I have tested procmon and it works well, but now I had a BSOD with the old version.
I updated to the latest version; then I don't know.
Microsoft (R) Windows Debugger Version 10.0.15063.468 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.17443.amd64fre.th1.170602-2340
Machine Name:
Kernel base = 0xfffff800f9c18000 PsLoadedModuleList = 0xfffff800f9f3c070
Debug session time: Wed Dec 11 18:01:48.806 2019 (UTC + 1:00)
System Uptime: 0 days 7:56:13.148
Loading Kernel Symbols
…
…Page 1b44a not present in the dump file. Type “.hh dbgerr004” for details
…Page 1016fe not present in the dump file. Type “.hh dbgerr004” for details
…Page 14044b not present in the dump file. Type “.hh dbgerr004” for details
.Page 15bc56 not present in the dump file. Type “.hh dbgerr004” for details
…
…Page c1dad not present in the dump file. Type “.hh dbgerr004” for details
…
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff6`53b98018). Type “.hh dbgerr001” for details
Use !analyze -v to get detailed debugging information.
BugCheck CC, {ffffcf8034142d77, 0, fffff800f9cf0cd9, 0}
*** ERROR: Module load completed but symbols could not be loaded for FSpy.sys
Probably caused by : fileinfo.sys ( fileinfo!FIPostCreateCallback+153 )
Followup: MachineOwner
1: kd> !analyze -v
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8034142d77, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800f9cf0cd9, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 10240.17443.amd64fre.th1.170602-2340
SYSTEM_MANUFACTURER: innotek GmbH
VIRTUAL_MACHINE: VirtualBox
SYSTEM_PRODUCT_NAME: VirtualBox
SYSTEM_VERSION: 1.2
BIOS_VENDOR: innotek GmbH
BIOS_VERSION: VirtualBox
BIOS_DATE: 12/01/2006
BASEBOARD_MANUFACTURER: Oracle Corporation
BASEBOARD_PRODUCT: VirtualBox
BASEBOARD_VERSION: 1.2
DUMP_TYPE: 1
BUGCHECK_P1: ffffcf8034142d77
BUGCHECK_P2: 0
BUGCHECK_P3: fffff800f9cf0cd9
BUGCHECK_P4: 0
READ_ADDRESS: ffffcf8034142d77 Special pool
FAULTING_IP:
nt!FsRtlLookupReservedPerStreamContext+9
fffff800`f9cf0cd9 0fb64107 movzx eax,byte ptr [rcx+7]
MM_INTERNAL_CODE: 0
CPU_COUNT: 2
CPU_MHZ: fa0
CPU_VENDOR: AuthenticAMD
CPU_FAMILY: 15
CPU_MODEL: 2
CPU_STEPPING: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0xCC
PROCESS_NAME: explorer.exe
CURRENT_IRQL: 2
ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N
ANALYSIS_SESSION_TIME: 12-11-2019 18:54:06.0651
ANALYSIS_VERSION: 10.0.15063.468 amd64fre
TRAP_FRAME: ffffd00133469ba0 – (.trap 0xffffd00133469ba0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff800f9f20448 rbx=0000000000000000 rcx=ffffcf8034142d70
rdx=ffffe0011dbd6280 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800f9cf0cd9 rsp=ffffd00133469d30 rbp=ffffd00133469e88
r8=0000000000000000 r9=ffffd00133469e10 r10=fffff80031900000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nt!FsRtlLookupReservedPerStreamContext+0x9:
fffff800f9cf0cd9 0fb64107 movzx eax,byte ptr [rcx+7] ds:ffffcf8034142d77=??
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800f9daf714 to fffff800f9d675f0
STACK_TEXT:
ffffd00133469958 fffff800f9daf714 : 0000000000000050 ffffcf8034142d77 0000000000000000 ffffd00133469ba0 : nt!KeBugCheckEx
ffffd00133469960 fffff800f9c4ceb6 : 0000000000000000 0000000000000000 ffffd00133469ba0 fffff6fc001910d8 : nt! ?? ::FNODOBFM::`string'+0x39514
ffffd00133469a50 fffff800f9d706bd : ffffe0011e510080 0000000000000010 fffff8003221bb60 fffff800f9f59cf0 : nt!MmAccessFault+0x696
ffffd00133469ba0 fffff800f9cf0cd9 : ffffcf8034180dc0 fffff80000000000 ffffe00100000000 00001f80010864e9 : nt!KiPageFault+0x13d
ffffd00133469d30 fffff8003190701d : ffffd00133469f08 0000000000000000 0000000000000000 fffff80031900000 : nt!FsRtlLookupReservedPerStreamContext+0x9
ffffd00133469d60 fffff80031906f51 : ffffe0011dbd6280 0000000000000000 0000000000000000 0000000000000000 : FLTMGR!FltpGetStreamListCtrl+0x4d
ffffd00133469dd0 fffff8003221bcb3 : 0000000000000000 0000000000000000 ffffe0011dd65d40 0000000000000000 : FLTMGR!FltGetStreamContext+0x21
ffffd00133469e10 fffff80031903652 : 0000000000000000 fffff80031a4c0ed ffffe0011dd65d40 ffffd00133469fd0 : fileinfo!FIPostCreateCallback+0x153
ffffd00133469ec0 fffff80031903086 : ffffe0011f30c300 ffffe0011f30c400 ffffcf8034180dc0 0000000000000000 : FLTMGR!FltpPerformPostCallbacks+0x2b2
ffffd00133469f90 fffff8003190525a : ffffe0011f30c408 ffffe0011f30c3f0 ffffcf8034180dc0 ffffcf8034180f20 : FLTMGR!FltpPassThroughCompletionWorker+0x76
ffffd00133469fd0 fffff8003193383a : ffffe0011dde48f0 fffff800fa352009 ffffe00100000103 ffffe001205f21c8 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
ffffd0013346a050 fffff800fa343044 : ffffcf8034180d00 ffffcf8034180dc0 ffffe00100000000 ffffe001205f2010 : FLTMGR!FltpCreate+0x34a
ffffd0013346a100 fffff800f9c2ad42 : ffffe0011e59dd20 0000000000000000 0000000000000000 ffffe0011fe3f1b0 : nt!IovCallDriver+0x3d8
ffffd0013346a160 fffff800344f10f5 : ffffe001a0000000 fffff80031904ec2 fffff80031924000 ffffd0013346a1d8 : nt!IofCallDriver+0x72
ffffd0013346a1a0 fffff800344f1333 : ffffcf8034180dc0 ffffe0011e59dd20 0000000000000002 ffffe0011f5c4dc0 : FSpy+0x10f5
ffffd0013346a210 fffff800fa343044 : ffffcf8034180dc0 0000000000000002 ffffd0013346a264 ffffe001205f2240 : FSpy+0x1333
ffffd0013346a240 fffff800f9c2ad42 : ffffe0011ff29900 0000000000000000 ffffcf8034180dc0 ffffe0011f5c4dc0 : nt!IovCallDriver+0x3d8
ffffd0013346a2a0 fffff800319051c4 : ffffd0013346a3a9 ffffcf8034180dc0 ffffe0011f191610 ffffe0011f191668 : nt!IofCallDriver+0x72
ffffd0013346a2e0 fffff8003193383a : ffffe0011fe0cdf0 ffffe001202f3010 0000000000000001 fffff80000000000 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2a4
ffffd0013346a360 fffff800fa343044 : ffffcf8034180d00 ffffcf8034180dc0 6d4e6f4900000005 0000000000000000 : FLTMGR!FltpCreate+0x34a
ffffd0013346a410 fffff800f9c2ad42 : 0000000000000085 ffffd0013346a7c0 ffffe0011f191610 ffffe0011fed9790 : nt!IovCallDriver+0x3d8
ffffd0013346a470 fffff800fa031245 : 0000000000000085 ffffd0013346a7c0 ffffe0011f191610 ffffe00100000000 : nt!IofCallDriver+0x72
ffffd0013346a4b0 fffff800fa0365d0 : fffff800f9c18000 fffff800f9c18000 0000000000000000 fffff800fa02f860 : nt!IopParseDevice+0x19e5
ffffd0013346a6c0 fffff800fa03440c : ffffe00120aa6b00 ffffd0013346a8b8 0000000000000040 ffffe00119576f20 : nt!ObpLookupObjectName+0x9f0
ffffd0013346a830 fffff800fa099e5c : 0000000000000001 ffffe001202f3010 0000000006dfc570 0000000006dfc560 : nt!ObOpenObjectByName+0x1ec
ffffd0013346a960 fffff800fa099a2c : 00000000184e3698 ffffe0011fde0300 0000000006dfc570 0000000006dfc560 : nt!IopCreateFile+0x38c
ffffd0013346aa00 fffff800f9d71c63 : ffffe0011d1c0840 0000000006dfc088 ffffd0013346aaa8 0000000006dfc5d0 : nt!NtOpenFile+0x58
ffffd0013346aa90 00007ffd114e3b5a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
0000000006dfc518 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffd114e3b5a
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: 0279078ba70937b635d7d9340f54873408376cdb
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: f8e42bf6d000efcb4795bdc022f912f7d0c8427a
THREAD_SHA1_HASH_MOD: 3ece0f0830f3e25e4e89407f7e0e049e2312afa9
FOLLOWUP_IP:
fileinfo!FIPostCreateCallback+153
fffff800`3221bcb3 448be0 mov r12d,eax
FAULT_INSTR_CODE: 85e08b44
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: fileinfo!FIPostCreateCallback+153
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: fileinfo
IMAGE_NAME: fileinfo.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 559f38b1
BUCKET_ID_FUNC_OFFSET: 153
FAILURE_BUCKET_ID: 0xCC_VRF_R_INVALID_fileinfo!FIPostCreateCallback
BUCKET_ID: 0xCC_VRF_R_INVALID_fileinfo!FIPostCreateCallback
PRIMARY_PROBLEM_CLASS: 0xCC_VRF_R_INVALID_fileinfo!FIPostCreateCallback
TARGET_TIME: 2019-12-11T17:01:48.000Z
OSBUILD: 10240
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-06-03 13:24:02
BUILDDATESTAMP_STR: 170602-2340
BUILDLAB_STR: th1
BUILDOSVER_STR: 10.0.10240.17443.amd64fre.th1.170602-2340
ANALYSIS_SESSION_ELAPSED_TIME: 918
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xcc_vrf_r_invalid_fileinfo!fipostcreatecallback
FAILURE_ID_HASH: {f457b6e3-30f6-5237-081a-8fb50b58947b}
Followup: MachineOwner