

On Win10 LTSC 2019 you are lucky as new overlay option exist, like; wfmgr overlay set-passthrough on. That can help to prevent the cache filling problem.

Thanks

Philippe

Answer 2

The only way to capture memory dumps is to put the dumps on a non-UWF protected partition. This means on start up you will have to change the location to the partition. If the BSOD is happening during startup then finding the issue becomes a real challenge to be there when the BSOD occurs. You might want to disable auto reboot on BSOD.

Answer 3

Hi PaulRF-6259 ,

1) Open administrative command prompt (ACP) and type or copy and paste:
2) sfc /scannow
3) dism /online /cleanup-image /scanhealth
4) dism /online /cleanup-image /restorehealth
5) sfc /scannow
6) chkdsk /scan
7) wmic recoveros set autoreboot = false
8) wmic recoveros set DebugInfoType = 7
9) wmic recoveros get autoreboot
10) wmic recoveros get DebugInfoType
11) wmic Computersystem where name="%computername%" set AutomaticManagedPagefile=True
12) wmic Computersystem where name="%computername%" get AutomaticManagedPagefile
13) bcdedit /enum {badmemory}

14) When these have completed > right click on the top bar or title bar of the administrative command prompt box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into the thread

15) After multiple BSODs with the above settings run the V2 log collector and post a share link into this thread:

https://www.windowsq.com/resources/v2-log-collector.8/
https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html
https://www.elevenforum.com/t/bsod-posting-instructions.103/

.
.
.
.
.

Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
.
.
.
.
.

Answer 4

@PaulRF I don't have a habit of replying to random posts I find during my own Google searches but after reading your post I felt I had to assist as it instantly gave me war flashbacks. We too are using Dell Wyse W10IoT devices (mobility 5470 in my case) running a mix of 2016 LTSB and 2019 LTSC and we have had (and still have) our share of headaches regarding the write filter. We also had a situation where we had BSOD's all the time on the 2016 LTSB builds, we contacted Dell but they could not help us so we turned to Microsoft.

The people who have already replied to this post have good intentions but might lack some experience in terms of UWF and its behavior. My first guess an UWF-exclusions causing damage to one of the critical system files or registry hives. However, we too are experiencing the odd BSOD with the Dell 2019 LTSC builds, the number of occurrences is so low that we have not yet bothered to troubleshoot it further but these BSODs don't seem to occur with the same UWF-exclusions on the Dell 2016 LTSB builds.

Would you mind posting your UWF-exclusions?

Enabling the write filter disables, among many things, default Windows functionality that could interfere with its internals. Some examples of this are page files, system restore points, defrag, indexing, fastboot, .... The reason why the memory dump on the device doesn't work is simple, the paging file is responsible for this, which is not active when UWF is enabled.

Side-note, if you don't get any specific blue screen codes when the crash occurs, you can inject the following reg values (with UWF off) to get some more info.

REG ADD "HKLM\System\CurrentControlSet\Control\CrashControl" /v DisplayParameters /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\CrashControl" /v DisplayDisabled /t REG_DWORD /d 0 /f

So how does one get information about blue screens when it occurs? Download and install the Windows Debugger Tools (included in Windows AIK) on a second machine, preferably a Windows device without UWF. I got all the info I needed to get it working right here. The annoying thing here of course is that you need the second device online and you need to trigger the BSOD. To my knowledge there is no other way to get additional crash dump information.

In my case a forceful shutdown off (pressing the power button until the device powers off) was causing the BSODs and it was linked to a bad UWF-exclusion I had configured due to my inexperience with UWF and lack of understanding of its internals.

I hope this helps you or anyone reading this.

Answer 5

Please see the post dated Jul 29 2021.
Please run the V2 log collector and post share links into this thread using one drive, drop box, or google drive.

.
.
.
.
.

Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
.
.
.
.
.