Windows process 'explorer.exe' random crash

Hello,

In my disk file system driver, I have a random problem: no BSOD, but explorer.exe crashes randomly (exception).

Explorer.exe exits and restarts when I handle my file hosted in my virtual disk filesystem, because there is an exception.

How do I solve it?

Thanks.

Faulting application name: explorer.exe, version: 10.0.10240.17319, time stamp: 0x58ba458b
Faulting module name: ntdll.dll, version: 10.0.10240.17184, time stamp: 0x580ee916
Exception code: 0xc0000005
Fault offset: 0x000000000007007a
Faulting process id: 0x12b8
Faulting application start time: 0x01d5af931a491317
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 364058fe-0903-410e-8c64-f0a05fd60879
Faulting package full name:
Faulting package-relative application ID:

Faulting application name: explorer.exe, version: 10.0.10240.17319, time stamp: 0x58ba458b
Faulting module name: ntmarta.dll, version: 10.0.10240.16384, time stamp: 0x559f3990
Exception code: 0xc0000005
Fault offset: 0x0000000000005c70
Faulting process id: 0x1c14
Faulting application start time: 0x01d5af93285c501a
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\SYSTEM32\ntmarta.dll
Report Id: d2ace8b7-c103-4f3b-b9c3-1f7219e163d0
Faulting package full name:
Faulting package-relative application ID:

Faulting application name: explorer.exe, version: 10.0.10240.17319, time stamp: 0x58ba458b
Faulting module name: ntdll.dll, version: 10.0.10240.17184, time stamp: 0x580ee916
Exception code: 0xc0000005
Fault offset: 0x000000000007007a
Faulting process id: 0x184
Faulting application start time: 0x01d5af934a61d078
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: caec26e5-9d0f-42a1-a61a-45ca727b8cae
Faulting package full name:
Faulting package-relative application ID:

I’d grab a Procrun trace and see what explorer had asked for just before the crash.

But I would probably have run ifstest over my file system first and fixed the egregious bugs.

Sorry, but I can’t find the link to download the ‘ifstest’ utility.
I can’t find procrun.

Sorry, procrun is something else. I meant procmon. IFSTEST is currently part of the WLKs or the HCKs or whatever they are called this week.

https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/14b230f3-7eee-437e-ab2f-375b200de6f3

I have tested procmon and it works well, but now I had a BSOD with the old version.
I updated to the latest version, then I don’t know.

Microsoft (R) Windows Debugger Version 10.0.15063.468 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.17443.amd64fre.th1.170602-2340
Machine Name:
Kernel base = 0xfffff800f9c18000 PsLoadedModuleList = 0xfffff800f9f3c070
Debug session time: Wed Dec 11 18:01:48.806 2019 (UTC + 1:00)
System Uptime: 0 days 7:56:13.148
Loading Kernel Symbols

…Page 1b44a not present in the dump file. Type “.hh dbgerr004” for details
…Page 1016fe not present in the dump file. Type “.hh dbgerr004” for details
…Page 14044b not present in the dump file. Type “.hh dbgerr004” for details
.Page 15bc56 not present in the dump file. Type “.hh dbgerr004” for details

…Page c1dad not present in the dump file. Type “.hh dbgerr004” for details

Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff6`53b98018). Type “.hh dbgerr001” for details

Use !analyze -v to get detailed debugging information.

BugCheck CC, {ffffcf8034142d77, 0, fffff800f9cf0cd9, 0}

*** ERROR: Module load completed but symbols could not be loaded for FSpy.sys
Probably caused by : fileinfo.sys ( fileinfo!FIPostCreateCallback+153 )

Followup: MachineOwner

1: kd> !analyze -v

PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8034142d77, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800f9cf0cd9, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 10240.17443.amd64fre.th1.170602-2340

SYSTEM_MANUFACTURER: innotek GmbH

VIRTUAL_MACHINE: VirtualBox

SYSTEM_PRODUCT_NAME: VirtualBox

SYSTEM_VERSION: 1.2

BIOS_VENDOR: innotek GmbH

BIOS_VERSION: VirtualBox

BIOS_DATE: 12/01/2006

BASEBOARD_MANUFACTURER: Oracle Corporation

BASEBOARD_PRODUCT: VirtualBox

BASEBOARD_VERSION: 1.2

DUMP_TYPE: 1

BUGCHECK_P1: ffffcf8034142d77

BUGCHECK_P2: 0

BUGCHECK_P3: fffff800f9cf0cd9

BUGCHECK_P4: 0

READ_ADDRESS: ffffcf8034142d77 Special pool

FAULTING_IP:
nt!FsRtlLookupReservedPerStreamContext+9
fffff800`f9cf0cd9 0fb64107 movzx eax,byte ptr [rcx+7]

MM_INTERNAL_CODE: 0

CPU_COUNT: 2

CPU_MHZ: fa0

CPU_VENDOR: AuthenticAMD

CPU_FAMILY: 15

CPU_MODEL: 2

CPU_STEPPING: 0

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0xCC

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 2

ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N

ANALYSIS_SESSION_TIME: 12-11-2019 18:54:06.0651

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

TRAP_FRAME: ffffd00133469ba0 – (.trap 0xffffd00133469ba0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff800f9f20448 rbx=0000000000000000 rcx=ffffcf8034142d70
rdx=ffffe0011dbd6280 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800f9cf0cd9 rsp=ffffd00133469d30 rbp=ffffd00133469e88
r8=0000000000000000 r9=ffffd00133469e10 r10=fffff80031900000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nt!FsRtlLookupReservedPerStreamContext+0x9:
fffff800f9cf0cd9 0fb64107 movzx eax,byte ptr [rcx+7] ds:ffffcf8034142d77=??
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800f9daf714 to fffff800f9d675f0

STACK_TEXT:
ffffd00133469958 fffff800f9daf714 : 0000000000000050 ffffcf8034142d77 0000000000000000 ffffd00133469ba0 : nt!KeBugCheckEx
ffffd00133469960 fffff800f9c4ceb6 : 0000000000000000 0000000000000000 ffffd00133469ba0 fffff6fc001910d8 : nt! ?? ::FNODOBFM::string'+0x39514
ffffd00133469a50 fffff800f9d706bd : ffffe0011e510080 0000000000000010 fffff8003221bb60 fffff800f9f59cf0 : nt!MmAccessFault+0x696
ffffd00133469ba0 fffff800f9cf0cd9 : ffffcf8034180dc0 fffff80000000000 ffffe00100000000 00001f80010864e9 : nt!KiPageFault+0x13d
ffffd00133469d30 fffff8003190701d : ffffd00133469f08 0000000000000000 0000000000000000 fffff80031900000 : nt!FsRtlLookupReservedPerStreamContext+0x9
ffffd00133469d60 fffff80031906f51 : ffffe0011dbd6280 0000000000000000 0000000000000000 0000000000000000 : FLTMGR!FltpGetStreamListCtrl+0x4d
ffffd00133469dd0 fffff8003221bcb3 : 0000000000000000 0000000000000000 ffffe0011dd65d40 0000000000000000 : FLTMGR!FltGetStreamContext+0x21
ffffd00133469e10 fffff80031903652 : 0000000000000000 fffff80031a4c0ed ffffe0011dd65d40 ffffd00133469fd0 : fileinfo!FIPostCreateCallback+0x153
ffffd00133469ec0 fffff80031903086 : ffffe0011f30c300 ffffe0011f30c400 ffffcf8034180dc0 0000000000000000 : FLTMGR!FltpPerformPostCallbacks+0x2b2
ffffd00133469f90 fffff8003190525a : ffffe0011f30c408 ffffe0011f30c3f0 ffffcf8034180dc0 ffffcf8034180f20 : FLTMGR!FltpPassThroughCompletionWorker+0x76
ffffd00133469fd0 fffff8003193383a : ffffe0011dde48f0 fffff800fa352009 ffffe00100000103 ffffe001205f21c8 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
ffffd0013346a050 fffff800fa343044 : ffffcf8034180d00 ffffcf8034180dc0 ffffe00100000000 ffffe001205f2010 : FLTMGR!FltpCreate+0x34a
ffffd0013346a100 fffff800f9c2ad42 : ffffe0011e59dd20 0000000000000000 0000000000000000 ffffe0011fe3f1b0 : nt!IovCallDriver+0x3d8
ffffd0013346a160 fffff800344f10f5 : ffffe001a0000000 fffff80031904ec2 fffff80031924000 ffffd0013346a1d8 : nt!IofCallDriver+0x72
ffffd0013346a1a0 fffff800344f1333 : ffffcf8034180dc0 ffffe0011e59dd20 0000000000000002 ffffe0011f5c4dc0 : FSpy+0x10f5
ffffd0013346a210 fffff800fa343044 : ffffcf8034180dc0 0000000000000002 ffffd0013346a264 ffffe001205f2240 : FSpy+0x1333
ffffd0013346a240 fffff800f9c2ad42 : ffffe0011ff29900 0000000000000000 ffffcf8034180dc0 ffffe0011f5c4dc0 : nt!IovCallDriver+0x3d8
ffffd0013346a2a0 fffff800319051c4 : ffffd0013346a3a9 ffffcf8034180dc0 ffffe0011f191610 ffffe0011f191668 : nt!IofCallDriver+0x72
ffffd0013346a2e0 fffff8003193383a : ffffe0011fe0cdf0 ffffe001202f3010 0000000000000001 fffff80000000000 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2a4
ffffd0013346a360 fffff800fa343044 : ffffcf8034180d00 ffffcf8034180dc0 6d4e6f4900000005 0000000000000000 : FLTMGR!FltpCreate+0x34a
ffffd0013346a410 fffff800f9c2ad42 : 0000000000000085 ffffd0013346a7c0 ffffe0011f191610 ffffe0011fed9790 : nt!IovCallDriver+0x3d8
ffffd0013346a470 fffff800fa031245 : 0000000000000085 ffffd0013346a7c0 ffffe0011f191610 ffffe00100000000 : nt!IofCallDriver+0x72
ffffd0013346a4b0 fffff800fa0365d0 : fffff800f9c18000 fffff800f9c18000 0000000000000000 fffff800fa02f860 : nt!IopParseDevice+0x19e5
ffffd0013346a6c0 fffff800fa03440c : ffffe00120aa6b00 ffffd0013346a8b8 0000000000000040 ffffe00119576f20 : nt!ObpLookupObjectName+0x9f0
ffffd0013346a830 fffff800fa099e5c : 0000000000000001 ffffe001202f3010 0000000006dfc570 0000000006dfc560 : nt!ObOpenObjectByName+0x1ec
ffffd0013346a960 fffff800fa099a2c : 00000000184e3698 ffffe0011fde0300 0000000006dfc570 0000000006dfc560 : nt!IopCreateFile+0x38c
ffffd0013346aa00 fffff800f9d71c63 : ffffe0011d1c0840 0000000006dfc088 ffffd0013346aaa8 0000000006dfc5d0 : nt!NtOpenFile+0x58
ffffd0013346aa90 00007ffd114e3b5a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
0000000006dfc518 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffd114e3b5a

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 0279078ba70937b635d7d9340f54873408376cdb

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: f8e42bf6d000efcb4795bdc022f912f7d0c8427a

THREAD_SHA1_HASH_MOD: 3ece0f0830f3e25e4e89407f7e0e049e2312afa9

FOLLOWUP_IP:
fileinfo!FIPostCreateCallback+153
fffff800`3221bcb3 448be0 mov r12d,eax

FAULT_INSTR_CODE: 85e08b44

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: fileinfo!FIPostCreateCallback+153

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: fileinfo

IMAGE_NAME: fileinfo.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 559f38b1

BUCKET_ID_FUNC_OFFSET: 153

FAILURE_BUCKET_ID: 0xCC_VRF_R_INVALID_fileinfo!FIPostCreateCallback

BUCKET_ID: 0xCC_VRF_R_INVALID_fileinfo!FIPostCreateCallback

PRIMARY_PROBLEM_CLASS: 0xCC_VRF_R_INVALID_fileinfo!FIPostCreateCallback

TARGET_TIME: 2019-12-11T17:01:48.000Z

OSBUILD: 10240

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-06-03 13:24:02

BUILDDATESTAMP_STR: 170602-2340

BUILDLAB_STR: th1

BUILDOSVER_STR: 10.0.10240.17443.amd64fre.th1.170602-2340

ANALYSIS_SESSION_ELAPSED_TIME: 918

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xcc_vrf_r_invalid_fileinfo!fipostcreatecallback

FAILURE_ID_HASH: {f457b6e3-30f6-5237-081a-8fb50b58947b}

Followup: MachineOwner
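
Added example (not part of the thread and not any poster's code): a small Python triage helper that reads kb-style STACK_TEXT frames like those in the dump above, lists the modules that appear only as module+offset (no symbols loaded), and reconstructs the order in which the create request passed through the drivers. The function names are hypothetical, and the sample frames are a selection copied from the trace.

```python
import re

# Selected frames copied from the STACK_TEXT above, newest first
# (kb layout: child-SP, return address, four args, call site).
SAMPLE_STACK = """\
ffffd00133469d30 fffff8003190701d : ffffd00133469f08 0000000000000000 0000000000000000 fffff80031900000 : nt!FsRtlLookupReservedPerStreamContext+0x9
ffffd00133469e10 fffff80031903652 : 0000000000000000 fffff80031a4c0ed ffffe0011dd65d40 ffffd00133469fd0 : fileinfo!FIPostCreateCallback+0x153
ffffd0013346a050 fffff800fa343044 : ffffcf8034180d00 ffffcf8034180dc0 ffffe00100000000 ffffe001205f2010 : FLTMGR!FltpCreate+0x34a
ffffd0013346a160 fffff800344f10f5 : ffffe001a0000000 fffff80031904ec2 fffff80031924000 ffffd0013346a1d8 : nt!IofCallDriver+0x72
ffffd0013346a1a0 fffff800344f1333 : ffffcf8034180dc0 ffffe0011e59dd20 0000000000000002 ffffe0011f5c4dc0 : FSpy+0x10f5
ffffd0013346a210 fffff800fa343044 : ffffcf8034180dc0 0000000000000002 ffffd0013346a264 ffffe001205f2240 : FSpy+0x1333
ffffd0013346aa00 fffff800f9d71c63 : ffffe0011d1c0840 0000000006dfc088 ffffd0013346aaa8 0000000006dfc5d0 : nt!NtOpenFile+0x58
0000000006dfc518 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffd114e3b5a
"""

# module!symbol+0xoff, or module+0xoff when the debugger had no symbols.
CALL_SITE = re.compile(
    r"^(?P<module>[A-Za-z_][\w.]*)(?:!(?P<symbol>.+?))?(?:\+0x[0-9a-fA-F]+)?$"
)

def parse_frames(stack_text):
    """Return one dict per frame, newest first; a bare address gets module=None."""
    frames = []
    for line in stack_text.splitlines():
        parts = line.strip().rsplit(" : ", 1)
        if len(parts) != 2:
            continue  # not a frame line
        m = CALL_SITE.match(parts[1].strip())
        g = m.groupdict() if m else {}
        frames.append({"site": parts[1].strip(), "module": g.get("module"), "symbol": g.get("symbol")})
    return frames

def unsymbolized_modules(frames):
    """Modules seen only as module+offset, i.e. no symbols were loaded for them."""
    seen = []
    for f in frames:
        if f["module"] and f["symbol"] is None and f["module"] not in seen:
            seen.append(f["module"])
    return seen

def request_path(frames):
    """Modules in the order the request travelled (oldest frame first), runs collapsed."""
    path = []
    for f in reversed(frames):
        name = f["module"] or "<unresolved>"
        if not path or path[-1] != name:
            path.append(name)
    return path
```

A module listed by `unsymbolized_modules` is a starting point for triage, not proof of fault; it only shows which drivers on the request path the debugger could not resolve.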