Blue screen crash in Minifilter

@jay96612 said:
@rod_widdowson I didn’t understand what do you mean.

Open the dump file in WinDBG and show us what the result was.
The dump file is in C: \ Windows \ if you i not mistaken.

Google translator

@rod_widdowson Output of !analyze -v

Loading Dump File [C:\Windows\Minidump\030121-48640-01.dmp]

For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff80758ff5a80 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffe18c05c3d310=0000000000000050

Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Can’t set dump file contexts
MachineInfo::SetContext failed - Thread: 00000285612F4E50 Handle: 1 Id: 1 - Error == 0x8000FFFF

***** Path validation summary ******
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff80444800000 PsLoadedModuleList = 0xfffff8044542a390
Debug session time: Mon Mar 1 19:21:54.034 2021 (UTC + 5:30)
System Uptime: 0 days 5:50:54.796
Loading Kernel Symbols

…Page 11befc not present in the dump file. Type “.hh dbgerr004” for details



Loading User Symbols
PEB address is NULL !
Loading unloaded module list

nt!KeBugCheckEx:
fffff80444bf5a80 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff818554785310=0000000000000050
||1:3: kd> !analyze -v


  •                                                                         *
    
  •                    Bugcheck Analysis                                    *
    
  •                                                                         *
    

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff8b8e6a20eec0, memory referenced.
Arg2: 0000000000000010, value 0 = read operation, 1 = write operation.
Arg3: ffff8b8e6a20eec0, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 6452

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-T8VRNB1

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.mSec
Value: 20375

Key  : Analysis.Memory.CommitPeak.Mb
Value: 145

Key  : Analysis.System
Value: CreateObject

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

BUGCHECK_CODE: 50

BUGCHECK_P1: ffff8b8e6a20eec0

BUGCHECK_P2: 10

BUGCHECK_P3: ffff8b8e6a20eec0

BUGCHECK_P4: 2

READ_ADDRESS: ffff8b8e6a20eec0 Paged session pool

MM_INTERNAL_CODE: 2

IMAGE_NAME: win32kbase.sys

MODULE_NAME: win32kbase

FAULTING_MODULE: ffff8b8e6a200000 win32kbase

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME: Registry

TRAP_FRAME: ffff8185547855b0 – (.trap 0xffff8185547855b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff8b8e6a20eec0 rbx=0000000000000000 rcx=ffffca0e20ce12c0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=ffff8b8e6a20eec0 rsp=ffff818554785748 rbp=0000000000000000
r8=ffff8185547857f0 r9=0000000000000000 r10=000000004f414f41
r11=0000000000001001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32kbase!UserIsUserCritSecIn:
ffff8b8e`6a20eec0 ?? ???
Resetting default scope

FAILED_INSTRUCTION_ADDRESS:
win32kbase!UserIsUserCritSecIn+0
ffff8b8e`6a20eec0 ?? ???

STACK_TEXT:
ffff818554785308 fffff80444c1ebbb : 0000000000000050 ffff8b8e6a20eec0 0000000000000010 ffff8185547855b0 : nt!KeBugCheckEx
ffff818554785310 fffff80444a0c960 : 0000000000000000 0000000000000010 ffff818554785630 0000000000000000 : nt!MiSystemFault+0x1f43ab
ffff818554785410 fffff80444c03c5e : 0000000000000240 ffffca0e0e968c50 0000000000000240 ffff8185547856c1 : nt!MmAccessFault+0x400
ffff8185547855b0 ffff8b8e6a20eec0 : fffff8045eeba14f 0000000000000000 ffff818554785a30 0000000000000020 : nt!KiPageFault+0x35e
ffff818554785748 fffff8045eeba14f : 0000000000000000 ffff818554785a30 0000000000000020 fffff8045eecab6e : win32kbase!UserIsUserCritSecIn
ffff818554785750 fffff8045eebaa5d : ffff8185547858c8 ffffca0e00000000 0000000000004a61 0000000000000000 : SpyShelter!SpS_GetProcessPathW+0x15eb
ffff8185547857e0 fffff80444e0fc1c : ffffa40573e28200 ffff8185547858c8 ffff8185547858c8 0000000000000000 : SpyShelter!SpS_GetProcessPathW+0x1ef9
ffff818554785810 fffff80444e0fd8a : 0000000000000000 0000000000000000 0000000000000000 ffffdc4d19a20f67 : nt!ObpCallPreOperationCallbacks+0x10c
ffff818554785890 fffff80444e2c20d : 0000000000000000 ffff818554785a20 ffffca0e25e0e050 ffffca0e25e0e050 : nt!ObpPreInterceptHandleCreate+0xaa
ffff818554785900 fffff80444de1029 : ffffa4057343d350 0000000000000000 0038005f00620075 0079006b00000000 : nt!ObpCreateHandle+0xa1d
ffff818554785af0 fffff8044395104b : ffff818554786339 fffff80444b3c67c 0000000000000208 ffffca0e25c4c8d8 : nt!ObOpenObjectByPointer+0x1b9
ffff818554785d70 fffff804439512f9 : fffff80443952be0 0000000000000200 0000000000000000 0000000000000000 : minispy+0x104b
ffff818554785dd0 fffff8044712608c : 0000000000000000 ffffca0e25c4c7f0 ffffca0e25c4c8d8 ffffca0e253efbb0 : minispy+0x12f9
ffff818554786280 fffff80447125b37 : ffff818554786400 0000000000000003 ffffca0e26747600 0000000000000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c
ffff8185547863a0 fffff80447124b46 : ffff818554788000 ffff818554781000 0000000000000000 ffff8185547864c0 : FLTMGR!FltpPassThroughInternal+0xc7
ffff8185547863f0 fffff804471248bb : 0000000000000000 0000000000000000 0000000000000000 fffff80444e2b3c1 : FLTMGR!FltpPassThrough+0x1d6
ffff818554786490 fffff80444a52f55 : ffffca0e1f8d0630 0000000000001000 0000000000000000 ffffffff80004210 : FLTMGR!FltpDispatch+0x8b
ffff8185547864f0 fffff80444dfd878 : 0000000000000000 ffffca0e267476a0 0000000000000001 ffffca0e0f7ef501 : nt!IofCallDriver+0x55
ffff818554786530 fffff80444de59b9 : ffffca0e00000000 ffff8185547867a0 ffffca0e1c7d16e0 ffff8185547867a0 : nt!IopSynchronousServiceTail+0x1a8
ffff8185547865d0 fffff80444c074b5 : ffffca0e20ce1910 ffffffff80004210 0000000000000000 0000000000000000 : nt!NtReadFile+0x599
ffff8185547866b0 fffff80444bf98e0 : fffff80444b18673 ffffa40586efe000 ffffffff80001b14 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
ffff8185547868b8 fffff80444b18673 : ffffa40586efe000 ffffffff80001b14 0000000000000000 0000000000000000 : nt!KiServiceLinkage
ffff8185547868c0 fffff80444ee07ac : ffffa40586efe000 ffff818554786a58 ffffa40500000000 ffffa40586efe000 : nt!CmpDoFileRead+0xb7
ffff818554786970 fffff80444e873fc : 01d70ea209a2a5e3 ffffa405970df000 0000000000000000 0000000000000000 : nt!CmpFileRead+0x2c
ffff8185547869c0 fffff80444e858a3 : 01d70ea209a2a5e3 ffffa40584d99e20 ffffa405970df000 ffffa40584d99e20 : nt!HvpGetHiveHeader+0x7c
ffff818554786a00 fffff80444e8857b : ffffa4057626f400 01d70ea209a2a5e3 0000000000000001 ffffa405970df000 : nt!HvLoadHive+0xa7
ffff818554786b50 fffff80444e88b73 : 0000000000000000 ffff818554786c90 0000000000000001 ffffa405970df000 : nt!HvHiveStartFileBacked+0x107
ffff818554786b90 fffff80444e639e1 : 0000000000000000 ffffca0e0000009c ffff818554786ee0 0000000000000000 : nt!CmpCreateHive+0x3d3
ffff818554786de0 fffff80444dd63dc : 0000000000000000 0000000000000000 ffff8185547871d0 fffff80444e2b3c1 : nt!CmpInitHiveFromFile+0x3a9
ffff818554787020 fffff80444e94ce3 : ffffa40584d99e20 0000000000000000 ffffa40500000000 ffffa40584d99e20 : nt!CmpCmdHiveOpen+0xdc
ffff818554787120 fffff80444e8cf82 : 0000000000000000 ffff818500000010 0000000000000000 0000000000000001 : nt!CmLoadAppKey+0x46b
ffff8185547875a0 fffff80444e8c77d : 00007ff800000000 ffffa4057be70580 ffff818554787a00 fffffbbffc1c5d38 : nt!CmLoadDifferencingKey+0x7f6
ffff818554787920 fffff80444c074b5 : 0000000000000000 0000000000000001 000000b333ffe148 ffff818554787a80 : nt!NtLoadKeyEx+0x5d
ffff818554787990 00007ff84510e734 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
000000b333ffe1e8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff8`4510e734

SYMBOL_NAME: win32kbase!UserIsUserCritSecIn+0

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 0

FAILURE_BUCKET_ID: AV_INVALID_BAD_IP_win32kbase!UserIsUserCritSecIn

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {c8670668-72de-2a31-2f67-c17c5864267c}

Followup: MachineOwner

||1:3: kd> lmvm win32kbase
Browse full module list
start end module name
ffff8b8e6a200000 ffff8b8e6a4da000 win32kbase # (pdb symbols) C:\ProgramData\Dbg\sym\win32kbase.pdb\E51C1F9B0FA0D0F8FD417E3DB89E9E911\win32kbase.pdb
Loaded symbol image file: win32kbase.sys
Mapped memory image file: C:\ProgramData\Dbg\sym\win32kbase.sys\A6BD5AD22da000\win32kbase.sys
Image path: \SystemRoot\System32\win32kbase.sys
Image name: win32kbase.sys
Browse all global symbols functions data
Image was built with /Brepro flag.
Timestamp: A6BD5AD2 (This is a reproducible build file hash, not a timestamp)
CheckSum: 002CC779
ImageSize: 002DA000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

please analyze this output and help me to get out of the exception. I am completely lost now & need help from the OSR community.

I’d turn off “SpyShelter”

1 Like

@rod_widdowson I haven’t installed SpyShelter.

@jay96612 said:
@rod_widdowson I haven’t installed SpyShelter.

All the more reason to get rid of it.

@“Scott_Noone_(OSR)” please show some helping hand. I am unable to fix it out

Well, I think maybe, it tends to copy some information into user mode, and it is not available, “the user’s address space may not be available” according to the dump file, try the following, before call RtlCopyMemory, make sure the user is connected to the driver.

SpyShelter (whatever that is) has a kernel component and it’s trying to call an undocumented Win32K function:

win32kbase!UserIsUserCritSecIn+0
ffff8b8e`6a20eec0 ?? ???

You’re in the Registry process which does not map Win32K, so you get a crash from SpyShelter calling an invalid address.

Best thing to do is uninstall SpyShelter

1 Like

@rod_widdowson @“Scott_Noone_(OSR)” Thank you so much both for the info you provided. It was SpyShelter who causing the problem. I am very thankful to you :smile:

@“Scott_Noone_(OSR)” @rod_widdowson Crash is only from this code. When trying to get the process name then a crash occurs if spyShelter also running. so is there any wrong with this code?

Code: ToGetProcessName

NTSTATUS GetProcessImageName(
    PEPROCESS eProcess,
    PUNICODE_STRING* ProcessImageName
)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG returnedLength;
    HANDLE hProcess = NULL;

    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    if (eProcess == NULL)
    {
        return STATUS_INVALID_PARAMETER_1;
    }

    status = ObOpenObjectByPointer(eProcess,
        0, NULL, 0, 0, KernelMode, &hProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ObOpenObjectByPointer Failed: %08x\n", status);
        return status;
    }

    if (ZwQueryInformationProcess == NULL)
    {
        UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"ZwQueryInformationProcess");

        ZwQueryInformationProcess = (QUERY_INFO_PROCESS)MmGetSystemRoutineAddress(&routineName);

        if (ZwQueryInformationProcess == NULL)
        {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
            status = STATUS_UNSUCCESSFUL;
            goto cleanUp;
        }
    }

    /* Query the actual size of the process path */
    status = ZwQueryInformationProcess(hProcess,
        ProcessImageFileName,
        NULL, // buffer
        0,    // buffer size
        &returnedLength);

    if (STATUS_INFO_LENGTH_MISMATCH != status) {
        DbgPrint("ZwQueryInformationProcess status = %x\n", status);
        goto cleanUp;
    }

    *ProcessImageName = ExAllocatePoolWithTag(PagedPool, returnedLength, SPY_TAG);

    if (NULL == ProcessImageName) {
        return STATUS_INSUFFICIENT_RESOURCES;
        goto cleanUp;
    }

    status = ZwQueryInformationProcess(hProcess,
        ProcessImageFileName,
        *ProcessImageName,
        returnedLength,
        &returnedLength);

    if (!NT_SUCCESS(status)) {
        ExFreePool(*ProcessImageName);
        *ProcessImageName = NULL;
    }
cleanUp:

    if (hProcess) {
        ZwClose(hProcess);
    }

    return status;
}

You need to learn to debug your code. Have you set up kernel debugging with WinDbg yet?

Yes. I have done setting up the kernel debugging with windbg.

What steps have you taken to debug the problem?

@“Scott_Noone_(OSR)” I have followed this https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg–kernel-mode-#:~:text=On%20the%20host%20computer%2C%20open,in%20Debugging%20Tools%20for%20Windows.

Now the stack shows Line Number 702 and 1009 of file minispy.c

STACK_TEXT

FAILED_INSTRUCTION_ADDRESS: 
win32kbase!UserIsUserCritSecIn+0
ffffe54c`f35e0450 ??              ???

STACK_TEXT:  
ffffec87`2d597dd8 fffff805`57ca8d02 : ffffe54c`f35e0450 00000000`00000003 ffffec87`2d597f40 fffff805`57b1afe0 : nt!DbgBreakPointWithStatus
ffffec87`2d597de0 fffff805`57ca83f7 : ffffe54c`00000003 ffffec87`2d597f40 fffff805`57bd81f0 ffffec87`2d598480 : nt!KiBugCheckDebugBreak+0x12
ffffec87`2d597e40 fffff805`57bc3b97 : fffff805`57e641f8 fffff805`57cd2855 ffffe54c`f35e0450 ffffe54c`f35e0450 : nt!KeBugCheck2+0x947
ffffec87`2d598540 fffff805`57c13ae0 : 00000000`00000050 ffffe54c`f35e0450 00000000`00000010 ffffec87`2d598820 : nt!KeBugCheckEx+0x107
ffffec87`2d598580 fffff805`57acdcbf : 00000000`00000000 00000000`00000010 00000000`00000000 ffffe54c`f35e0450 : nt!MiSystemFault+0x18f320
ffffec87`2d598680 fffff805`57bd1b5e : 00000000`00000240 00000000`00000240 00000000`00000000 ffffec87`2d598950 : nt!MmAccessFault+0x34f
ffffec87`2d598820 ffffe54c`f35e0450 : fffff807`cf85af9b ffffec87`2d598c30 ffffec87`2d598db0 00000000`00000020 : nt!KiPageFault+0x35e
ffffec87`2d5989b8 fffff807`cf85af9b : ffffec87`2d598c30 ffffec87`2d598db0 00000000`00000020 fffff807`cf86c772 : win32kbase!UserIsUserCritSecIn
ffffec87`2d5989c0 fffff807`cf85b8a9 : ffffec87`2d598c98 ffff9804`00000000 00000000`000047bb 00000000`00000000 : SpyShelter!SpS_GetProcessPathW+0x15eb
ffffec87`2d598a50 fffff805`5801b10d : ffffbf80`6bec0d00 ffffec87`2d598c98 ffffec87`2d598c98 ffffec87`00000000 : SpyShelter!SpS_GetProcessPathW+0x1ef9
ffffec87`2d598a80 fffff805`5802afa5 : 00000000`00000000 ffffec87`2d598c20 00000000`00000000 ffff9804`9229de80 : nt!ObpCallPreOperationCallbacks+0x10d
ffffec87`2d598b00 fffff805`5800774c : 00000000`00000000 00000000`00000000 ffff9804`998ed4c0 006e0069`00000000 : nt!ObpCreateHandle+0xab5
ffffec87`2d598d30 fffff805`5631104b : ffff9804`99d1bb50 00000000`10000004 ffffec87`2d599549 fffff805`57b1b02c : nt!ObOpenObjectByPointer+0xec
ffffec87`2d598f90 fffff805`56311321 : fffff805`56312c60 00000000`00000200 00000000`00000000 ffff9804`99d1bdb0 : **minispy!GetProcessImageName+0x4b [C:\Users\jay\Documents\Visual Studio 2015\Projects\minispyNetworkShareBlock\filter\minispy.c @ 702] **
ffffec87`2d598ff0 fffff805`5c584a8d : ffff9804`99e7e8a0 00000000`00000000 ffff9804`99e7e8a0 ffff9804`99d1bdb0 : **minispy!MiniPreRead+0x1a1 [C:\Users\jay\Documents\Visual Studio 2015\Projects\minispyNetworkShareBlock\filter\minispy.c @ 1009] **
ffffec87`2d5994a0 fffff805`5c5845d0 : ffffec87`2d599680 00000000`00000000 ffff9804`96fbbb03 00000000`00060900 : FLTMGR!FltpPerformPreCallbacks+0x2fd
ffffec87`2d5995b0 fffff805`5c584142 : 00000000`00000000 ffffec87`2d599680 ffff9804`96fbbb20 ffffec87`2d599690 : FLTMGR!FltpPassThroughInternal+0x90
ffffec87`2d5995e0 fffff805`5c583f2e : 00000000`00000000 00000000`00000000 00000000`00000000 fffff805`580319a5 : FLTMGR!FltpPassThrough+0x162
ffffec87`2d599660 fffff805`57a467f9 : ffff9804`96fbbb20 00000000`00000200 00000000`00000000 ffffffff`80001ef8 : FLTMGR!FltpDispatch+0x9e
ffffec87`2d5996c0 fffff805`58029d65 : 00000000`00000000 ffff9804`9a12c990 ffff9804`9a12c9e0 ffff9804`9a12c990 : nt!IofCallDriver+0x59
ffffec87`2d599700 fffff805`58026cbf : ffff9804`00000000 ffff9804`9abda8e0 ffffec87`2d599af0 ffffec87`2d599980 : nt!IopSynchronousServiceTail+0x1a5
ffffec87`2d5997a0 fffff805`57bd5355 : 00000000`00000001 ffffffff`80001ef8 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x59f
ffffec87`2d599890 fffff805`57bc78b0 : fffff805`57b28996 ffffbf80`744d7000 ffffffff`80002610 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
ffffec87`2d599a98 fffff805`57b28996 : ffffbf80`744d7000 ffffffff`80002610 00000000`00000000 00000000`00000000 : nt!KiServiceLinkage
ffffec87`2d599aa0 fffff805`580da37c : ffffbf80`744d7000 ffffec87`2d599c30 ffffbf80`00000000 ffffbf80`744d7000 : nt!CmpDoFileRead+0xb6
ffffec87`2d599b50 fffff805`58086ca4 : 00000000`00000030 ffffbf80`782e1000 ffffbf80`782e1000 ffffbf80`71f2cb90 : nt!CmpFileRead+0x2c
ffffec87`2d599ba0 fffff805`58084e5d : 00000000`00000030 ffffec87`2d59a3d0 ffffbf80`782e1000 ffffbf80`782e1000 : nt!HvpGetHiveHeader+0x7c
ffffec87`2d599be0 fffff805`58086e8c : ffffec87`2d599e60 01d714ee`4baa7a6a 00000000`00000001 ffffbf80`782e1000 : nt!HvLoadHive+0xa1
ffffec87`2d599d20 fffff805`580844ae : ffffffff`ffffffff ffffec87`2d599e60 00000000`00000001 00000000`00000000 : nt!HvHiveStartFileBacked+0x100
ffffec87`2d599d60 fffff805`57fe2151 : 00000000`00000000 00000000`0000009c ffffec87`2d59a090 00000000`00000000 : nt!CmpCreateHive+0x62a
ffffec87`2d599f90 fffff805`58099833 : ffff9804`99bd93a0 fffff805`57a4e5b6 ffff9804`99bd9118 fffff805`57e63878 : nt!CmpInitHiveFromFile+0x3f9
ffffec87`2d59a1d0 fffff805`57fe2f10 : fffff805`57e63880 ffffec87`2d59a350 00000000`00000000 ffffec87`2d59a768 : nt!CmpCmdHiveOpen+0xd7
ffffec87`2d59a250 fffff805`57fe4ba5 : 00000000`00000000 ffffec87`00000010 00000000`00000000 00000000`00000001 : nt!CmLoadAppKey+0x364
ffffec87`2d59a6a0 fffff805`57fe4331 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff813d`8d0f6699 : nt!CmLoadDifferencingKey+0x869
ffffec87`2d59aa20 fffff805`57bd5355 : 00000000`00000620 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtLoadKeyEx+0x51
ffffec87`2d59aa90 00007ffe`ecb7ee04 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000a9`b57fe238 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`ecb7ee04

LINE 702:
status = ObOpenObjectByPointer(eProcess,
0, NULL, 0, 0, KernelMode, &hProcess);
if (!NT_SUCCESS(status))
{
DbgPrint(“ObOpenObjectByPointer Failed: %08x\n”, status);
return status;
}

LINE 1009:
status = GetProcessImageName(IoThreadToProcess(Data->Thread), &pni);

Did you look at the stack? It’s the same crash as before:

nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x18f320
nt!MmAccessFault+0x34f
nt!KiPageFault+0x35e
win32kbase!UserIsUserCritSecIn
SpyShelter!SpS_GetProcessPathW+0x15eb
SpyShelter!SpS_GetProcessPathW+0x1ef9
nt!ObpCallPreOperationCallbacks+0x10d

Get rid of SpyShelter.

@“Scott_Noone_(OSR)” So why system crashes due to my program. If the only spyShelter runs then no crash happens. Once my program runs along with SpyShelter then a crash happens.

Since the crash happens only in getting process path. So should I pass ProcessId to user-mode and then find the process path in user-mode and then do processing accordingly?

You’re opening a Process Object from the context of a process (Registry) that does not have a valid session space. This is valid but unusual. SpyShelter has a bug in their code and they don’t handle this properly.

So, last time: SpyShelter has a bug. Disable it and move on. If you can’t live without SpyShelter then you need to contact them and have them fix their code.

Thank you so much @“Scott_Noone_(OSR)”.