diff --git a/ntoskrnl/mm/ARM3/pagfault.c b/ntoskrnl/mm/ARM3/pagfault.c
index 1e70cc07b907e..8e530da6df8ba 100644
--- a/ntoskrnl/mm/ARM3/pagfault.c
+++ b/ntoskrnl/mm/ARM3/pagfault.c
@@ -576,6 +576,7 @@ MiResolveDemandZeroFault(IN PVOID Address,
     BOOLEAN NeedZero = FALSE, HaveLock = FALSE;
     ULONG Color;
     PMMPFN Pfn1;
+    PMMPTE PtePte;
     DPRINT("ARM3 Demand Zero Page Fault Handler for address: %p in process: %p\n",
             Address,
             Process);
@@ -705,6 +706,9 @@ MiResolveDemandZeroFault(IN PVOID Address,
     if (MI_IS_PAGE_WRITEABLE(&TempPte)) MI_MAKE_DIRTY_PAGE(&TempPte);
 
     /* Write it */
+    /* HACK: mark it as writeable before wiring to it */
+    PtePte = MiAddressToPte(PointerPte);
+    PtePte->u.Hard.Write = 1;
     MI_WRITE_VALID_PTE(PointerPte, TempPte);
 
     /* Did we manually acquire the lock */
@@ -1640,6 +1644,7 @@ MmArmAccessFault(IN BOOLEAN StoreInstruction,
     ULONG Color;
     BOOLEAN IsSessionAddress;
     PMMPFN Pfn1;
+    PMMPTE PtePte;
     DPRINT("ARM3 FAULT AT: %p\n", Address);
 
     /* Check for page fault on high IRQL */
@@ -2029,10 +2034,10 @@ _WARN("Session space stuff is not implemented yet!")
     {
         /* Right now, we only handle scenarios where the PXE is totally empty */
         ASSERT(PointerPxe->u.Long == 0);
-#if 0
+#if 1
         /* Resolve a demand zero fault */
         Status = MiResolveDemandZeroFault(PointerPpe,
-                                          MM_READWRITE,
+                                          MiAddressToPte(PointerPpe),
                                           CurrentProcess,
                                           MM_NOIRQL);
 #endif
@@ -2049,10 +2054,10 @@ _WARN("Session space stuff is not implemented yet!")
     {
         /* Right now, we only handle scenarios where the PPE is totally empty */
         ASSERT(PointerPpe->u.Long == 0);
-#if 0
+#if 1
         /* Resolve a demand zero fault */
         Status = MiResolveDemandZeroFault(PointerPde,
-                                          MM_READWRITE,
+                                          MiAddressToPte(PointerPde),
                                           CurrentProcess,
                                           MM_NOIRQL);
 #endif
@@ -2087,6 +2092,9 @@ _WARN("Session space stuff is not implemented yet!")
         }
 
         /* Write a demand-zero PDE */
+        /* HACK: make it writeable before writing */
+        PtePte = MiAddressToPte(PointerPde);
+        PtePte->u.Hard.Write = 1;
         MI_WRITE_INVALID_PDE(PointerPde, DemandZeroPde);
 
         /* Dispatch the fault */
diff --git a/ntoskrnl/ps/debug.c b/ntoskrnl/ps/debug.c
index d87595a8d540d..2f57191eb7c6c 100644
--- a/ntoskrnl/ps/debug.c
+++ b/ntoskrnl/ps/debug.c
@@ -61,18 +61,18 @@ PspDumpThreads(BOOLEAN IncludeSystem)
                 {
 #ifdef _M_IX86
                     ULONG i = 0;
-                    PULONG Esp = (PULONG)Thread->Tcb.KernelStack;
-                    PULONG Ebp = (PULONG)Esp[4];
+                    PULONG_PTR Esp = (PULONG_PTR)Thread->Tcb.KernelStack;
+                    PULONG_PTR Ebp = (PULONG_PTR)Esp[4];
 
                     /* Print EBP */
                     DbgPrint("Ebp %p\n", Ebp);
 
                     /* Walk it */
-                    while(Ebp != 0 && Ebp >= (PULONG)Thread->Tcb.StackLimit)
+                    while(Ebp != 0 && Ebp >= (PULONG_PTR)Thread->Tcb.StackLimit)
                     {
                         /* Print what's on the stack */
                         DbgPrint("%.8X %.8X%s", Ebp[0], Ebp[1], (i % 8) == 7 ? "\n" : "  ");
-                        Ebp = (PULONG)Ebp[0];
+                        Ebp = (PULONG_PTR)Ebp[0];
                         i++;
                     }