Interpreting Process Monitor Result

NTSTATUS Code: 0xC0000022⁷⁰

Primary Originating Layer/System (Potential): Security Reference Monitor (SRM in NTOSKRNL.EXE), File System Driver (e.g., NTFS.SYS), Registry Manager (NTOSKRNL.EXE), Third-Party Filter Driver (File System, Registry, Process, Network).

Typical Operations: CreateFile, OpenFile, DeleteFile, SetBasicInformationFile, RegOpenKey, RegCreateKey, RegSetValue, RegDeleteKey, Process Create, Thread Create, TCP Bind (privileged ports), DeviceIoControlFile.

Detailed Causation ("Why"):

• Permissions/ACLs (SRM): Primary cause. Object's security descriptor denies requested Desired Access based on caller's token (SeAccessCheck in NTOSKRNL.EXE).
• Explicit blocking/denial by Filter Drivers (CRITICAL): Very common. FS Filters (AV, EDR, DLP) block based on policy (malware, sensitive data, ransomware protection).⁶ Registry Filters block key/value access. Process/Thread Filters (EDR) prevent creation/injection. Network Filters (WFP) deny connections based on firewall rules.⁵⁴
• Privilege Issues: Operation requires specific privilege (e.g., SeSecurityPrivilege, SeBackupPrivilege) caller lacks. Often STATUS_PRIVILEGE_NOT_HELD (0xC0000061) but can be ACCESS DENIED.
• Integrity Level Mismatch: Lower integrity process denied access to higher integrity object (Mandatory Integrity Control - MIC).
• Sharing Mode Conflicts (Less Common): Sometimes exclusive access attempts conflicting with existing opens manifest as ACCESS DENIED.
• Invalid Device State or Request: E.g., write attempt to read-only mounted volume by FS driver.

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column for CreateFile: Shows Desired Access and ShareMode. Compare with object permissions.
• Stack Trace (Crucial): If ntoskrnl.exe!SeAccessCheck prominent, likely standard ACL denial. If third-party filter (mfehidk.sys, symefasi.sys, wdfilter.sys, carbonblack.sys, sentinel.sys, etc.) at/near top, filter likely source.⁶²
• Path column: Identifies object. Inspect ACLs using Explorer properties, icacls.exe, Get-Acl.
• Event Sequence: Look for security software ops before/after the denial.
• External Tools: fltmc.exe instances for FS filters.⁶⁷ Temporarily disable suspect security software. netsh wfp show filters for WFP rules.

NTSTATUS Code: 0xC000020A⁷⁰

Primary Originating Layer/System (Potential): Network Stack Component (e.g., TCPIP.SYS, AFD.SYS), Third-Party Network Filter Driver (WFP/NDIS).

Typical Operations: TCP Bind (e.g., via IRP_MJ_INTERNAL_DEVICE_CONTROL with TDI_BIND or IOCTL_AFD_BIND), UDP Bind.

Detailed Causation ("Why"):

• Port in Use: Most common. Attempt to bind socket to local IP/port already in use by another active socket.
• Lingering Sockets: Socket in TIME_WAIT state prevents immediate reuse.
• Filter Driver Intervention: Network filter might manage own state and deem address "in use" or reserved.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows local IP/port being bound (e.g., 0.0.0.0:80).
• Detail column: May show specifics for AFD_BIND.
• External Tools: netstat -ano -p TCP (or -p UDP) lists active endpoints, states, owning PID. Compare with Procmon path to find conflict.
• Stack Trace: Shows if TCPIP.SYS or AFD.SYS returns error. Third-party network filter presence indicates possible involvement.
• Event Sequence: Check for recent socket closure on that address/port.

NTSTATUS Code: 0x80000005⁷⁰ (Warning/Informational, NT_SUCCESS macro is TRUE)

Primary Originating Layer/System (Potential): I/O Manager, various Kernel Drivers (FS, Registry, Network), Third-Party Filter Driver.

Typical Operations: QueryDirectoryFile, RegQueryValueKey, RegQueryKey, DeviceIoControlFile (variable data), NtQueryInformationFile, NtQuerySystemInformation.

Detailed Causation ("Why"):

• Variable-Length Data Retrieval: Caller provides buffer; buffer large enough for some data but not all. System/filter fills buffer, returns this status, indicates amount written.¹⁹
• Caller Expectation: Expected pattern. Caller checks status, notes data returned, potentially reallocates larger buffer (based on required size sometimes returned) and retries.⁷⁶
• Filter Driver Behavior: Filter processing such query might return this if its modified data exceeds caller's buffer.

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column: Often shows buffer Length provided. May show length returned.
• Event Sequence: Look for subsequent retry of same operation with larger buffer size (often visible in Detail). Retry often succeeds or gets this status again if data large/growing.
• Stack Trace: Shows component returning status.
• Usually not an error itself, but part of API contract. Problem if application fails to handle retry logic.

NTSTATUS Code: 0xC0000023⁷⁰ (Error status, NT_SUCCESS macro is FALSE)

Primary Originating Layer/System (Potential): I/O Manager, various Kernel Drivers (FS, Registry, Network), Third-Party Filter Driver.

Typical Operations: Similar to BUFFER OVERFLOW: QueryDirectoryFile, RegQueryValueKey, RegQueryKey, DeviceIoControlFile, NtQueryInformationFile, NtQueryVolumeInformationFile.

Detailed Causation ("Why"):

• Insufficient Buffer for Any Data: Caller buffer too small for minimal/any data. Unlike BUFFER_OVERFLOW, usually no data returned.¹⁹
• Required Size Indication: System/filter often sets IoStatus.Information to required buffer size for caller retry.
• Fixed-Size Output Mismatch: Provided buffer smaller than expected fixed-size output structure.
• Filter Driver Behavior: Filter intercepting query can return this if buffer insufficient for its (potentially modified) data.

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column: May show buffer Length provided. Might state required size.
• Event Sequence: Look for subsequent retry with larger buffer size (visible in Detail). Retry often succeeds.
• Stack Trace: Identifies component determining buffer too small.
• Common error; applications should handle by reissuing with adequate buffer.

NTSTATUS Code: 0xC0000236⁷⁰

Primary Originating Layer/System (Potential): Network Stack Component (TCPIP.SYS), Third-Party Network Filter Driver (WFP/NDIS).

Typical Operations: TCP Connect (often Procmon TCP:Connect, initiated by AFD_CONNECT).

Detailed Causation ("Why"):

• No Listening Service: Remote host reached, but no application listening on destination port. Remote TCP stack actively rejected (sent TCP RST).
• Firewall on Remote Host: Remote firewall blocking port and configured to send RST.
• Firewall on Local Host (Less Common): Local firewall (potentially Third-Party WFP Filter) could actively refuse outgoing SYN, though silent drop (leading to TIMEOUT) is more common.
• Application Layer Rejection: Server app accepts TCP then immediately closes (e.g., unmet criteria), possibly mapped to this error by client stack.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows destination IP address and port.
• Detail column: May show source/destination ports for TCP Connect.
• External Tools: Verify remote service listening (netstat -ano on remote). Check client/server firewalls. Test connect from different client/tool (telnet, Test-NetConnection).
• Stack Trace: Typically shows TCPIP.SYS/AFD.SYS. If third-party network filter high in stack, investigate its role.
• Event Sequence: Look for repeated attempts if application retries.

NTSTATUS Code: 0xC0000056⁷⁰

Primary Originating Layer/System (Potential): File System Driver (e.g., NTFS.SYS), Third-Party File System Filter Driver.

Typical Operations: Any file operation (except CloseFile, some queries) on a file object marked for deletion (e.g., ReadFile, WriteFile, SetBasicInformationFile, another CreateFile).

Detailed Causation ("Why"):

• File Marked for Deletion: Previous op marked file for delete (SetDispositionInformationFile with DeleteFile=TRUE, or FILE_FLAG_DELETE_ON_CLOSE used on open).
• File System Behavior: FS disallows most subsequent ops on existing handles (or new opens) once marked DELETE_PENDING. Actual disk deletion on last handle close.
• Filter Driver Intervention: Filter might implement own deferred delete logic or intercept deletes, mark file pending, and return this status.

Procmon Diagnostic Clues ("How to Corroborate"):

• Event Sequence: Look for preceding SetDispositionInformationFile (Detail shows Delete: True) or CreateFile (Options include Delete On Close) on same path/handle.
• Path column: Identifies file.
• Stack Trace: Indicates FS driver or filter returning status.
• Indicates file is being deleted; apps should close handles.

NTSTATUS Code: 0x80000011⁷⁰ (Warning/Informational)

Primary Originating Layer/System (Potential): Device Driver (storage, serial, etc.), I/O Manager, Third-Party Filter Driver.

Typical Operations: CreateFile (esp. devices), DeviceIoControlFile, WriteFile, ReadFile.

Detailed Causation ("Why"):

• Exclusive Access Conflict: Attempt to open device already in exclusive use, or request requires exclusive access not currently grantable.
• Device Overloaded/Queues Full: Device/driver has too many pending requests.
• Resource Contention: Required hardware resource (interrupt, DMA) unavailable.
• Filter Driver Holding Resource: Filter in device stack might hold device busy or manage access leading to this.
• Media Change/Initialization: Removable media changing state.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Identifies device/file.
• Detail column for CreateFile: Desired Access/ShareMode show if exclusive access requested.
• Event Sequence: Look for other processes accessing same device. Check system event logs. Retries common.
• Duration: Consistently slow ops on device might precede this status.
• Stack Trace: Pinpoints driver in stack returning status. Investigate filters if present.

NTSTATUS Code: 0xC0000101⁷⁰

Primary Originating Layer/System (Potential): File System Driver (e.g., NTFS.SYS, FASTFAT.SYS), Third-Party File System Filter Driver.

Typical Operations: SetDispositionInformationFile (deleting directory), DeleteFile (targeting directory with older APIs).

Detailed Causation ("Why"):

• Contains Files/Subdirectories: Attempt to delete directory that still contains items. Most FS require directory empty for deletion.
• Hidden or System Files: Directory appears empty in Explorer but hidden/system files prevent deletion.
• Open Handles: Open handles to files/subdirectories within the target directory prevent their removal, thus blocking parent deletion.
• Filter Driver Interference: Filter could prevent enumeration/deletion of items, hold items open, or directly return this status based on own logic.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Identifies directory.
• Event Sequence: Look for preceding QueryDirectoryFile on target dir to see enumerated contents. Look for failed delete attempts on items within target dir (Result indicates why they failed, e.g., SHARING_VIOLATION, ACCESS_DENIED).
• External Tools: dir /a <path> or Get-ChildItem -Path <path> -Force lists all contents. Check for open handles (Resource Monitor, Process Explorer).
• Stack Trace: Shows FS driver. Filter might be visible if involved.

NTSTATUS Code: 0xC0000032⁷⁰

Primary Originating Layer/System (Potential): File System Driver (e.g., NTFS.SYS, FASTFAT.SYS), Storage Driver.

Typical Operations: Any FS operation involving disk metadata/data read/write (CreateFile, ReadFile, WriteFile, QueryDirectoryFile, SetInformationFile).

Detailed Causation ("Why"):

• File System Structure Corruption: Severe error. On-disk FS structures (MFT, FAT, directories, bitmaps) damaged/inconsistent.
• Bad Sectors: Physical bad sectors on media lead to unreadable/unwritable metadata/data, interpreted as corruption.
• Sudden Power Loss/Unsafe Shutdown: Leaves FS structures inconsistent.
• Hardware Malfunction: Failing HDD/SSD/controller.
• Driver Bugs (Less Common): Storage or FS driver bugs could cause corruption.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: May indicate file/dir accessed when corruption detected, but could be general FS structure.
• Event Sequence: Often multiple ops fail with this or related errors (STATUS_FILE_CORRUPT_ERROR, STATUS_CRC_ERROR).
• System Event Log: Check System log for disk errors (sources "Disk", "NTFS", "PartMgr").
• External Tools: Run CHKDSK /f /r <volume>:. Check SMART data (CrystalDiskInfo).
• Stack Trace: Typically points to FS driver (NTFS.SYS!NtfsFsdRead) or lower storage driver.

NTSTATUS Code: 0xC0000011⁷⁰

Primary Originating Layer/System (Potential): File System Driver (e.g., NTFS.SYS), I/O Manager.

Typical Operations: ReadFile, NtReadFile.

Detailed Causation ("Why"):

• Read Past File Boundary: Read attempt at or beyond current end of file's valid data. Normal/expected for sequential reads.
• Zero-Length File: Attempting read from 0-byte file.
• Sparse File Region: Read from unallocated sparse region might return EOF or zeros depending on FS/flags.

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column for ReadFile: Shows Offset and Length requested. Compare Offset with file size. IoStatus.Information (bytes read) will be 0 if read started at/beyond EOF, or less than Length if read crossed EOF.
• Event Sequence: Often last successful/semi-successful read before close.
• File Size: Correlate with size from preceding CreateFile or QueryStandardInformationFile/QueryBasicInformationFile.
• Generally not an error, but indicator for app to stop reading.

NTSTATUS Code: 0x0000012A⁷⁰ (Informational/Success)

Primary Originating Layer/System (Potential): File System Driver, Third-Party File System Filter Driver.

Typical Operations: LockFile (NtLockFile), DeviceIoControlFile (FSCTL_LOCK_VOLUME).

Detailed Causation ("Why"):

• Successful Lock with Existing Readers: Lock request succeeded, but file/range already locked by others permitting only reading. Current lock granted, status informs caller.
• Filter Driver Custom Locking: Filter implementing own locking might return this based on its state.

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column for LockFile: Shows Offset, Length, flags (shared/exclusive lock).
• Event Sequence: Look for other LockFile ops on same file by other processes/handles.
• Informational status, usually not a problem unless exclusive lock required.

NTSTATUS Code: 0x0000012B⁷⁰ (Informational/Success)

Primary Originating Layer/System (Potential): File System Driver, Third-Party File System Filter Driver.

Typical Operations: LockFile (NtLockFile), DeviceIoControlFile (FSCTL_LOCK_VOLUME).

Detailed Causation ("Why"):

• Successful Lock with Existing Writers: Lock request succeeded, but file/range already locked by others permitting write access. Current lock granted, status informs caller.
• Filter Driver Custom Locking: Filter managing own locks could return this.

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column for LockFile: Shows Offset, Length, lock flags.
• Event Sequence: Examine other LockFile ops on same file.
• Informational status.

NTSTATUS Code: 0xC0000054⁷⁰

Primary Originating Layer/System (Potential): File System Driver (e.g., NTFS.SYS), Third-Party File System Filter Driver.

Typical Operations: LockFile (NtLockFile), sometimes ReadFile/WriteFile if implicit locks conflict with existing byte-range locks.

Detailed Causation ("Why"):

• Conflicting Byte-Range Lock: Attempt to lock byte range conflicts with existing lock on overlapping range held by another process/handle (e.g., exclusive requested over existing shared, any lock requested over existing exclusive).
• Filter Driver Interference: Filter might manage locks or hold conflicting lock itself.

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column for LockFile: Shows Offset, Length, requested lock type (shared/exclusive).
• Event Sequence: Search for other LockFile ops on same path. Identify process/handle holding conflicting lock (Procmon Find Handle/DLL, filter path, examine open handles/locks).
• Stack Trace: Likely points to FS driver. Filter might appear if involved.

NTSTATUS Code: 0xC000023D⁷⁰

Primary Originating Layer/System (Potential): Network Stack Component (TCPIP.SYS), Third-Party Network Filter Driver (WFP/NDIS).

Typical Operations: TCP Connect, UDP Send, TCP Send (if route changes or remote becomes unreachable).

Detailed Causation ("Why"):

• No Route to Host: Local system lacks network route to destination IP (bad local config, routing table issue, destination genuinely unreachable).
• ARP Failure (Local Network): Failed to resolve MAC address for destination IP or gateway via ARP.
• Firewall Blocking (Local or Intermediate): Firewall (local, possibly Third-Party WFP Filter; or intermediate router) dropping packets, preventing response, leading stack to determine unreachability (often after timeouts).
• Physical Layer Issues: Cable disconnected, faulty NIC, switch port down.
• VPN/Tunneling Issues: Problems with tunnel interface or routing if traffic should use VPN/tunnel.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows destination IP address and port.
• External Tools: ping <host_ip> (basic connectivity). tracert <host_ip> / pathping (route tracing). ipconfig /all (local config). route print (local routing table). Check firewall logs.
• Stack Trace: Usually points to TCPIP.SYS. Network filter visible if involved in blocking/misrouting.
• Event Sequence: Look for preceding DNS resolution attempts (UDP Send/Receive port 53) to verify IP address correctness.

NTSTATUS Code: 0xC000009A⁷⁰

Primary Originating Layer/System (Potential): Memory Manager (NTOSKRNL.EXE), I/O Manager, various Drivers (FS, Net, Reg), Third-Party Filter Driver.

Typical Operations: Virtually any op requiring kernel memory (nonpaged/paged pool), handles, or other finite resources: CreateFile, RegCreateKey, Process Create, TCP Connect, ReadFile/WriteFile (internal buffers), DeviceIoControlFile.

Detailed Causation ("Why"):

• Kernel Memory Exhaustion (Most Common): System out of nonpaged or paged pool memory needed for kernel data structures (IRPs, FCBs, sockets). Often due to driver leaks (including third-party filters) or high load.
• Handle Limit Exceeded: Process exceeds handle quota or system limit.
• Quota Exhaustion: Process exceeds paged pool or other resource quotas.
• Other System Limits: Exhaustion of PTEs, I/O map registers, etc.
• Filter Driver Resource Consumption: Poorly written filter leaks kernel memory or consumes excessive resources, contributing to or causing error.

Procmon Diagnostic Clues ("How to Corroborate"):

• Event Sequence: Error may appear for various ops across processes if system globally low. Look for pattern.
• Duration: Ops may slow significantly before this error appears.
• External Tools: Task Manager/Resource Monitor (check nonpaged/paged pool). Performance Monitor (track Memory\Pool Nonpaged Bytes, Pool Paged Bytes, Available MBytes; Process\Handle Count). PoolMon (WDK tool identifies pool tags/drivers consuming memory, diagnoses leaks). Kernel Debugger (!vm, !poolused for advanced analysis).
• Stack Trace: Shows component failing allocation. Filter driver visible if it failed allocation.

NTSTATUS Code: 0xC0000008⁷⁰

Primary Originating Layer/System (Potential): Object Manager (NTOSKRNL.EXE), I/O Manager, various Drivers.

Typical Operations: Any op taking handle input: ReadFile, WriteFile, CloseFile, RegQueryValue, DeviceIoControlFile, NtWaitForSingleObject.

Detailed Causation ("Why"):

• Handle is Not Valid: Value doesn't correspond to open object in process handle table.
• Handle Closed Prematurely: Handle was valid but since closed (CloseHandle/NtClose); app attempts reuse (common programming error).
• Incorrect Handle Value: App passed uninitialized variable, corrupted value, or non-handle value (e.g., pointer).
• Handle Used in Wrong Process Context (kernel callers): Kernel code uses user-mode handle in wrong process context.
• Object Type Mismatch (Less Common): API expects file handle, receives event handle (more likely STATUS_OBJECT_TYPE_MISMATCH).

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column: May show handle value used.
• Event Sequence: Trace handle value backward from failure. Look for original CreateFile/RegOpenKey returning it. Look for CloseFile/NtClose for that handle before the failure.
• Application Code Review: Often points to app handle management bugs.
• Stack Trace: Shows API call receiving invalid handle.

NTSTATUS Code: 0xC000000D⁷⁰

Primary Originating Layer/System (Potential): I/O Manager, Object Manager, any Kernel Driver (FS, Reg, Net, Device), Third-Party Filter Driver.

Typical Operations: Almost any system call/IRP: CreateFile, ReadFile, WriteFile, DeviceIoControlFile, RegSetValueEx, NtCreateUserProcess.

Detailed Causation ("Why"):

• Incorrect Flags or Options: Invalid flag combination (e.g., mutually exclusive flags in CreateFile options).
• Invalid Buffer Address/Alignment/Size: Buffer pointer NULL, invalid user address, misaligned for direct I/O. Size zero or inconsistent.
• Illegal Value for a Parameter: Out-of-range or undefined value for parameter expecting specific range/enum.
• Inconsistent Parameters: Parameters individually valid but inconsistent together (e.g., ReadFile offset+length exceeds max file size).
• Malformed Structures: Structure passed as parameter malformed/invalid data.
• Filter Driver Validation: Filter performs own validation, returns this if criteria unmet, even if underlying driver might accept (or fail differently).

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column (Crucial): Shows parameters passed. CreateFile: Desired Access, ShareMode, Options, Disposition. DeviceIoControlFile: IOCTL code, buffer lengths. Registry ops: data types/lengths.
• Stack Trace: Helps identify component (OS API, driver, filter) performing validation and returning error.
• API Documentation: Refer to MS docs for specific operation (NtCreateFile WDK, CreateFileW SDK) for valid parameter values/combinations.
• Application Code Review: Often indicates bug in how caller forms request.

NTSTATUS Code: 0xC000017C⁷⁰

Primary Originating Layer/System (Potential): Registry Manager (NTOSKRNL.EXE), Third-Party Registry Filter Driver.

Typical Operations: Any registry op on key marked for deletion (except close handle): RegQueryValue, RegSetValue, RegOpenKey (on subkey).

Detailed Causation ("Why"):

• Operation on Deleted Key: Attempted op (other than close) on registry key handle after key marked for deletion (RegDeleteKey/NtDeleteKey). Key logically gone; most ops fail until last handle closed.
• Filter Driver Intervention: Filter might manage key deletion customly or return this if policy dictates key effectively deleted.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Identifies registry key.
• Event Sequence: Look for preceding RegDeleteKey/NtDeleteKey targeting same key or parent.
• Stack Trace: Typically shows Configuration Manager (Cmp* functions in NTOSKRNL.EXE) or registry filter driver returning error.
• Status indicates key no longer valid for most operations.

NTSTATUS Code: 0xC000013B⁷⁰

Primary Originating Layer/System (Potential): Network Stack Component (TCPIP.SYS, AFD.SYS), Third-Party Network Filter Driver.

Typical Operations: TCP Send, TCP Receive, TCP Disconnect (when local side initiates).

Detailed Causation ("Why"):

• Local Application Closed Socket: Local app explicitly closed socket (closesocket()/CloseHandle()). Normal termination.
• Local Stack Initiated Termination: Local TCP/IP stack terminated connection due to internal reason (local protocol error, policy enforced by local component/filter).
• Filter Driver Action: Third-Party Network Filter (WFP/NDIS) could programmatically terminate connection based on rules, causing this status for affected app.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows source/destination IP/port of disconnected connection.
• Event Sequence: Look for preceding ops by local process indicating connection shutdown (TCP Disconnect op, app logic completion).
• Stack Trace: Can show AFD.SYS (app close) or TCPIP.SYS. Filter driver visible if forcing disconnect.
• Application Logs: May indicate why app closed connection.

NTSTATUS Code: 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND)⁷⁰

Primary Originating Layer/System (Potential): Object Manager (NTOSKRNL.EXE), File System Driver (e.g., NTFS.SYS), Registry Manager (NTOSKRNL.EXE), Network Stack Component (TCPIP.SYS via AFD.SYS for DNS), Third-Party Filter Driver (FS, Reg, Net).

Typical Operations: CreateFile, OpenFile, RegOpenKey, RegQueryValue (value name), GetHostByName/DNS query (UDP Send/Receive port 53).

Detailed Causation ("Why"):

• Object Does Not Exist (Object Manager): Object Manager couldn't find named object (event, mutex, section, symlink) in its namespace.
• File or Directory Not Found (File System Driver): Specified file/dir name doesn't exist within parent directory (parent path itself valid).
• Registry Key or Value Not Found (Registry Manager): Specified key doesn't exist under parent, or value name doesn't exist under key.
• DNS Name Resolution Failure (Network Stack): For network ops resolving hostname, DNS server couldn't find A/AAAA record. Visible on UDP port 53 ops if network activity shown.⁷⁷
• Filter Driver Hiding/Blocking: Third-party filter intercepts, returns this if policy dictates object hidden or access blocked as "not found" (e.g., security software cloaking files/keys).
• SMB Directory Cache Inconsistency: SMB redirector cache not updated after remote file creation, subsequent open fails with this.²²

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows full path/name sought. Check for typos, incorrect construction.
• Detail column for CreateFile: Check Disposition (e.g., if OPEN_EXISTING used for non-existent file).
• Stack Trace: Obj Mgr (ObpLookupObjectName), FS driver (NtfsCommonCreate), Reg Mgr (CmpDoOpen). Filter driver high in stack is strong suspect.
• Event Sequence: Check if file recently deleted/renamed. For DNS, examine query/response packets (Procmon/Wireshark).
• External Tools: Verify existence (Explorer, dir, regedit, nslookup). Check fltmc.exe for FS filters.

NTSTATUS Code: 0xC0000103⁷⁰ (Note: Also STATUS_PENDING; Procmon disambiguates)

Primary Originating Layer/System (Potential): File System Driver (e.g., NTFS.SYS, FASTFAT.SYS), Object Manager (certain namespace ops).

Typical Operations: CreateFile (with FILE_DIRECTORY_FILE option on a file, or opening file as directory for enumeration), QueryDirectoryFile (on a file).

Detailed Causation ("Why"):

• Operation Requires Directory, Target is File: Operation valid only for directories (enumerate, create file within with certain flags) attempted on a file.
• Path Incorrectly Identifies File as Directory Segment: E.g., C:\Path\To\File.txt\NewFile.txt fails because File.txt isn't a directory.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows target path. Verify if component identified as directory is one.
• Detail column for CreateFile: Check Options field for flags like FILE_DIRECTORY_FILE / FILE_NON_DIRECTORY_FILE.
• External Tools: Use Explorer or dir to check object type at path.
• Stack Trace: Usually points to FS driver.

NTSTATUS Code: 0xC00000BB⁷⁰

Primary Originating Layer/System (Potential): Any Kernel Driver (FS, Net, Device), I/O Manager, Third-Party Filter Driver.

Typical Operations: DeviceIoControlFile (unsupported IOCTLs), FsControlFile (unsupported FSCTLs), SetInformationFile/QueryInformationFile (unsupported FileInformationClass), CreateFile (unsupported flags/options for device type).

Detailed Causation ("Why"):

• Unsupported Functionality: Requested operation or specific feature/option not implemented/supported by target device/driver/FS.
• IOCTL/FSCTL: Control code in DeviceIoControlFile/FsControlFile not recognized/handled by target driver.
• FileInformationClass: FILE_INFORMATION_CLASS enum value used in query/set file info not supported by FS for that object type.
• Unsupported Flags/Options: CreateFile flags meaningless/unsupported for target device type (e.g., file flags on raw device).
• Operation Not Allowed on Target: Operation valid generally but not for specific object/device type (e.g., set EOF on directory).
• Filter Driver Rejection: Third-party filter intercepts, returns this if it doesn't implement/allow that operation/variation, even if underlying native component supports it.

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column (Very important): DeviceIoControlFile/FsControlFile shows IOCTL/FSCTL code (lookup in WDK/docs). SetInformationFile/QueryInformationFile shows FileInformationClass. CreateFile shows Options, Desired Access.
• Stack Trace: Identifies driver/system component returning status. Filter high in stack is likely source.
• API/Driver Documentation: Consult docs for target device/driver/FS to verify if operation/IOCTL/FileInformationClass supported.

NTSTATUS Code: 0xC0000035⁷⁰

Primary Originating Layer/System (Potential): Object Manager (NTOSKRNL.EXE), File System Driver, Registry Manager, Third-Party Filter Driver.

Typical Operations: CreateFile (with CREATE_NEW disposition), RegCreateKeyEx (with REG_CREATED_NEW_KEY intended), NtCreateNamedPipeFile, NtCreateMailslotFile.

Detailed Causation ("Why"):

• Object Already Exists (and overwrite not allowed): Attempt to create object (file, dir, key, named pipe, mailslot) with specific name, but object with same name already exists, and creation disposition disallowed overwrite/open existing (e.g., CreateFile with CREATE_NEW fails if file exists).
• Case Insensitivity: NTFS lookups case-insensitive by default but preserve case. Creating myfile.txt collides if MyFile.TXT exists.
• Filter Driver Logic: Filter might enforce own naming policies or manage virtualized namespace, returning this if create violates rules.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows name of object attempted creation.
• Detail column for CreateFile: Check Disposition. If CREATE_NEW (1), error expected if file exists. CREATE_ALWAYS (2) should overwrite; OPEN_ALWAYS (4) should open if exists or create if not.
• External Tools: Verify if object with same name (case-insensitively for files/dirs) exists at path (Explorer, dir, regedit).
• Event Sequence: Look for prior ops creating conflicting object.

NTSTATUS Code: 0xC000003A⁷⁰

Primary Originating Layer/System (Potential): Object Manager (NTOSKRNL.EXE), File System Driver, Registry Manager.

Typical Operations: CreateFile, OpenFile, RegOpenKey.

Detailed Causation ("Why"):

• Intermediate Directory/Key Missing: Component (directory/key) in path leading to final object name does not exist. E.g., for C:\Dir1\Dir2\File.txt, occurs if Dir1 exists but Dir2 does not. Distinct from STATUS_OBJECT_NAME_NOT_FOUND (path prefix exists, final name doesn't).
• Root of Path Invalid: Path root invalid (e.g., access file on non-existent drive X:\File.txt).

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Carefully examine full path.
• External Tools: Manually navigate path component by component (Explorer, cd, regedit) to find missing part.
• Stack Trace: Points to Object Manager (namespace paths), FS driver (file paths), or Registry Manager (reg paths).

NTSTATUS Code: 0x00000103⁷⁰ (Informational/Success by NT_SUCCESS macro)

Primary Originating Layer/System (Potential): I/O Manager, various Kernel Drivers (FS, Net, Device), Third-Party Filter Driver.

Typical Operations: Common with async I/O: ReadFile, WriteFile, DeviceIoControlFile, TCP Connect, TCP Send, TCP Receive, NtWaitForSingleObject (with non-zero timeout).

Detailed Causation ("Why"):

• Asynchronous Operation Initiated: Requested I/O op successfully initiated but not yet completed.¹⁹ Calling thread can continue while op proceeds in background. I/O Mgr/driver queued op, will signal completion later (event, APC, completion port).
• Normal for Asynchronous I/O: Standard/expected return for async I/O (handle opened with FILE_FLAG_OVERLAPPED, sockets). Not an error.
• Filter Driver Behavior: Filter intercepting async IRP, needing own lengthy async processing, might return STATUS_PENDING and complete IRP later.

Procmon Diagnostic Clues ("How to Corroborate"):

• Event Sequence (Crucial): Look for corresponding completion event later in trace for same operation (match file handle, socket context, IRP pointer if advanced output/symbols enabled). Completion event has actual final Result (e.g., SUCCESS, END_OF_FILE, error code) and bytes transferred (Detail for Read/Write). Completion often from "System" process (PID 4) or DPC/ISR context.
• Duration of PENDING op: Usually very short (just queuing). True duration is time between PENDING and completion event.
• Detail column: May show flags indicating async I/O.
• If completion event never seen, might indicate hung op or capture stopped too soon.

NTSTATUS Code: 0xC000023F⁷⁰

Primary Originating Layer/System (Potential): Network Stack Component (TCPIP.SYS for UDP), Third-Party Network Filter Driver.

Typical Operations: UDP Send.

Detailed Causation ("Why"):

• No UDP Listener on Remote Port: UDP datagram sent to remote port with no listening app. Remote host stack may respond with ICMP "Port Unreachable". Local TCPIP.SYS receives ICMP, translates to this status for sender.
• Remote Firewall Blocking UDP Port: Remote firewall blocks UDP port, configured to send ICMP Port Unreachable.
• Filter Driver Action: Local/intermediate network filter could potentially generate/simulate condition.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows destination IP/port for UDP Send.
• Event Sequence: Look for corresponding incoming ICMP message in network trace (Wireshark). Procmon doesn't usually show ICMP directly unless part of TCP/UDP op result.
• External Tools: Verify expected UDP service listening on remote host/port. UDP connectionless; relies on ICMP feedback.
• Stack Trace: Usually TCPIP.SYS if standard ICMP-indicated unreachability.

NTSTATUS Code: 0xC0000061⁷⁰

Primary Originating Layer/System (Potential): Security Reference Monitor (SRM in NTOSKRNL.EXE), various kernel components checking specific privileges.

Typical Operations: Ops requiring specific admin/system privileges: NtOpenFile with FILE_FLAG_BACKUP_SEMANTICS (SeBackupPrivilege/SeRestorePrivilege), NtShutdownSystem (SeShutdownPrivilege), NtLoadDriver (SeLoadDriverPrivilege), accessing SACLs (SeSecurityPrivilege).

Detailed Causation ("Why"):

• Missing Required Privilege: Caller process access token lacks specific privilege required by operation. Windows uses privileges for sensitive system-wide ops beyond object ACLs.²⁸
• Privilege Exists but Not Enabled: Process has privilege in token but not enabled (some need explicit enable via AdjustTokenPrivileges).

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column: May sometimes provide hints, but specific privilege often implicit.
• Stack Trace: Can show SePrivilegeCheck or other Se* functions in NTOSKRNL.EXE.
• Process Token Information: Use Process Explorer (Properties -> Security tab) to view process privileges and status (enabled/disabled).
• API Documentation: Docs for failing NtXxx/Win32 API often list required privileges.
• Clear security failure; caller not authorized for specific system-level action.

NTSTATUS Code: 0xC000014C⁷⁰

Primary Originating Layer/System (Potential): Registry Manager (NTOSKRNL.EXE).

Typical Operations: Any registry op (RegOpenKey, RegQueryValue, RegCreateKey), esp. during boot hive loading, or accessing specific hive.

Detailed Causation ("Why"):

• Hive File Corruption: On-disk registry hive file (SYSTEM, SOFTWARE, SAM, NTUSER.DAT) physically corrupted (disk errors, unsafe shutdown, malware).
• In-Memory Corruption: In-memory image of hive corrupted.
• Failed Recovery: Configuration Manager attempted hive recovery using log file (.LOG1, .LOG2) but failed.
• Very serious error, often leads to instability/unbootable system if critical hive affected.²⁵

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: May indicate specific reg path accessed when corruption detected. If during boot logging, might relate to core hive loading.
• System Event Log: Check System log for errors from "Microsoft-Windows-Registry-TrE" or similar, potentially detailing corrupted hive/recovery attempts.
• External Tools: WinRE might allow CHKDSK/System Restore. Offline registry editors/analysis tools for non-booting systems.
• Stack Trace: Points to Configuration Manager functions (Cmp* routines in NTOSKRNL.EXE).

NTSTATUS Code: 0xC000013C⁷⁰

Primary Originating Layer/System (Potential): Network Stack Component (TCPIP.SYS, AFD.SYS), Third-Party Network Filter Driver.

Typical Operations: TCP Send, TCP Receive (when remote side initiates disconnect).

Detailed Causation ("Why"):

• Remote Application Closed Socket: Remote app explicitly closed its socket. Normal remote termination.
• Remote Stack Initiated Termination: Remote TCP/IP stack initiated termination (sent FIN/RST). Due to remote app crash, remote system shutdown, remote network timeout, remote protocol error.
• Network Interruption Closer to Remote: Network device closer to remote (firewall, NAT) terminated session.
• Filter Driver Action (Remote or Intercepting): Filter on remote side causing drop, or intermediate network device filter resetting connection, manifests as remote disconnect locally.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows source/destination IP/port of disconnected connection.
• Event Sequence: Look for last successful data exchange before status.
• Stack Trace: Can show AFD.SYS/TCPIP.SYS processing disconnect notification.
• Network Trace (Wireshark): Concurrent capture shows TCP FIN/RST received from remote triggering status.
• Remote System Logs: Logs on remote server/app might indicate why it closed connection.

NTSTATUS Code: 0x00000104⁷⁰ (Informational/Success by NT_SUCCESS macro)

Primary Originating Layer/System (Potential): Object Manager (NTOSKRNL.EXE), File System Driver (e.g., NTFS.SYS), Third-Party File System Filter Driver.

Typical Operations: CreateFile, OpenFile (any op involving path parsing).

Detailed Causation ("Why"):

• Symbolic Link/Junction/Mount Point Encountered: Not an error. During path resolution, Object Manager or FS Driver encountered reparse point (symlink, junction, mount point, file with special reparse tag like HSM, OneDrive placeholders, deduplication, WCI).²¹
• Redirection Directive: STATUS_REPARSE instructs I/O Manager/filter to re-evaluate operation, typically with modified path (symlink target) or allow specific driver (owning tag) to handle I/O.⁷⁴
• File System Filter Driver Redirection (CRITICAL): Many filters use reparse points/status extensively.⁶⁴ HSM (stub file -> filter retrieves from slow storage -> reissue open). File Virtualization/Sync (OneDrive placeholders -> filter downloads/hydrates). Deduplication (points to common chunks).
• IO Manager Handling: If known tag (symlink), I/O Mgr substitutes path and retries. If filter tag, filter's handler invoked.

Procmon Diagnostic Clues ("How to Corroborate"):

• Event Sequence (Crucial): Look for subsequent CreateFile immediately following REPARSE result. New CreateFile often has different Path (resolved target), Result often SUCCESS or other status.
• Detail column of REPARSE CreateFile: With "Enable Advanced Output", might show reparse tag value (Tag: Symbolic Link, Mount Point, custom value).
• Stack Trace: Can show IopParseDevice/ObpLookupObjectName (OS handled). If filter driver (wcifs.sys, storqosflt.sys, rdbss.sys, cldflt.sys, third-party AV/HSM/sync) returning/handling, its module in stack.
• External Tools: fsutil reparsepoint query <path> shows reparse data. dir /AL shows symlinks/junctions.

NTSTATUS Code: 0xC0000043⁷⁰

Primary Originating Layer/System (Potential): File System Driver (e.g., NTFS.SYS), Third-Party File System Filter Driver.

Typical Operations: CreateFile, OpenFile.

Detailed Causation ("Why"):

• Incompatible Share Modes (CRITICAL): Attempt to open file with ShareMode (e.g., FILE_SHARE_READ, FILE_SHARE_WRITE) incompatible with how file already opened by another handle (same/different process). Example: Proc A opens exclusive (ShareMode=0); Proc B attempts any open -> fails. Example: Proc A opens with ShareMode=FILE_SHARE_READ, DesiredAccess=GENERIC_WRITE; Proc B attempts DesiredAccess=GENERIC_READ -> fails. Rule: New open's access must be permitted by all existing openers' share modes, AND new open's share mode must permit all existing openers' access modes.
• Filter Driver Holding File Open (CRITICAL): Third-party FS filter (AV, backup, indexer) might have file open, potentially with restrictive share mode, while processing. Very common cause of unexpected violations. Filter's open may be brief but conflict.⁶
• Desired Access vs. Existing Open: Attempting write access when another handle open without FILE_SHARE_WRITE. Attempting delete access when another handle open without FILE_SHARE_DELETE.

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column for failing CreateFile: Shows requested Desired Access and ShareMode.
• Event Sequence & Filtering: Filter Procmon for file Path. Look for all prior successful CreateFile ops on this path by any process; examine their ShareMode. Identify processes/handles currently holding file open (Procmon Find Handle/DLL, Process Explorer, Resource Monitor).
• Stack Trace: Usually FS driver (NTFS.SYS, FASTFAT.SYS) returns error. Critically, if filter holding file open conflictingly, its own open ops might be visible prior. Filter might also directly return STATUS_SHARING_VIOLATION based on policy or if high in stack when violation returned.
• Temporarily disabling security/backup software can help isolate cause.

NTSTATUS Code: 0x00000000⁷⁰

Primary Originating Layer/System (Potential): I/O Manager, Object Manager, FS Driver, Reg Mgr, Net Stack, any other driver, Third-Party Filter Driver (if allows pass-through, completes own op successfully, or uses success-equivalent bypass like STATUS_CALLBACK_BYPASS⁵⁷).

Typical Operations: Virtually all operations can result in SUCCESS (CreateFile, ReadFile, WriteFile, CloseFile, RegOpenKey, RegQueryValue, TCP Connect, Process Create).

Detailed Causation ("Why"):

• Operation Completed as Requested: Kernel component/driver performed op successfully. Conditions met: object found, rights granted, no sharing conflicts, valid params, resources available, device state ok.
• For CreateFile: File/dir opened/created per Desired Access, ShareMode, Disposition. Detail shows outcome (Disposition: OPENED, CREATED, OVERWRITTEN).¹⁷
• For ReadFile/WriteFile: Data transferred. Detail shows Offset, Length requested, I/O Flags. Bytes transferred in IoStatus.Information (matches Length for success unless EOF/BUFFER_OVERFLOW).
• For Registry ops: Key opened, value read/written/deleted. Detail shows data for queries/sets.
• For Network ops: TCP connection established, data sent/received.
• For Process/Thread ops: Process/thread created.
• Filter Driver Context: If filters present: Filter pre-op returned success status (FLT_PREOP_SUCCESS_*), allowing op to proceed/complete successfully below. Filter post-op observed success from below, returned success. Filter handled op itself, returned STATUS_SUCCESS or equivalent (STATUS_CALLBACK_BYPASS for some reg filter post-notifications⁵⁷).

Procmon Diagnostic Clues ("How to Corroborate"):

• Detail column: Confirms specifics (access granted, data read, connection established).
• Duration: Typically low for simple/quick ops. Higher duration indicates significant work (large read, slow network) or latency from stack components (including filters).
• Stack Trace: Shows execution path leading to success. Useful for understanding component involvement (including filters) even in success cases.
• Event Sequence: Successful ops enable subsequent dependent ops (e.g., successful CreateFile followed by ReadFile/WriteFile on handle).

NTSTATUS Code: 0x00000102⁷⁰

Primary Originating Layer/System (Potential): Network Stack Component (TCPIP.SYS, AFD.SYS), I/O Manager (ops with timeouts), various Device Drivers, Third-Party Filter Driver (esp. net/FS filters imposing time limits or causing delays).

Typical Operations: TCP Connect, TCP Send, TCP Receive, NtWaitForSingleObject (and related waits), DeviceIoControlFile (if IOCTL/driver implements timeout), ReadFile/WriteFile (some devices/flags).

Detailed Causation ("Why"):

• Network Operation Timeout: TCP Connect: No response (SYN-ACK) from remote within retransmission timeout (remote down, connectivity issue, firewall silently dropping packets). TCP Send/Receive: No ACK for sent data, or no expected data received within protocol/app timeout.
• Wait Operation Timeout: Wait function (NtWaitForSingleObject) expired because timeout interval elapsed before object(s) signaled.
• Device I/O Timeout: Device driver failed to complete I/O within prescribed limit (non-responsive device, hardware errors, driver bug).
• Filter Driver Induced Latency (CRITICAL): Third-party filter (FS, net, etc.) performing lengthy processing (deep inspection, encryption, slow remote lookups) adds significant latency. If latency exceeds timeout (app, I/O Mgr, higher driver), op may complete with STATUS_TIMEOUT.⁶
• Application-Defined Timeout: App implements own timeout, aborts op. May manifest differently unless app cancels underlying I/O resulting in this status.

Procmon Diagnostic Clues ("How to Corroborate"):

• Path column: Shows destination IP/port (network), target file/device.
• Duration column: Duration of timed-out op approx equals timeout value. Examine durations of preceding related ops; long durations in underlying calls (filters?) can cause higher-level timeout.
• Event Sequence: TCP Connect: Look for TCP:Retransmit events (Procmon/Wireshark) before TIMEOUT. Look for other network/device problems (HOST_UNREACHABLE, DEVICE_NOT_READY).
• Stack Trace: Indicates component reporting timeout. TCPIP.SYS -> network-level timeout. Higher up -> app/framework timeout. Filter presence in stack of timed-out or preceding ops significant if involved in long processing.
• External Tools: Network diagnostics (ping, tracert, Wireshark). Device diagnostics/system event logs.