Since the crash happens only in getting process path. So should I pass ProcessId to user-mode and then find the process path in user-mode and then do processing accordingly?
You’re opening a Process Object from the context of a process (Registry) that does not have a valid session space. This is valid but unusual. SpyShelter has a bug in their code and they don’t handle this properly.
So, last time: SpyShelter has a bug. Disable it and move on. If you can’t live without SpyShelter then you need to contact them and have them fix their code.
Thank you so much @“Scott_Noone_(OSR)”.