Windows Error Codes and Messages

1. Kernel-mode Core Components:

• a. NTOSKRNL.EXE (Executive subsystems): This is the core of the Windows kernel and executive.
  • Object Manager (Ob): Manages kernel objects (files, devices, events, semaphores, sections, processes, threads, symbolic links, etc.). Errors originating here include STATUS_OBJECT_NAME_NOT_FOUND (object does not exist), STATUS_OBJECT_PATH_NOT_FOUND (a component in the path to an object does not exist), STATUS_INVALID_HANDLE (handle is not valid or does not grant required access), STATUS_ACCESS_DENIED (access check failed, often in conjunction with SRM), STATUS_OBJECT_NAME_COLLISION (attempt to create an object with a name that already exists), and STATUS_REPARSE (symbolic link encountered, requiring re-evaluation of the path).^12,13
  • Process Manager (Ps): Manages processes and threads. Errors include STATUS_PROCESS_IS_TERMINATING or STATUS_THREAD_IS_TERMINATING (operation attempted on a terminating entity), STATUS_INVALID_CID (invalid client ID for process/thread), STATUS_NO_MEMORY or STATUS_INSUFFICIENT_RESOURCES during process/thread creation if resources are exhausted.¹²
  • Memory Manager (MM): Manages physical and virtual memory, including paging and the system cache. A primary source of critical errors such as STATUS_ACCESS_VIOLATION (invalid memory access), STATUS_IN_PAGE_ERROR (I/O error during paging), STATUS_NO_MEMORY (virtual memory or quota exhaustion), STATUS_COMMITMENT_LIMIT (system commit charge limit reached), and STATUS_INSUFFICIENT_RESOURCES (often related to pool depletion).¹²
  • I/O Manager (Io): Manages I/O requests to device drivers via IRPs. It is a conduit for errors from underlying device drivers and can also generate its own errors. Common errors include STATUS_NO_SUCH_FILE, STATUS_DEVICE_DOES_NOT_EXIST, STATUS_IO_DEVICE_ERROR (generic hardware error from device), STATUS_SHARING_VIOLATION, STATUS_INVALID_DEVICE_REQUEST (operation not valid for device type), STATUS_BUFFER_TOO_SMALL, STATUS_BUFFER_OVERFLOW, and STATUS_PENDING (operation initiated asynchronously).^6,12
  • Security Reference Monitor (SRM): Enforces security policies and performs access checks. Generates errors like STATUS_ACCESS_DENIED when an access check fails based on an object's security descriptor and the caller's access token, and STATUS_PRIVILEGE_NOT_HELD if a required privilege is not enabled in the caller's token.¹²
  • Configuration Manager (Cm): Manages the system registry. Errors include STATUS_REGISTRY_CORRUPT (hive file corruption), STATUS_ACCESS_DENIED (insufficient permissions for registry key access), STATUS_OBJECT_NAME_NOT_FOUND (key or value not found), and STATUS_INSUFFICIENT_RESOURCES if pool is exhausted during registry operations.¹²

  Driver signature enforcement by the PnP Manager or OS loader is another source of errors. Unsigned, improperly signed, or tampered drivers may fail to load, resulting in codes like STATUS_IMAGE_CHECKSUM_MISMATCH or STATUS_INVALID_IMAGE_FORMAT. This is a security measure but can present as an operational error if legitimate drivers are misconfigured in a secure environment.

• b. Hardware Abstraction Layer (HAL.DLL): Interfaces NTOSKRNL.EXE with platform-specific hardware details (interrupts, timers, DMA controllers, buses). While it may not frequently originate high-level named NTSTATUS codes returned to applications, HAL malfunctions or incompatibilities are a critical source of system instability, often leading to bug checks (Blue Screen of Death - BSODs).^1,14,15 Errors like HAL_INITIALIZATION_FAILED (a bug check code, not a typical API return NTSTATUS) can occur during boot. A faulty HAL can cause incorrect hardware programming or misinterpretation of hardware signals, leading to diverse and severe errors like unexpected interrupts, memory corruption, or system deadlocks.
• c. Native File System Drivers (e.g., NTFS.SYS, FASTFAT.SYS, Refs.sys): Implement file system logic, managing on-disk structures, metadata, and enforcing file sharing rules. They are a source of NTSTATUS codes such as STATUS_DISK_CORRUPT_ERROR, STATUS_FILE_CORRUPT_ERROR, STATUS_SHARING_VIOLATION (e.g., due to incompatible share flags or specific issues like NTFS attribute list handling for highly fragmented files²⁰), STATUS_DISK_FULL, STATUS_LOG_FILE_FULL (for transactional file systems), and STATUS_ACCESS_DENIED.^16,17
• d. Other native device drivers (Network, Graphics, Storage, etc.): These drivers directly control hardware peripherals. Bugs within these drivers, hardware malfunctions, or improper interaction with the hardware can cause them to return a wide range of NTSTATUS errors to the I/O Manager (e.g., STATUS_DEVICE_POWER_FAILURE, STATUS_DEVICE_NOT_READY, STATUS_IO_TIMEOUT, STATUS_NDIS_ADAPTER_NOT_FOUND for network drivers). Severe driver errors often lead to system crashes.^14,18,19,21

2. User-mode System Libraries:

• a. NTDLL.DLL: The lowest-level user-mode library, acting as the primary interface between user-mode applications and the kernel. It exposes the Native API (functions typically prefixed with Nt or Zw) and contains the system service dispatcher that transitions calls into kernel mode (syscalls). Many NTSTATUS codes returned by kernel services pass directly through NTDLL.DLL to the calling Win32 subsystem library or application. NTDLL.DLL also contains crucial helper routines, including RtlNtStatusToDosError for translating NTSTATUS codes to Win32 error codes.³
• b. KERNEL32.DLL, KERNELBASE.DLL: These libraries implement the core Win32 API functions for fundamental operations like file I/O (CreateFile, ReadFile), memory management (VirtualAlloc, HeapAlloc), and process/thread management (CreateProcess, CreateThread). They typically call underlying Native API functions in NTDLL.DLL and are responsible for translating the returned NTSTATUS codes into Win32 error codes, which are then retrievable via GetLastError().^22,23,24 KERNELBASE.DLL was introduced in Windows 7 as a refactoring of KERNEL32.DLL to hold base functionality, part of the MinWin effort. The evolution of these libraries and the introduction of API sets can sometimes lead to "DLL Hell" type issues if applications have incorrect dependencies or manifests, potentially resulting in ERROR_MOD_NOT_FOUND or ERROR_PROC_NOT_FOUND.
• c. USER32.DLL: Manages user interface elements such as windows, messages, menus, dialog boxes, and user input (keyboard, mouse). Errors generated by or propagated through USER32.DLL often relate to invalid window handles, resource limitations (e.g., exhaustion of desktop heap or user object GDI handles), or issues with message queues.^22,25,26
• d. GDI32.DLL: The Graphics Device Interface library, responsible for 2D graphics rendering, drawing operations, font management, and printer interactions. Errors can arise from invalid GDI object handles (pens, brushes, bitmaps, device contexts), exhaustion of GDI object limits, or issues with display or printer drivers.^22,27,28 Both USER32 and GDI32 manage finite resources. Applications leaking these resources (e.g., not destroying windows or GDI objects) can exhaust per-process or system-wide limits, leading to failures in creating new UI elements. This can manifest as a generic ERROR_NOT_ENOUGH_MEMORY (Win32 error 8) even if system RAM is plentiful, because specific heaps like the desktop heap (for user objects) or GDI handle tables are depleted.
• e. ADVAPI32.DLL: Provides access to advanced Windows services, including security APIs (e.g., LogonUser, GetTokenInformation, AccessCheck), registry manipulation APIs (often layered over NTDLL's native registry functions), and Service Control Manager (SCM) functions (OpenSCManager, CreateService, StartService). Errors commonly include access denied conditions, invalid credentials, privilege not held, registry access failures, or service control failures.^22,29,30
• f. SHELL32.DLL: Implements shell APIs, providing functionality related to the Windows shell (desktop, taskbar, file explorer), file operations (copy, move, delete, often wrapping KERNEL32 calls), namespace navigation, and common dialogs. Errors can relate to file system operations, issues with shell extensions, or problems accessing shell namespace objects.^22,31,32

3. Component Object Model (COM):

• a. OLE32.DLL, COMBASE.DLL: These DLLs provide the fundamental COM infrastructure, including services for object activation (CoCreateInstance, CoGetClassObject), interface querying (QueryInterface), reference counting (AddRef, Release), and marshalling of interface pointers across apartments, processes, or machines. They are the primary source of HRESULT values in COM.^33,34,35 COMBASE.DLL is a more recent library that incorporates core COM functionality, reflecting API set refactoring. Common HRESULTs include E_NOINTERFACE, E_POINTER, E_OUTOFMEMORY, CO_E_NOTINITIALIZED, REGDB_E_CLASSNOTREG (class not registered), and CO_E_INIT_TLS.^22,38,39 Failures in marshalling parameters or return values, especially for cross-boundary calls, can result in generic HRESULTs like E_FAIL or RPC-related errors, obscuring the marshalling problem itself. This can be due to buggy proxy/stub implementations, unregistered interfaces for marshalling, or network issues in DCOM.
• b. RPCSS (RPC Subsystem): The RPCSS service is essential for COM's inter-process and remote communication capabilities (DCOM). Failures within the RPCSS service itself, or network problems impacting RPC communication, can lead to HRESULTs such as RPC_E_SERVER_UNAVAILABLE (server process not running or unreachable), RPC_E_CALL_FAILED (generic communication failure), or E_ACCESSDENIED (if security contexts mismatch or authentication fails during the RPC call).^36,37 Errors like CO_E_INIT_RPC_CHANNEL indicate issues initializing RPC services for COM.³⁸
• c. COM Servers/Objects: Individual COM components (in-process servers like DLLs, or out-of-process servers like EXEs) return HRESULTs from their implemented interface methods. These can be standard HRESULTs defined in winerror.h or custom, application-specific HRESULTs (where the Customer bit is set). The meaning of custom HRESULTs is defined by the component vendor. Incorrect management of COM apartment threading models (Single-Threaded Apartment - STA, Multi-Threaded Apartment - MTA) can lead to unexpected behavior and errors. For instance, directly accessing an STA object from a thread other than its creator without proper marshalling can result in RPC_E_WRONG_THREAD or unpredictable crashes.

4. .NET Framework / .NET Core:

• a. Common Language Runtime (CLR) (e.g., mscorwks.dll, coreclr.dll): The CLR manages the execution of .NET applications. It has its own exception handling system. When .NET code interoperates with native COM components or Win32 APIs (via P/Invoke), the CLR is responsible for marshalling data and translating error codes. HRESULTs from COM calls or Win32 errors from P/Invoke calls are typically converted into .NET exceptions.⁴⁰ The original HRESULT is often stored in the Exception.HResult property. The CLR's marshalling and error translation can sometimes lose context, especially with custom error codes or if IErrorInfo is not properly provided by a COM component.⁴¹
• b. Base Class Library (BCL): The BCL provides fundamental .NET classes and functionalities. Methods within the BCL that call underlying OS services will catch errors from those services (HRESULTs, Win32 errors) and wrap them in more specific .NET exception types, such as System.IO.IOException, System.UnauthorizedAccessException, or System.OutOfMemoryException. The original error information may be available via the HResult property or as an InnerException. Issues with garbage collection and finalization, particularly concerning the release of unmanaged resources (handles, native memory) wrapped by .NET objects, can lead to delayed errors. If an object's Dispose method is not called and its finalizer attempts to release an already invalid handle or perform an illegal operation, an exception (often an SEHException or a critical failure) can occur on the finalizer thread, making it difficult to attribute to the code that originally misused the resource.

5. Networking Stack:

• a. WinSock (WS2_32.DLL): The Windows Sockets API provides the interface for network programming. It is the source of WSA error codes, which are retrieved using WSAGetLastError(). Examples include WSAECONNREFUSED (connection actively refused), WSAETIMEDOUT (connection attempt timed out), WSAHOST_NOT_FOUND (host name resolution failed), WSAENETDOWN (network subsystem failed), and WSAENOBUFS (insufficient buffer space, often ephemeral port exhaustion).^42,43,44,45
• b. Windows Filtering Platform (WFP) / Transport Driver Interface (TDI - legacy):
  • WFP: The modern framework for network packet filtering and modification in Windows. WFP callout drivers, registered by applications like firewalls or security software, can inspect, modify, or drop network traffic at various layers of the network stack.^46,47 Actions taken by WFP callouts can directly lead to connection failures or modifications that result in Winsock errors being reported to applications.^48,49
  • TDI (Legacy): An older interface used by network protocol drivers and filter drivers. TDI filters could also intercept and modify network traffic, potentially causing errors.
• c. Network Driver Interface Specification (NDIS) drivers: These include drivers for physical Network Interface Cards (NICs) and NDIS intermediate or filter drivers that can be layered within the NDIS stack.^50,51 Problems at this level, such as NIC hardware failures, bugs in NIC drivers, or interference from NDIS filter drivers (e.g., third-party firewalls, VPN clients, network monitoring tools), can lead to a range of network connectivity issues, manifesting as higher-level Winsock errors or complete loss of network access.⁴⁹

The layered nature of network filtering (NDIS filters, WFP callouts, legacy LSPs/WSPs, application-level firewalls) means a Winsock error like WSAECONNREFUSED or WSAETIMEDOUT could be due to a block or modification at any of these layers. Pinpointing the responsible layer often requires specialized diagnostic tools. Furthermore, DNS resolution failures (leading to WSAHOST_NOT_FOUND) are a common source of network errors.^52,53 However, intermittent DNS issues or misconfigurations might cause subsequent connection attempts to fail with timeouts or unreachability errors if an application caches a stale IP or if the DNS resolution itself times out, thereby masking the DNS root cause.

6. Third-Party Filter Drivers (Critical External Influence):

Third-party filter drivers are kernel-mode components that intercept and potentially modify system operations. They are commonly used by security software (Antivirus, EDR, DLP), encryption tools, backup agents, and virtualization software.

• a. Role and Mechanism:
  • File System Minifilters: These drivers attach to the file system stack using the Filter Manager (FltMgr.sys) and can intercept IRPs for file operations (create, read, write, close, query/set information, etc.).⁵⁴ Examples include antivirus scanners inspecting files on open, EDR solutions monitoring file access patterns, DLP tools preventing unauthorized data movement, and on-access encryption drivers.
  • NDIS Filter Drivers: These insert into the NDIS network stack to monitor or modify network packets exchanged between protocol drivers (like TCP/IP) and miniport drivers (NIC drivers).⁵¹ They are used by personal firewalls, VPN client software, network traffic shapers, and monitoring tools.
  • WFP Callout Drivers: These integrate with the Windows Filtering Platform at various network layers to inspect, modify, or block network data flows.⁴⁶ Modern firewalls, intrusion detection/prevention systems (IDS/IPS), and some types of content filtering software utilize WFP callouts.
  • Registry Filter Drivers: These drivers register callback routines with the Configuration Manager (using CmRegisterCallbackEx) to intercept operations on registry keys and values (e.g., create key, open key, set value, delete key).^{55,56,57,58,59} Security hardening tools, application virtualization, and some EDR solutions may use registry filters.
• b. Error Generation Impact:

  Filter drivers can be a direct or indirect source of errors.

  • Direct Error Generation: A filter driver can complete an intercepted operation (e.g., an IRP for a file system filter, a network packet for an NDIS/WFP filter, or a registry callback) with an error status if its internal logic or policy dictates that the operation should be blocked. For example:
    • A DLP file system minifilter might return STATUS_ACCESS_DENIED for an unauthorized attempt to copy a sensitive file.⁶⁰
    • An antivirus minifilter might return STATUS_ACCESS_DENIED or a custom status if a file is infected and access is blocked.
    • A WFP firewall callout might cause network connections to be dropped, leading to Winsock errors like WSAECONNREFUSED or WSAETIMEDOUT at the application layer.^61,62,63,64
    • A registry filter might return STATUS_ACCESS_DENIED if an application attempts to modify a protected registry key.
  • Indirect Error Generation:
    • Bugs in Filter Drivers: Software defects within the filter driver itself (e.g., memory corruption, incorrect handling of IRPs or network data structures, use-after-free errors, pool exhaustion due to leaks) can lead to system instability, BSODs (e.g., DRIVER_IRQL_NOT_LESS_OR_EQUAL, PAGE_FAULT_IN_NONPAGED_AREA), deadlocks, resource leaks (STATUS_INSUFFICIENT_RESOURCES), or performance degradation severe enough to cause timeouts in applications or other system components.^65,66
    • Performance Degradation: A filter driver performing excessive processing for each intercepted operation can introduce significant latency. This can cause applications to time out or the system to become unresponsive. For example, a slow network filter could contribute to WSAETIMEDOUT errors.
    • Resource Leaks: Filter drivers that leak kernel resources (e.g., non-paged pool, handles, IRPs) can gradually degrade system performance and stability, eventually leading to resource exhaustion errors like STATUS_INSUFFICIENT_RESOURCES or system crashes.
    • Conflicts Between Multiple Filters: When multiple filter drivers are attached to the same device stack (e.g., multiple file system minifilters on a volume, or multiple NDIS filters on a network adapter), their interactions can be complex. The load order (altitude for minifilters) is critical.⁵⁴ Conflicts can arise if filters make incompatible assumptions about the state of an operation or data, if one filter undoes the work of another, or if they contend for resources, potentially leading to deadlocks, incorrect behavior, or explicit errors.
• c. Diagnostic Challenge:

  Errors originating from or induced by filter drivers are often reported by the core Windows component whose operation was intercepted, rather than by the filter driver itself. This makes attribution difficult. For instance, if a file system minifilter returns STATUS_ACCESS_DENIED for an IRP_MJ_CREATE request, the application calling CreateFile will receive ERROR_ACCESS_DENIED. The application and its logs will point to CreateFile or the file system as the source of the error, unaware of the intercepting filter.

  Diagnosing such issues typically requires specialized tools and techniques:

  • fltmc.exe: This command-line utility is used to manage file system minifilter drivers. fltmc instances can list attached minifilters and their altitudes for a given volume, helping identify which filters are active.
  • Event Tracing for Windows (ETW): Many system components, including Filter Manager (FltMgr), WFP, NDIS, and individual drivers, provide ETW providers. Analyzing ETW traces can reveal the flow of operations through filter drivers and pinpoint where an error was generated or an operation was blocked.⁶⁷
  • Kernel Debugging (WinDbg): Allows direct inspection of kernel memory, IRPs, filter driver data structures, and stepping through filter driver code. This is often essential for complex issues.
  • Process Monitor (ProcMon): While a user-mode tool, ProcMon can show the results of file system and registry operations. Failures like "ACCESS DENIED" or "SHARING VIOLATION" might be correlated with the presence of certain filter drivers, especially if disabling a filter changes the outcome. ProcMon can also display filter driver altitudes for file system operations.⁶⁷
  • Vendor-Specific Logging/Tools: Security software vendors often provide their own logging mechanisms or diagnostic tools that can offer insight into why their filters are taking certain actions.

  Filter drivers can interfere with IRP processing in subtle ways, such as modifying IRP parameters incorrectly, holding IRPs for excessive durations (causing perceived hangs or timeouts), or mishandling IRP completion, leading to a wide spectrum of I/O errors or even data corruption.^68,69 The altitude and load order of filter drivers are critical; incorrectly ordered filters or filters that make unsafe assumptions about other filters in the stack can lead to instability, conflicts, and errors.

  It is also important to recognize that not all filter driver interventions result in explicit error codes. Some filters might silently modify data streams (e.g., content filtering by a web proxy filter) or redirect operations. While the API call might return success, the application receives altered data or an altered outcome, which can be perceived as a malfunction and is often very difficult to diagnose because no error is flagged.

a. Memory Manager (MM)

• Error Code Value: 0xC0000005

  Symbolic Name: STATUS_ACCESS_VIOLATION

  Originating Module/Component: Kernel Executive Subsystems (Memory Manager)

  Associated Error Message Text(s): "The instruction at 0x\%08lx referenced memory at 0x\%08lx. The memory could not be %s." (Variables: instruction pointer, faulting address, "read" or "written" or "executed").

  Detailed Causation ("Why"):

  • Invalid Parameters: Attempting to access memory using a NULL pointer, an uninitialized pointer, or a pointer to an invalid address space (e.g., user-mode code trying to access kernel-space addresses directly).
  • Access Control/Permissions: Writing to a read-only memory region, attempting to execute code from a non-executable memory region (Data Execution Prevention - DEP), or accessing a guard page.
  • Buffer Issues: Buffer overflows or underflows corrupting adjacent memory, including pointers or critical data structures, leading to subsequent attempts to access memory using these corrupted values.
  • Hardware/Device Issues: Faulty RAM modules can cause sporadic and unpredictable access violations.^{80, 81}
  • Concurrency/Synchronization: Race conditions in multithreaded applications or kernel-mode drivers leading to corrupted shared memory, dangling pointers, or inconsistent data structures that are then accessed.
  • Software Bugs: Dereferencing a stale pointer (a pointer to memory that has been freed), incorrect pointer arithmetic, use-after-free vulnerabilities. Bugs in kernel-mode drivers, such as attempting to access paged-out kernel memory at an elevated IRQL (>= DISPATCH_LEVEL) or accessing user-mode buffers without proper validation, probing (ProbeForRead/ProbeForWrite), and exception handling (__try/__except).
  • Third-Party Filter Driver Impact: A bug within a third-party filter driver (e.g., file system minifilter, network filter) that involves incorrect buffer handling, accessing user-mode buffers without proper mechanisms, or dereferencing invalid pointers can directly cause a STATUS_ACCESS_VIOLATION in kernel mode, typically resulting in a system crash (BSOD).

  Triggering Conditions ("When"):

  • Dereferencing NULL, uninitialized, or corrupted pointers during any memory operation (read, write, execute).
  • Passing invalid buffer pointers or handles that map to invalid memory to API calls.
  • During process or thread startup or shutdown if critical memory structures are corrupted.
  • When a kernel-mode driver attempts to access paged memory at or above DISPATCH_LEVEL.
  • When Data Execution Prevention (DEP) is triggered by an attempt to execute code from a memory region marked as non-executable.
  • Occurs frequently when applications or drivers have memory corruption bugs or interact with faulty hardware.^{12, 80, 81}

• Error Code Value: 0xC0000006

  Symbolic Name: STATUS_IN_PAGE_ERROR

  Originating Module/Component: Kernel Executive Subsystems (Memory Manager, with I/O Manager involvement)

  Associated Error Message Text(s): "The instruction at 0x\%08lx referenced memory at 0x\%08lx. The required data was not placed into memory because of an I/O error status of 0x\%08lx." (Variables: instruction pointer, faulting address, underlying I/O NTSTATUS error code).

  Detailed Causation ("Why"):

  • Hardware/Device Issues: Failing hard disk drive, presence of bad sectors on the disk where the page file or a memory-mapped file resides, faulty disk controller, loose storage cables, or failing RAM modules that corrupt data being transferred to/from disk.
  • Dependency Failures: The underlying I/O subsystem (I/O Manager, disk drivers, file system drivers) returned an error when the Memory Manager attempted to read a required page from disk into memory (a page fault). The embedded I/O error status (e.g., STATUS_DEVICE_DATA_ERROR, STATUS_CRC_ERROR, STATUS_DEVICE_NOT_READY) provides more specific information about the I/O failure.
  • Data Integrity/Corruption: Corruption of the page file (pagefile.sys), or corruption of an executable file (EXE, DLL) or data file that is memory-mapped.
  • Software Bugs: Bugs in disk drivers, storage stack filter drivers, or file system drivers that cause I/O operations to fail during paging.
  • Resource Scarcity: In rare cases, extreme resource exhaustion (e.g., non-paged pool) in underlying storage drivers might prevent them from completing paging I/O.
  • Third-Party Filter Driver Impact: A file system filter driver (e.g., antivirus, encryption) or a storage filter driver that intercepts paging I/O operations could:
    • Incorrectly modify the I/O request, leading to failure.
    • Block access to the page file or the file being paged in.
    • Contain a bug that directly causes the I/O to fail or corrupts the data.
    • An aggressive antivirus filter might erroneously block access to a system file being paged in if it's falsely flagged.⁸²

  Triggering Conditions ("When"):

  • When the system attempts to load a required page of data or code from a memory-mapped file (e.g., an executable, DLL, or data file) or from the system page file into physical RAM, and the underlying disk I/O operation fails.
  • Frequently observed when launching applications, loading DLLs, or accessing data from files if the backing storage is faulty, the page file is corrupt, or a problematic driver is in the storage or file system stack.^{82, 83}
  • Can occur when running an executable from a network volume if there are significant network issues or interference from network filter drivers, causing the remote file data to be inaccessible during paging.^{12, 82}

• Error Code Value: 0xC0000017

  Symbolic Name: STATUS_NO_MEMORY

  Originating Module/Component: Kernel Executive Subsystems (Memory Manager)

  Associated Error Message Text(s): "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation."

  Detailed Causation ("Why"):

  • Resource Scarcity (System Commit Limit): Exhaustion of the system commit limit, which is the sum of physical RAM and the current sizes of all page files. This occurs when the total committed virtual memory by all processes exceeds available resources.
  • Resource Scarcity (Page File): The page file(s) cannot grow large enough (due to disk space limitations or configured size limits) to satisfy memory demands.
  • Resource Scarcity (Kernel Pools): Depletion of kernel-mode memory pools, specifically non-paged pool or paged pool. This is often due to memory leaks in kernel-mode drivers or excessive allocations by kernel components.
  • Quota Limits: A process attempting to allocate memory may exceed its assigned job object quota or other system-imposed quota limits.
  • Memory Fragmentation: Severe virtual address space fragmentation within a process can prevent large contiguous allocations, even if total free virtual address space appears sufficient. In kernel mode, pool fragmentation can have similar effects.
  • Software Bugs: Memory leaks in user-mode applications or kernel-mode drivers that continuously consume memory without releasing it, eventually exhausting available resources.
  • Configuration Errors: During Windows Update or setup, if the Boot Configuration Data (BCD) incorrectly marks valid memory regions as "badmemory," it can lead to insufficient usable RAM for operations like creating a ramdisk, triggering this error.^{84, 85}
  • Third-Party Filter Driver Impact: A filter driver leaking paged or non-paged pool is a significant potential cause of kernel memory exhaustion, leading to STATUS_NO_MEMORY conditions, system-wide instability, or BSODs.^{65, 66}

  Triggering Conditions ("When"):

  • During memory allocation requests by applications or system components (e.g., user-mode VirtualAlloc, HeapAlloc; kernel-mode NtAllocateVirtualMemory, ExAllocatePoolWithTag).
  • During process or thread creation if system resources are critically low.
  • When loading large executable files, DLLs, or data files into memory.
  • During system operations like Windows Update, especially if BCD contains incorrect "badmemory" entries preventing the use of available RAM.^{12, 84, 85}

b. I/O Manager (Io)

• Error Code Value: 0xC000000E

  Symbolic Name: STATUS_NO_SUCH_DEVICE (Note: MS-ERREF lists this as STATUS_NO_SUCH_DEVICE, while some contexts might use STATUS_DEVICE_DOES_NOT_EXIST with the same value. The message text aligns with "device does not exist".)

  Originating Module/Component: Kernel Executive Subsystems (I/O Manager, PnP Manager)

  Associated Error Message Text(s): "{No Such Device} The specified device does not exist."

  Detailed Causation ("Why"):

  • Object/Entity Non-existence: An attempt was made to access a device object that does not exist or is not currently available in the system. The device may have been removed, disabled, or never properly installed/initialized.
  • Hardware/Device Issues: Physical disconnection of the device, hardware malfunction, or device failure.
  • Driver Issues: The driver for the device failed to load, crashed, or was uninstalled. The PnP Manager could not find or start a suitable driver.
  • Configuration Errors: Incorrect system configuration, such as corrupted Boot Configuration Data (BCD) pointing to a non-existent boot device, leading to boot failures with this error or similar ones like 0xc000000f.^{86, 87} Incorrect BIOS/UEFI boot order trying to boot from a non-bootable or unavailable device.
  • Resource Conflicts: Though less common for this specific error, severe resource conflicts could prevent a device from being recognized or started.
  • Third-Party Filter Driver Impact: A bus filter driver or a lower filter driver in the device stack for the target device could prevent the device from being enumerated or started correctly. A bug in such a filter might make the device appear non-existent to higher levels.

  Triggering Conditions ("When"):

  • During system boot if the boot device specified in the BCD is not found or its driver fails to load.^{86, 87}
  • When an application or driver attempts to open a handle to a device object (e.g., via NtCreateFile with a device path like \Device\DeviceName) that is not registered with the I/O Manager.
  • During Plug and Play device enumeration if a device is physically present but cannot be initialized due to hardware or driver problems.
  • Accessing a removable media device that has been ejected.
  • Snippet Integration: ^{12, 86, 87}

• Error Code Value: 0xC000000F

  Symbolic Name: STATUS_NO_SUCH_FILE

  Originating Module/Component: Kernel Executive Subsystems (I/O Manager) / File System Drivers

  Associated Error Message Text(s): "{File Not Found} The file %hs does not exist."

  Detailed Causation ("Why"):

  • Object/Entity Non-existence: The primary cause: the specified file or directory genuinely does not exist at the provided path.
  • Invalid Parameters: An incorrect file path string was provided (e.g., syntax errors, invalid characters, excessively long path for some contexts).
  • Path Component Missing: One of the directory components in the specified path does not exist.
  • Configuration Errors: During system startup, if critical boot files referenced in the Boot Configuration Data (BCD) are missing or the BCD itself is corrupted, this error can occur, preventing the system from booting.^{88, 89}
  • Dependency Failures: When loading a module (e.g., an EXE or DLL), if a statically linked dependent DLL cannot be found.
  • Third-Party Filter Driver Impact:
    • A file system minifilter could, in theory, hide a file or modify a path lookup in such a way that a file appears not to exist, though this is less common than explicit blocking with STATUS_ACCESS_DENIED.
    • A bug in a filter driver could corrupt directory metadata on disk, leading to files becoming "lost" or inaccessible.

  Triggering Conditions ("When"):

  • During file system operations such as opening (NtCreateFile, NtOpenFile), querying attributes, renaming, or deleting a file when the target file or a directory in its path does not exist.
  • During system boot if essential system files (e.g., kernel, HAL, boot drivers, BCD store) are missing or cannot be located.^{88, 89}
  • When an application attempts to load a DLL that is not present in the standard search paths or the application's directory.
  • When CreateProcess is called for an executable file that cannot be found.
  • Snippet Integration: ^{12, 88, 89}

• Error Code Value: 0xC0000010

  Symbolic Name: STATUS_INVALID_DEVICE_REQUEST

  Originating Module/Component: Kernel Executive Subsystems (I/O Manager) / Device Drivers

  Associated Error Message Text(s): "{Invalid Device Request} The specified command or parameters are not valid for the device." (Message text may vary slightly or be generic like "The parameter is incorrect.")

  Detailed Causation ("Why"):

  • Invalid Parameters: An I/O control code (IOCTL) sent to a device driver is not recognized or supported by that driver. The parameters associated with the IOCTL (input/output buffer sizes, method codes) are incorrect or inconsistent with what the driver expects for that IOCTL.
  • Unsupported Operation: The requested operation (e.g., a specific FSCTL for a file system, or a specific IOCTL for a device) is not implemented or is not valid for the target file object or device state.
  • Driver State: The device driver is not in a state to process the request (e.g., device not started, being removed, or in a fault state).
  • File System Incompatibility: Attempting a file system control (FSCTL) operation on a file object that resides on a file system that does not support that specific FSCTL.
  • WDF Framework Handling: The Windows Driver Framework (WDF) might complete an IRP with this status if it receives an IRP with a major function code that it does not support by default and the driver has not registered a preprocessor callback for it.⁶⁸
  • Third-Party Filter Driver Impact:
    • A filter driver might incorrectly modify an IRP (e.g., changing the IOCTL code or parameters) before passing it to a lower driver, causing the lower driver to reject it with STATUS_INVALID_DEVICE_REQUEST.
    • A filter driver might itself handle certain IOCTLs and return this status if the incoming request is malformed from its perspective or if it decides to block it for policy reasons (though STATUS_ACCESS_DENIED might be more appropriate for policy blocks).
    • DFS referrals using IOCTLs can fail with this if there's an issue in the DFS process or with the target file system.⁹⁰

  Triggering Conditions ("When"):

  • When a user-mode application calls DeviceIoControl with an invalid IOCTL code or incorrect buffer parameters for the target device driver.
  • When a kernel-mode driver sends an IRP with an unsupported major function code or IOCTL/FSCTL to another driver.
  • If a KMDF driver receives an IRP for an operation like IRP_MJ_CREATE_NAMED_PIPE or IRP_MJ_FILE_SYSTEM_CONTROL and is not a filter driver and has no preprocessor callback registered; the framework completes it with this status.⁶⁸
  • During interactions with Distributed File System (DFS) if an IOCTL related to a DFS referral fails on the target server.⁹⁰
  • Disabling and re-enabling display adapters, then attempting to update drivers, can sometimes trigger this if the device state is inconsistent.⁹¹
  • Snippet Integration: ^{12, 68, 90, 91}

• Error Code Value: 0xC0000022

  Symbolic Name: STATUS_ACCESS_DENIED

  Originating Module/Component: Kernel Executive Subsystems (I/O Manager, Security Reference Monitor, Object Manager) / File System Drivers / Registry Filters / Network Filters

  Associated Error Message Text(s): "{Access Denied} A process has requested access to an object but has not been granted those access rights."

  Detailed Causation ("Why"):

  • Access Control/Permissions: The primary cause. The caller's security token (representing the user and their groups) lacks the necessary access rights as defined in the Discretionary Access Control List (DACL) of the target object (file, directory, registry key, device, named pipe, etc.) for the type of access being requested (e.g., read, write, delete, execute, synchronize).
  • Privileges: A required privilege (e.g., SeBackupPrivilege for certain backup operations, SeSecurityPrivilege for SACL access) is not present or not enabled in the caller's token.
  • Mandatory Integrity Control (MIC): A process running at a lower integrity level attempting to write to or modify an object labeled with a higher integrity level (e.g., a Low integrity process trying to write to a Medium integrity file).
  • Sharing Modes (Less Common): While STATUS_SHARING_VIOLATION is specific to file sharing conflicts, sometimes overly restrictive opens by one party can lead to subsequent access attempts failing with STATUS_ACCESS_DENIED if the desired access bits cannot be granted due to the existing open.
  • Object Type Specific Restrictions: Certain objects may have inherent restrictions (e.g., trying to open a process object for PROCESS_TERMINATE on a protected system process).
  • Third-Party Filter Driver Impact (CRITICAL):
    • Explicit Blocking by Security Software: File system minifilters (antivirus, EDR, DLP), registry filter drivers, and network filter drivers (WFP/NDIS, e.g., firewalls) are frequent sources of this error. They intercept operations and can complete them with STATUS_ACCESS_DENIED if the operation violates a defined security policy (e.g., an AV quarantining a file, a DLP tool preventing writing to a USB drive, an EDR blocking a suspicious process modification, a firewall blocking a network connection attempt that translates to this at a higher layer).^{60, 77, 78, 92, 93}
    • Filter Bugs or Conflicts: A bug in a filter driver might erroneously deny access, or conflicts between multiple layered filters could lead to an incorrect denial.

  Triggering Conditions ("When"):

  • Attempting to open, read, write, delete, execute, or query/set security on any securable kernel object without sufficient permissions.
  • During NtCreateFile for file/directory access, NtOpenKey/NtCreateKey for registry access, NtOpenProcess/NtOpenThread for process/thread access.
  • When a service attempts to start but its service account lacks permissions to its executable file, dependencies, or required resources.⁹³
  • When Kernel-EventTracing fails to start a logger session due to permission issues on log files or ETW provider registration.⁹²
  • A minifilter driver explicitly returning STATUS_ACCESS_DENIED in its pre-operation callback for an IRP.⁶⁰
  • Snippet Integration: ^{12, 60, 77, 78, 92, 93}

• Error Code Value: 0xC0000034

  Symbolic Name: STATUS_OBJECT_NAME_NOT_FOUND

  Originating Module/Component: Kernel Executive Subsystems (Object Manager)

  Associated Error Message Text(s): "The object name is not found."

  Detailed Causation ("Why"):

  • Object/Entity Non-existence: The specified named kernel object (e.g., device, symbolic link, event, mutex, semaphore, section, job, file, directory, registry key) does not exist in the Object Manager namespace or the relevant object directory (e.g., \Device, \KernelObjects, \??).
  • Invalid Parameters: The path or name provided for the object is syntactically incorrect, contains invalid characters, or is NULL.
  • Path Component Missing: For hierarchical object names (like file paths or registry paths), an intermediate component of the path does not exist.
  • Timing Issues: An attempt to open an object that has just been deleted by another thread/process or has not yet been created.
  • Configuration Errors (Boot): During system startup, if the Boot Configuration Data (BCD) is corrupted or refers to missing boot devices or files, the Object Manager may fail to find critical named objects required for the boot process, leading to this error or related errors like STATUS_NO_SUCH_DEVICE or STATUS_NO_SUCH_FILE.^{94, 95}
  • Networked File Systems (SMB Cache): When accessing files on a remote SMB share, the client-side SMB redirector (e.g., Mrxsmb20.sys) maintains a directory cache. If this cache is not updated correctly after a file is created on the server, a subsequent attempt to open that newly created file from the client might fail with STATUS_OBJECT_NAME_NOT_FOUND due to the stale cache entry.⁹⁶
  • Third-Party Filter Driver Impact:
    • File system or registry filter drivers could theoretically interfere with name lookup operations, for example, by modifying the name string being looked up or by incorrectly failing a name query.
    • More commonly, a filter might cause the object to be deleted or renamed unexpectedly, leading to subsequent "not found" errors.

  Triggering Conditions ("When"):

  • During calls to open or query kernel objects by name (e.g., NtOpenFile, NtOpenKey, NtOpenSymbolicLinkObject, NtOpenEvent) when the name is incorrect, the object does not exist, or an intermediate path component is missing.
  • When a driver attempts to open a device object by name (IoGetDeviceObjectPointer) and the name is misspelled or the device is not registered.
  • During system startup if critical named objects required for booting are missing or their paths are invalid in the BCD.^{94, 95}
  • When accessing files on an SMB share under specific caching race conditions, particularly after remote file creation.⁹⁶
  • Snippet Integration: ^{12, 94, 95, 96}

• Error Code Value: 0xC0000035

  Symbolic Name: STATUS_OBJECT_NAME_COLLISION

  Originating Module/Component: Kernel Executive Subsystems (Object Manager) / File System Drivers / Registry

  Associated Error Message Text(s): "{Object Exists} An attempt was made to create an object and the object name already exists."¹²

  Detailed Causation ("Why"):

  • Object/Entity Existence: An attempt was made to create a named kernel object (e.g., file, directory, registry key, symbolic link, event, mutex, semaphore, device) with a specific name, but an object with that same name already exists in the target directory or namespace.
  • Concurrency/Synchronization: A race condition where multiple threads or processes attempt to create an object with the same name simultaneously, and one succeeds while others get this error.
  • Software Bugs: An application or driver does not correctly check for the existence of an object before attempting to create it, or fails to clean up (delete) a named object from a previous instance or run.
  • File System Operations: When creating a file or directory using NtCreateFile with a CreateDisposition of FILE_CREATE (create if not exists, fail if exists), this status is returned if the file/directory already exists. This is then typically translated to ERROR_ALREADY_EXISTS in user mode.
  • Registry Operations: Similar to file systems, attempting to create a registry key with NtCreateKey when the key already exists and no "open if exists" disposition is specified.

  Triggering Conditions ("When"):

  • Calling object creation functions like NtCreateFile, NtCreateKey, IoCreateDevice, IoCreateSymbolicLink, NtCreateEvent with parameters that specify "create only" semantics, when an object of the same name already exists at the target location.
  • Commonly encountered by applications that use named mutexes or events for singleton behavior (ensuring only one instance runs) if a previous instance did not shut down cleanly and release the named object.
  • When an ETW (Event Tracing for Windows) logger (e.g., PerfDiag Logger) attempts to start a session with a name that is already in use by another active logger session.⁹⁷
  • In file system operations, attempting to create a directory (mkdir) that already exists can result in this error, especially in networked file system protocols like SMB if not handled by checking existence first.^98,99
  • Snippet Integration: ^{12, 97, 98, 99}

• Error Code Value: 0xC0000043

  Symbolic Name: STATUS_SHARING_VIOLATION

  Originating Module/Component: Kernel Executive Subsystems (I/O Manager) / File System Drivers

  Associated Error Message Text(s): "A file cannot be opened because the share access flags are incompatible."

  Detailed Causation ("Why"):

  • Access Control/Permissions (Sharing Modes): The primary cause. An attempt was made to open a file using NtCreateFile with DesiredAccess (e.g., GENERIC_READ, GENERIC_WRITE, DELETE) and/or ShareAccess (e.g., FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE) flags that conflict with how the file is already opened by another handle (which could be in the same process or a different process). For example, Process A opens file.txt with DesiredAccess = GENERIC_READ and ShareAccess = FILE_SHARE_READ. If Process B then attempts to open file.txt with DesiredAccess = GENERIC_WRITE, it will fail with STATUS_SHARING_VIOLATION because Process A did not specify FILE_SHARE_WRITE.
  • Handles Not Closed: A previous operation (or another currently running process/thread) opened the file but did not properly close its handle, leaving the file locked according to the share mode of that existing open. This includes handles to memory sections (NtCreateSection) that are backed by the file, as these also maintain a reference and enforce sharing.¹⁰⁰
  • File System Specifics: Certain file system behaviors can lead to this. For NTFS on older Windows versions (Windows 7/Server 2008 R2), opening a highly fragmented file with the IO_OPEN_PAGING_FILE flag, closing it, and then attempting to reopen it without this flag (or vice-versa) could result in STATUS_SHARING_VIOLATION due to issues with how the attribute list of the File Control Block (FCB) was handled.²⁰
  • Third-Party Filter Driver Impact:
    • File system filter drivers (e.g., antivirus scanners, backup agents, on-access encryption tools, EDR agents) often need to open files to perform their tasks. If such a filter opens a file with restrictive sharing flags (e.g., no sharing allowed while it scans) or holds the file handle for an extended period, it can cause subsequent open attempts by other applications or system components to fail with STATUS_SHARING_VIOLATION.
    • A filter driver might also incorrectly modify the sharing flags in an IRP_MJ_CREATE request or might itself attempt to open a file (e.g., in a post-cleanup callback to delete it) and encounter a sharing violation due to locks held by other components like the network redirector.⁶⁰
    • Security software can explicitly return this status to block an operation based on policy, though STATUS_ACCESS_DENIED is often more semantically correct for policy-based blocks.

  Triggering Conditions ("When"):

  • Calling NtCreateFile (or Win32 CreateFile) to open a file when another handle to the same file already exists with incompatible sharing modes specified in the ShareAccess parameter of the existing open(s) and the DesiredAccess and ShareAccess of the current request.
  • Common in scenarios with concurrent access to the same file by multiple applications, services, or even different threads within the same application if they open separate handles with conflicting sharing.
  • When a kernel driver attempts to open a file (e.g., ntdll.dll or notepad.exe as in ¹⁰⁰) for mapping, and a previous instance of the driver or another component still holds a conflicting handle or mapping.
  • A minifilter attempting to delete a file on a network share in a post-cleanup callback might encounter this if the file is still locked by the client-side redirector or the server, even if IO_IGNORE_SHARE_ACCESS_CHECK is used (as this flag may not be effective for network shares).⁶⁰
  • Snippet Integration: ^{12, 20, 60, 100}

• Error Code Value: 0xC000009A

  Symbolic Name: STATUS_INSUFFICIENT_RESOURCES

  Originating Module/Component: Kernel Executive Subsystems (Various: Memory Manager, I/O Manager, Object Manager, etc.) / Device Drivers

  Associated Error Message Text(s): "{Insufficient System Resources} Insufficient system resources exist to complete the API."

  Detailed Causation ("Why"):

  • Resource Scarcity (Kernel Memory Pools): This is a very common cause. Exhaustion of kernel-mode memory pools, particularly non-paged pool, but also paged pool or system Page Table Entries (PTEs). Drivers or system components may fail to allocate necessary memory for their operations.
  • Resource Scarcity (Other System Resources): Depletion of other critical system resources like system worker threads, IRPs, MDLs, lookaside list entries, or other internal data structures managed by kernel components.
  • Quota Limits: Exceeding system-wide or per-process/job quotas for certain resources (though STATUS_NO_MEMORY or STATUS_QUOTA_EXCEEDED might be more specific for memory quotas).
  • Driver Issues: Memory leaks in kernel-mode drivers are a primary culprit for pool exhaustion. Drivers making excessive or inefficient resource allocations can also lead to this.
  • Hardware Limitations: Insufficient physical RAM can exacerbate pool pressure, but this error usually points to exhaustion of specific kernel-managed resources rather than just general RAM shortage.
  • Configuration Issues: Misconfiguration of system parameters related to resource limits (rarely user-adjustable for these specific resources).
  • Third-Party Filter Driver Impact:
    • Filter drivers are a significant source if they leak kernel pool memory (non-paged or paged), IRPs, or other kernel resources.
    • Bugs in filter drivers causing excessive resource consumption (e.g., allocating large buffers per I/O without proper limits) can also trigger this.
    • Conflicts between filter drivers could lead to resource contention or leaks.
    • A filter driver might fail an operation by returning this status if it cannot allocate its own necessary internal resources to process an intercepted request.

  Triggering Conditions ("When"):

  • During any kernel-mode operation that requires allocation of finite system resources, such as memory from kernel pools (ExAllocatePoolWithTag), IRPs (IoAllocateIrp), MDLs (IoAllocateMdl), or other internal structures.
  • When loading or initializing drivers if they attempt to allocate significant resources and the system is already constrained (e.g., WdfDriverCreate failing if its small internal allocation fails or a subsequent call it makes fails due to resource issues⁹).
  • During high system load or after prolonged uptime if memory leaks in drivers have accumulated.
  • When the SMB server component encounters resource issues, it might return this status to SMB clients attempting file access.⁸
  • Can manifest as BSODs if critical kernel operations fail due to resource unavailability (e.g., KERNEL_MODE_HEAP_CORRUPTION or DRIVER_IRQL_NOT_LESS_OR_EQUAL if resource exhaustion leads to data corruption or invalid operations).
  • Snippet Integration: ^{8, 9, 12, 65}

• Error Code Value: 0xC0000185

  Symbolic Name: STATUS_IO_DEVICE_ERROR

  Originating Module/Component: Kernel Executive Subsystems (I/O Manager) / Device Drivers (especially disk/storage drivers)

  Associated Error Message Text(s): "{Device I/O Error} The I/O device reported an I/O error." (Message can be generic).

  Detailed Causation ("Why"):

  • Hardware/Device Issues: This is a primary cause. Malfunctioning hardware, such as a failing hard disk drive (HDD) or solid-state drive (SSD), bad sectors on the disk, faulty disk controller, loose or damaged data cables (SATA, NVMe), or problems with the storage device's firmware.
  • Driver Issues: Bugs in the storage device driver (e.g., Storport miniport, class driver) or lower-level bus drivers (e.g., SATA AHCI controller driver). The driver might be unable to communicate correctly with the hardware or might misinterpret hardware status.
  • Data Integrity/Corruption: Corruption of file system metadata or data on the storage device, making it unreadable or causing the device to report errors.
  • Power Issues: Insufficient or unstable power supply to the storage device.
  • Overheating: Storage device overheating, leading to erratic behavior or failure.
  • Configuration Errors: Incorrect BIOS/UEFI settings related to storage controllers (e.g., AHCI/RAID mode). Corrupted Boot Configuration Data (BCD) can lead to boot failures where the system attempts to read from a device that then reports an I/O error.^{101, 102}
  • Third-Party Filter Driver Impact:
    • Storage filter drivers (e.g., disk encryption software, some types of backup software that interact at a low level, or third-party storage utilities) could interfere with I/O operations.
    • A bug in a storage filter driver might corrupt I/O requests or misinterpret responses from the hardware/lower drivers, leading to this error being propagated upwards.
    • Filters might also cause excessive load or incompatible commands to be sent to the device.

  Triggering Conditions ("When"):

  • During any read or write operation to a storage device (HDD, SSD, USB drive, etc.) if the device itself or its controller reports an unrecoverable error.
  • When the system attempts to page data to/from the page file located on a faulty disk.
  • During system boot if critical boot files or the BCD cannot be read due to underlying device errors, often resulting in a BSOD or boot failure screen with error 0xc0000185.^{101, 102}
  • When formatting a disk or performing disk diagnostics if the hardware is failing.
  • Accessing files or launching applications whose data resides on a problematic storage device.
  • Snippet Integration: ^{12, 101, 102}

c. Object Manager (Ob)

• (Covered STATUS_OBJECT_NAME_NOT_FOUND and STATUS_OBJECT_NAME_COLLISION under I/O Manager as they often manifest in file/device contexts, but Ob is the ultimate source for named object management.)

• Error Code Value: 0xC000003A

  Symbolic Name: STATUS_OBJECT_PATH_NOT_FOUND

  Originating Module/Component: Kernel Executive Subsystems (Object Manager)

  Associated Error Message Text(s): "{Path Not Found} The path %hs does not exist."

  Detailed Causation ("Why"):

  • Object/Entity Non-existence: Similar to STATUS_OBJECT_NAME_NOT_FOUND, but specifically indicates that one of the intermediate directory components in a hierarchical object path does not exist. For example, in \DirectoryA\DirectoryB\ObjectName, if DirectoryA exists but DirectoryB does not, this error would be returned when trying to access ObjectName.
  • Invalid Parameters: The path string is malformed, or contains invalid characters specifically within a path component.
  • File System Context: For file system paths, this means a directory in the path leading to the target file or directory does not exist.
  • Registry Context: For registry paths, an intermediate key in the path to the target key or value does not exist.
  • Third-Party Filter Driver Impact:
    • A file system or registry filter driver could potentially hide an intermediate directory/key or modify a path lookup, causing a legitimate path to appear non-existent.
    • Bugs in filters could corrupt directory/key structures, leading to path components becoming inaccessible.

  Triggering Conditions ("When"):

  • During calls to open or create kernel objects using a full path when an intermediate component of that path is missing (e.g., NtCreateFile, NtOpenKey).
  • When an application attempts to access a file or registry key using a path where one of the parent directories/keys does not exist.
  • Can be returned by SMB server if a path component is not found during a remote file access operation.⁹⁹
  • Snippet Integration: [⁹⁶ (related context), ^{12, 99}]

d. Process and Thread Manager (Ps)

• Error Code Value: 0xC000000B

  Symbolic Name: STATUS_INVALID_CID

  Originating Module/Component: Kernel Executive Subsystems (Process Manager)

  Associated Error Message Text(s): "{Invalid Client ID} An invalid Client ID was specified."

  Detailed Causation ("Why"):

  • Invalid Parameters: An invalid or non-existent Process ID (PID) or Thread ID (TID) was supplied to a system service that operates on processes or threads (e.g., NtOpenProcess, NtOpenThread).
  • Object/Entity Non-existence: The process or thread identified by the supplied PID/TID no longer exists (e.g., it has terminated).
  • Timing Issues: A race condition where a PID/TID was valid when obtained, but the corresponding process/thread terminated before the API call using that ID was made.
  • Incorrect ID Type: Supplying a Thread ID where a Process ID was expected, or vice-versa, if the API is specific.

  Triggering Conditions ("When"):

  • Calling functions like PsLookupProcessByProcessId or PsLookupThreadByThreadId (kernel mode) or their user-mode equivalents (OpenProcess, OpenThread) with a PID/TID that is not currently active or is invalid.
  • When a driver's thread notification callback (PsSetCreateThreadNotifyRoutine) receives a TID for a thread that has already terminated, and then attempts to use PsLookupThreadByThreadId with that TID.^103,129
  • Snippet Integration: [¹⁰³, ¹²⁹, ¹²]

• Error Code Value: 0xC000004B

  Symbolic Name: STATUS_THREAD_IS_TERMINATING

  Originating Module/Component: Kernel Executive Subsystems (Process Manager)

  Associated Error Message Text(s): "{Thread Exiting} An attempt was made to operate on a thread that is exiting."

  Detailed Causation ("Why"):

  • Invalid State/Sequencing: An operation was attempted on a thread object (e.g., suspend, set context, query information) when that thread is already in the process of terminating.
  • Concurrency/Synchronization: Race condition where one thread initiates an operation on another thread just as the target thread begins its termination sequence.
  • Software Bugs: Attempting to manipulate a thread handle after the thread has exited but before the handle is closed, or attempting to revive/reuse a terminating thread.

  Triggering Conditions ("When"):

  • Calling functions like NtSuspendThread (PsSuspendThread in kernel) or NtSetContextThread on a thread that has already started its termination process (e.g., after PsTerminateSystemThread or after the thread function returns/calls ExitThread).¹⁰⁴
  • When a driver or application tries to interact with a thread that is being torn down as part of process termination.
  • Snippet Integration: [¹³⁰ (general context of thread issues), ^{12, 104}]

• Error Code Value: 0xC000010A

  Symbolic Name: STATUS_PROCESS_IS_TERMINATING

  Originating Module/Component: Kernel Executive Subsystems (Process Manager)

  Associated Error Message Text(s): "{Process Exiting} An attempt was made to operate on a process that is exiting."

  Detailed Causation ("Why"):

  • Invalid State/Sequencing: An operation was attempted on a process object (e.g., create thread in process, query process information, write process memory) when that process is already in its termination phase.
  • Concurrency/Synchronization: Race condition where one component attempts an operation on a process just as that process begins to terminate (e.g., due to ExitProcess, TerminateProcess, or all its threads exiting).
  • Software Bugs: Holding onto a process handle and attempting to use it after the process has started exiting.

  Triggering Conditions ("When"):

  • Calling functions like NtCreateThreadEx to create a thread in a process that is already terminating.
  • Attempting to open a handle to a process (NtOpenProcess) or perform operations like NtReadVirtualMemory or NtWriteVirtualMemory when the target process is shutting down.
  • When a debugger tries to attach to or inspect a process that is in the middle of exiting.
  • Snippet Integration: [¹², ¹²]

e. Configuration Manager (CM - Registry)

• Error Code Value: 0xC000014C

  Symbolic Name: STATUS_REGISTRY_CORRUPT

  Originating Module/Component: Kernel Executive Subsystems (Configuration Manager)

  Associated Error Message Text(s): "{Registry Corrupt} The structure of one of the files that contains Registry data is corrupt, or the image of the file in memory is corrupt, or the file could not be recovered because the alternate copy or log was absent or corrupt."

  Detailed Causation ("Why"):

  • Data Integrity/Corruption: Physical corruption of one or more registry hive files (e.g., SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT located in \System32\config) on disk. This can be caused by disk write errors during hive flushing, sudden power loss, or failing disk hardware.
  • Hardware/Device Issues: Failing hard drive, faulty disk controller, or unstable RAM that corrupts the in-memory image of a registry hive before it's written to disk.
  • Software Bugs: Extremely rare bugs in the Configuration Manager itself. More plausibly, poorly written software that interacts with the registry at a very low level (e.g., some disk utilities, or malware) could cause corruption.
  • Improper Shutdown: If the system is not shut down cleanly (e.g., hard reset), registry changes might not be fully committed to disk from transaction logs, or hives might be left in an inconsistent state.
  • BCD Corruption: While BCD issues often lead to boot file errors, severe BCD corruption affecting hive load parameters could contribute or be co-occurrent.^{105, 106}
  • Third-Party Filter Driver Impact: A registry filter driver that incorrectly modifies registry data structures in memory or interferes with the hive loading/flushing mechanisms could theoretically contribute to corruption, though this is less common than filters simply blocking access.

  Triggering Conditions ("When"):

  • Most commonly during system boot when the Configuration Manager attempts to load the core registry hives into memory. If critical hives like SYSTEM or SOFTWARE are corrupt, this often results in a BSOD or inability to boot.^{105, 106}
  • During runtime if an application or service attempts to access a specific part of a registry hive that is corrupted but was not detected or critical at boot time.
  • When attempting to load or unload a registry hive manually using functions like RegLoadKey or RegUnLoadKey.
  • After an unexpected system shutdown or power failure.¹⁰⁶
  • Snippet Integration: ^{12, 105, 106}

a. KERNEL32.DLL / KERNELBASE.DLL (Core File, Memory, Process/Thread APIs)

• Error Code Value: 0 (Decimal), 0x00000000 (Hex)

  Symbolic Name: ERROR_SUCCESS

  Originating Module/Component: Win32 API Sets (Various)

  Associated Error Message Text(s): "The operation completed successfully."

  Detailed Causation ("Why"):

  • Successful Operation: The API call completed without any errors.

  Triggering Conditions ("When"):

  • Returned by GetLastError() after a successful API call that is documented to set the last error to ERROR_SUCCESS on success, or if no error has occurred on the current thread since the last error-setting API call.
  • Many APIs do not explicitly set ERROR_SUCCESS; they only set an error code on failure. Thus, GetLastError() returning 0 might also mean the last API call succeeded but didn't clear a previous error, or no errorful API has been called. Always check an API's return value (e.g., non-NULL handle, non-zero success indicator) to determine success before calling GetLastError().
  • Snippet Integration: ⁷¹

• Error Code Value: 1 (Decimal), 0x00000001 (Hex)

  Symbolic Name: ERROR_INVALID_FUNCTION

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE)

  Associated Error Message Text(s): "Incorrect function."

  Detailed Causation ("Why"):

  • Unsupported Operation: The operating system or the specific device/object does not support the requested function or operation. This is a very generic error.
  • Driver Rejection: A device driver may reject an I/O request with an underlying NTSTATUS code that maps to this Win32 error if the request is not valid for the device.
  • Obsolete API: Calling an API function that is obsolete or not implemented on the current version of Windows.

  Triggering Conditions ("When"):

  • Attempting an operation that is fundamentally not supported by the target object or the OS version. For example, trying to call a DOS-era function that has no NT equivalent.
  • Sometimes occurs with DeviceIoControl if the IOCTL is completely unrecognized at a low level, or if a file system control (FSCTL) is sent to a device that is not a file system volume.
  • Snippet Integration: ⁷¹

• Error Code Value: 2 (Decimal), 0x00000002 (Hex)

  Symbolic Name: ERROR_FILE_NOT_FOUND

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE)

  Associated Error Message Text(s): "The system cannot find the file specified."

  Detailed Causation ("Why"):

  • Object/Entity Non-existence: The primary cause; the file or directory path specified in an API call (e.g., CreateFile, OpenFile, DeleteFile, GetFileAttributes, LoadLibrary) does not exist. This is the Win32 translation of NTSTATUS codes like STATUS_NO_SUCH_FILE or STATUS_OBJECT_NAME_NOT_FOUND.
  • Invalid Parameters: An incorrect or malformed path string, a misspelled file or directory name.
  • Working Directory Issues: If a relative path is used, it's resolved against the current working directory of the process, which might not be what the caller expects.
  • Dependency Failures: For LoadLibrary, if the specified DLL itself is found but one of its statically linked dependent DLLs is missing, this error (or ERROR_MOD_NOT_FOUND - 126) can occur.
  • Search Path Issues: For LoadLibrary or CreateProcess, if the executable/DLL is not in the application's directory, the current directory, system directories, or directories specified in the PATH environment variable.
  • Third-Party Filter Driver Impact: Indirectly. If a file system minifilter causes the underlying NtCreateFile (called by Win32 CreateFile) to fail with STATUS_NO_SUCH_FILE or STATUS_OBJECT_NAME_NOT_FOUND (e.g., by hiding a file or due to a bug corrupting path parsing), this will translate to ERROR_FILE_NOT_FOUND.

  Triggering Conditions ("When"):

  • Calling file I/O functions (CreateFile, GetFileAttributes, CopyFile, DeleteFile, etc.) with a path to a non-existent file or directory.
  • Attempting to load a DLL (LoadLibrary, LoadLibraryEx) that cannot be located.
  • Attempting to start a process (CreateProcess) where the specified executable file is not found.
  • Snippet Integration: ^{12, 71, 107}

• Error Code Value: 3 (Decimal), 0x00000003 (Hex)

  Symbolic Name: ERROR_PATH_NOT_FOUND

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE)

  Associated Error Message Text(s): "The system cannot find the path specified."

  Detailed Causation ("Why"):

  • Object/Entity Non-existence (Path Component): One or more directory components in the specified path do not exist. For example, in C:\Dir1\Dir2\file.txt, if C:\Dir1 exists but Dir2 does not, attempting to access file.txt will result in this error. This is the Win32 translation of STATUS_OBJECT_PATH_NOT_FOUND.
  • Invalid Drive: The drive letter specified in the path does not exist or is not currently accessible (e.g., a disconnected network drive or an unmounted removable drive).
  • Invalid Parameters: Malformed path string.
  • Network Path Issues: For UNC paths (\\Server\Share\Path), the server or share may be unavailable, or an intermediate directory in the remote path does not exist.
  • Third-Party Filter Driver Impact: Similar to ERROR_FILE_NOT_FOUND, a file system filter could theoretically hide an intermediate directory or interfere with path parsing, leading to this error.

  Triggering Conditions ("When"):

  • Calling file I/O functions or directory manipulation functions (CreateFile, CreateDirectory, SetCurrentDirectory, etc.) with a path where one of the parent directories does not exist.
  • Attempting to access a path on a drive that is not valid or not ready.
  • Snippet Integration: ^{71, 108}

• Error Code Value: 5 (Decimal), 0x00000005 (Hex)

  Symbolic Name: ERROR_ACCESS_DENIED

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE, ADVAPI32, etc.)

  Associated Error Message Text(s): "Access is denied."

  Detailed Causation ("Why"):

  • Access Control/Permissions: The most common cause. The caller (process/thread security context) lacks the necessary permissions defined by the ACLs on the target object (file, directory, registry key, named pipe, process, service, etc.) for the requested type of access (e.g., read, write, delete, execute, list contents). This is the Win32 translation of STATUS_ACCESS_DENIED.
  • File Attributes: Attempting to write to a file that has the read-only attribute set. Attempting to delete a directory that is not empty (though ERROR_DIR_NOT_EMPTY is more specific).
  • Integrity Levels (MIC): A process running at a lower integrity level attempting to modify an object labeled with a higher integrity level.
  • Privileges: A required privilege for the operation is not held or not enabled in the caller's token (e.g., trying to open certain system processes without debug privileges, or SCM operations without administrator rights).
  • Sharing Conflicts (Less Common): While ERROR_SHARING_VIOLATION is specific, sometimes an attempt to open a file with conflicting access flags when it's already open can result in ERROR_ACCESS_DENIED if the sharing mode doesn't allow even querying attributes.
  • Service Permissions: Attempting to start, stop, or configure a Windows service without sufficient privileges (often requires Administrator rights).¹⁰⁹
  • Third-Party Filter Driver Impact (CRITICAL):
    • Explicit Blocking by Security Software: File system minifilters (antivirus, EDR, DLP), registry filter drivers, or network filters (firewalls) are a very frequent source. These filters intercept the underlying kernel operation (e.g., NtCreateFile, NtOpenKey) and cause it to fail with STATUS_ACCESS_DENIED, which then translates to ERROR_ACCESS_DENIED in user mode. This happens if the operation violates a security policy (e.g., AV blocking an infected file, DLP preventing a write to a USB drive, EDR blocking a suspicious registry modification).^{60, 77, 78, 109, 110, 111, 112}
    • Filter Bugs or Conflicts: A bug in a filter might incorrectly deny access, or conflicts between multiple layered security filters could lead to an unintended denial.

  Triggering Conditions ("When"):

  • Attempting any operation on a securable object (file, directory, registry key, service, process, etc.) for which the caller's effective permissions are insufficient (e.g., CreateFile requesting write access to a file where the user only has read permission; OpenProcess with PROCESS_ALL_ACCESS on a protected system process; OpenService or StartService on a service requiring administrative rights when run as a standard user).
  • When a third-party filter driver (AV, EDR, DLP, firewall) intercepts and explicitly blocks the underlying kernel operation based on its security rules.
  • Trying to write to a read-only file or into a read-only directory.
  • Snippet Integration: ^{60, 71, 77, 78, 109, 110, 111, 112}

• Error Code Value: 6 (Decimal), 0x00000006 (Hex)

  Symbolic Name: ERROR_INVALID_HANDLE

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE, etc.)

  Associated Error Message Text(s): "The handle is invalid."

  Detailed Causation ("Why"):

  • Object/Entity Non-existence (Handle Context): The handle value supplied to an API function does not refer to a valid, open kernel object of the expected type. The object may have been closed, the handle value may have been corrupted, or it might never have been a valid handle. This is often the Win32 translation of STATUS_INVALID_HANDLE or STATUS_OBJECT_TYPE_MISMATCH.
  • Use After Close: Attempting to use a handle after it has been closed by CloseHandle (or a type-specific close function like RegCloseKey, FindClose).
  • Uninitialized Handle: Using a handle variable that was never initialized by a successful object creation or opening API call.
  • Handle Corruption: Memory corruption overwriting a valid handle variable with an invalid value.
  • Incorrect Handle Type: Passing a handle of one object type (e.g., a file handle) to an API expecting a handle of a different type (e.g., a process handle).
  • Cross-Process Handle Issues: Attempting to use a handle from one process in another process without proper duplication (DuplicateHandle). Handles are process-specific unless explicitly duplicated.
  • Driver Project Settings: In driver development, incorrect KMDF version settings in the project could lead to StartService failing with this error before DriverEntry is even reached, implying an issue with service/driver object creation or registration.¹¹³
  • Smart Card CSP Issues: In multithreaded applications using Microsoft Base Smart Card CSP, if calls releasing context precede other CryptoAPI calls using the transaction manager, this error can occur due to synchronization problems in BaseCSP under high load.¹¹⁴

  Triggering Conditions ("When"):

  • Calling any Win32 API function that takes a handle as a parameter (e.g., ReadFile, WriteFile, GetFileSize, SetEvent, WaitForSingleObject, RegQueryValueEx, GetProcessTimes) with a handle value that is not currently valid in the calling process's handle table or is not of the expected object type.
  • After closing a handle and then inadvertently trying to use it again.
  • In multithreaded scenarios, if one thread closes a handle while another thread is about to use it (a race condition).
  • When starting a service if the service control manager receives an invalid handle related to the service object, potentially due to driver misconfiguration.¹¹³
  • Snippet Integration: ^{71, 113, 114}

• Error Code Value: 8 (Decimal), 0x00000008 (Hex)

  Symbolic Name: ERROR_NOT_ENOUGH_MEMORY

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE, USER32, GDI32)

  Associated Error Message Text(s): "Not enough memory resources are available to process this command."⁷¹ or "Not enough storage is available to complete this operation."¹¹⁶

  Detailed Causation ("Why"):

  • Resource Scarcity (Virtual Memory): The process has exhausted its available virtual address space, or the system cannot satisfy a memory allocation request due to low system commit charge (RAM + page file). This is often the Win32 translation of STATUS_NO_MEMORY or STATUS_COMMITMENT_LIMIT.
  • Resource Scarcity (Heap): A specific heap (e.g., the process default heap, or a private heap created with HeapCreate) is fragmented or has insufficient free space for the requested allocation (HeapAlloc).
  • Resource Scarcity (User/GDI Objects): For UI-related operations, this error can occur if the per-process or system-wide limits for USER objects (windows, menus, cursors) or GDI objects (pens, brushes, DCs, bitmaps) are exhausted. This is often due to resource leaks in applications that create many UI elements without destroying them. The desktop heap for non-interactive window stations (services) is smaller by default and can be depleted, causing services that create UI elements (even hidden ones) to fail.¹¹⁵
  • Resource Scarcity (Kernel Pools - Indirectly): If kernel pool exhaustion (STATUS_INSUFFICIENT_RESOURCES) prevents the kernel from completing an operation required by a user-mode memory allocation (e.g., allocating page table entries), this can manifest as ERROR_NOT_ENOUGH_MEMORY in user mode.
  • Software Bugs: Memory leaks in the application itself, consuming virtual address space or heap space over time.
  • Atom Table Full: RegisterClass can fail with this error if the global atom table (used for class names, window messages) is full, though this is rare.¹¹⁶
  • Third-Party Filter Driver Impact: Indirectly. A filter driver leaking kernel pool can lead to overall system memory pressure, making user-mode allocations more likely to fail.

  Triggering Conditions ("When"):

  • During memory allocation calls like GlobalAlloc, LocalAlloc, HeapAlloc, VirtualAlloc, new in C++.
  • When creating USER or GDI objects (CreateWindowEx, CreatePen, CreateFont, etc.) if their respective resource limits are hit.
  • When RegisterClass or RegisterWindowMessage is called and system resources like the atom table are exhausted.¹¹⁶
  • When a Windows service running in a non-interactive session attempts to create UI objects and depletes its smaller desktop heap.¹¹⁵
  • During Windows Update or Backup if system resources are constrained, sometimes due to too many language packs installed or interference from security software.¹¹⁷
  • Snippet Integration: ^{71, 115, 116, 117}

• Error Code Value: 15 (Decimal), 0x0000000F (Hex)

  Symbolic Name: ERROR_INVALID_DRIVE

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE)

  Associated Error Message Text(s): "The system cannot find the drive specified."

  Detailed Causation ("Why"):

  • Object/Entity Non-existence: The drive letter specified in a path (e.g., "X:\path\file.txt") does not correspond to any currently valid local or mapped network drive.
  • Removable Media: The drive is a removable media drive (floppy, CD/DVD, USB) and no media is inserted, or the media is not formatted or recognized.
  • Network Drive Disconnected: The path refers to a mapped network drive that has been disconnected or the remote share is no longer available.
  • Hardware Issues: The physical drive itself has failed or is not properly connected/powered.

  Triggering Conditions ("When"):

  • Attempting to access a file or directory using a path that specifies a non-existent or unavailable drive letter (e.g., in CreateFile, SetCurrentDirectory, GetDiskFreeSpace).
  • When an application tries to enumerate drives or query information about a drive that is not valid.
  • Snippet Integration: ⁷¹

• Error Code Value: 19 (Decimal), 0x00000013 (Hex)

  Symbolic Name: ERROR_WRITE_PROTECT

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE)

  Associated Error Message Text(s): "The media is write protected."

  Detailed Causation ("Why"):

  • Hardware/Device Issues: An attempt was made to write to a storage medium that is physically write-protected (e.g., a floppy disk with the write-protect tab set, an SD card with the lock switch engaged, some USB drives with a write-protect switch).
  • Media Properties: The media itself is inherently read-only (e.g., a CD-ROM, DVD-ROM).
  • Driver/Controller Issues: In some cases, a disk driver or controller might erroneously report a write-protect status due to a bug or hardware problem.

  Triggering Conditions ("When"):

  • Calling file I/O functions that attempt to modify data (WriteFile, CreateFile with write access, DeleteFile, CreateDirectory) on a volume or file residing on write-protected media.
  • Attempting to format media that is write-protected.
  • Snippet Integration: ⁷¹

• Error Code Value: 32 (Decimal), 0x00000020 (Hex)

  Symbolic Name: ERROR_SHARING_VIOLATION

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE)

  Associated Error Message Text(s): "The process cannot access the file because it is being used by another process."

  Detailed Causation ("Why"):

  • Access Control/Permissions (Sharing Modes): The primary cause. An attempt was made to open a file with a dwDesiredAccess and/or dwShareMode in CreateFile that conflicts with how the file is already opened by another handle (in the same or a different process). For example, Process A opens a file for exclusive read (e.g., dwShareMode = 0 or dwShareMode = FILE_SHARE_READ but not FILE_SHARE_WRITE), and Process B then attempts to open it for write access. This is the Win32 translation of STATUS_SHARING_VIOLATION.
  • File Locked by System/Application: The operating system or another application has the file open in a way that prevents the requested type of access. Common examples include trying to delete an executable file while it is running, or trying to modify a document that is open in an application that locks it.
  • Third-Party Filter Driver Impact:
    • File system filter drivers (e.g., antivirus scanners inspecting a file, backup software reading it, EDR agents monitoring access, on-access encryption tools) often need to open files. If they open files with restrictive sharing modes (e.g., no sharing allowed during a scan) or hold file handles for extended periods, they can cause ERROR_SHARING_VIOLATION for other applications attempting to access the same file.
    • A filter driver might also incorrectly manage or modify sharing flags in an IRP_MJ_CREATE request, leading to unexpected sharing violations.
    • Security software might effectively cause a sharing violation by holding a file open while it decides whether to block access, sometimes leading to this error if another access attempt occurs concurrently.

  Triggering Conditions ("When"):

  • Calling CreateFile (or other file access APIs like OpenFile, DeleteFile, MoveFile) when the requested access and sharing disposition for the file conflicts with an existing open handle to that file.
  • Frequently occurs when one application attempts to write to or delete a file that is currently open (and locked against such operations) by another application (e.g., trying to delete an EXE while it's running, or a document open in Microsoft Word).
  • During software updates or installations if files to be replaced are in use by running processes.
  • When a file system filter driver has the file open with a conflicting share mode.
  • Snippet Integration: ^{20, 60, 71, 118, 119}

• Error Code Value: 33 (Decimal), 0x00000021 (Hex)

  Symbolic Name: ERROR_LOCK_VIOLATION

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE)

  Associated Error Message Text(s): "The process cannot access the file because another process has locked a portion of the file."

  Detailed Causation ("Why"):

  • Concurrency/Synchronization (File Locking): An attempt was made to access (read or write) a region of a file that has been locked by another process (or another handle within the same process) using LockFile or LockFileEx. File locking is a cooperative mechanism to prevent simultaneous modification of shared file regions.
  • Conflicting Lock Request: The current process tried to lock a region that overlaps with an existing lock held by another process, and the lock types are incompatible (e.g., both trying for an exclusive lock, or one holding an exclusive lock and another trying for a shared or exclusive lock).
  • Accessing a Locked Region: Attempting to read from or write to a byte range within a file that falls within a region currently locked by another handle with a conflicting lock mode.
  • Third-Party Filter Driver Impact: While less common for direct causation, a file system filter driver that itself uses file locking mechanisms (FSCTL_LOCK_VOLUME, FSCTL_UNLOCK_VOLUME, or byte-range locks via IRPs) could potentially create or exacerbate lock violation scenarios if its locking logic is flawed or interacts poorly with application-level locks. More likely, a filter might hold a file open in a way that prevents another process from acquiring a necessary lock.

  Triggering Conditions ("When"):

  • Calling ReadFile or WriteFile (or their Ex variants) on a file handle to access a region of the file that is currently locked by another process's handle.
  • Calling LockFile or LockFileEx to acquire a lock on a file region that is already locked incompatibly by another handle.
  • Common in database applications or other multi-user applications that use byte-range file locking to manage concurrent access to shared data files.
  • Snippet Integration: [^{131, 132} (general patch context, not specific error), ⁷¹]

• Error Code Value: 87 (Decimal), 0x00000057 (Hex)

  Symbolic Name: ERROR_INVALID_PARAMETER

  Originating Module/Component: Win32 API Sets (Various: KERNEL32/KERNELBASE, ADVAPI32, USER32, etc.)

  Associated Error Message Text(s): "The parameter is incorrect."

  Detailed Causation ("Why"):

  • Invalid Parameters: One or more arguments passed to a Win32 API function are invalid for that function. This could mean a value is out of the allowed range, a required pointer is NULL, a combination of flags is illegal, an enumeration value is undefined, or a string parameter is malformed. This is a very generic error indicating a programmatic mistake by the caller.
  • Object State: Attempting an operation on an object (e.g., file handle, process handle, window handle) that is not in a valid state for that operation, or the handle itself is valid but the operation is not appropriate for the object type or current state.
  • Pointer Issues: Passing a NULL pointer for a buffer that is required to be non-NULL, or a pointer to an invalid memory address.
  • Enumeration/Flag Values: Using undefined, obsolete, or mutually exclusive flag values in API calls that accept bitmask flags or enumerated types.
  • String Formatting: Incorrectly formatted strings, such as paths with invalid characters or incorrect termination.
  • Third-Party Filter Driver Impact: Unlikely to be directly *returned* by a Win32 API due to a filter. However, a filter driver could modify system state or data in such a way that an application subsequently makes an API call with parameters that *become* invalid due to the filter's actions. For example, if a filter renames a file unexpectedly, a subsequent attempt to open it with the old name (now an invalid parameter in that context) might fail differently than ERROR_FILE_NOT_FOUND.

  Triggering Conditions ("When"):

  • Calling almost any Win32 API function with arguments that do not meet the documented requirements for that function (e.g., invalid flags to CreateFile, a NULL pointer for a required output buffer in ReadFile, an invalid process ID to OpenProcess¹²⁰, an invalid service name to OpenService).
  • Occurs if Dr. Watson (error reporting) attempts to attach to a process that has already terminated, as the process ID parameter becomes invalid.¹²¹
  • When OpenProcess is called with a PID that is invalid (e.g., 0 for System Process, or a TID mistaken for a PID), or for a process owned by a different user/desktop/session under certain conditions where access denied isn't the primary failure mode.¹²⁰
  • Snippet Integration: ^{71, 120, 121}

• Error Code Value: 122 (Decimal), 0x0000007A (Hex)

  Symbolic Name: ERROR_INSUFFICIENT_BUFFER

  Originating Module/Component: Win32 API Sets (Various: KERNEL32/KERNELBASE, ADVAPI32, IPHLPAPI, etc.)

  Associated Error Message Text(s): "The data area passed to a system call is too small."

  Detailed Causation ("Why"):

  • Buffer Issues: An API function that writes data to a caller-provided buffer was given a buffer that is too small to hold the entire result. The API typically requires the caller to also pass the size of this buffer.
  • Variable-Length Data: Common with APIs that return variable-length information, such as lists of items (e.g., GetAdaptersAddresses, RegEnumKeyEx, NetShareEnum), strings, or complex structures whose size is not known in advance.
  • Incorrect Size Calculation: The caller underestimated the required buffer size.

  Triggering Conditions ("When"):

  • Calling a Win32 API function that is designed to return data in a caller-supplied buffer, where the provided buffer's size (passed as a parameter) is less than the size of the data the function needs to write.
  • Many APIs that can return this error also provide a mechanism to determine the required buffer size. Typically, the call will fail with ERROR_INSUFFICIENT_BUFFER, and an output parameter (often the same one used to pass the initial buffer size) will be updated with the size needed. The caller should then reallocate a buffer of at least this required size and call the API again.
  • Example APIs: GetUserName, GetComputerNameEx, GetTokenInformation, RegQueryValueEx, GetAdaptersAddresses¹²², LookupPrivilegeValue.
  • Snippet Integration: [^{122, 129} (NTSTATUS context, but conceptually related), ⁷¹]

• Error Code Value: 183 (Decimal), 0x000000B7 (Hex)

  Symbolic Name: ERROR_ALREADY_EXISTS

  Originating Module/Component: Win32 API Sets (KERNEL32/KERNELBASE)

  Associated Error Message Text(s): "Cannot create a file when that file already exists."

  Detailed Causation ("Why"):

  • Object/Entity Existence: An attempt was made to create an object (typically a file or directory, but also named kernel objects like mutexes, events, or semaphores) using a "create new" or "create only if not exists" disposition, but an object with the same name already exists. This is the Win32 translation of STATUS_OBJECT_NAME_COLLISION or similar NTSTATUS codes.
  • File Creation Disposition: Using CREATE_NEW as the dwCreationDisposition parameter in CreateFile when the specified file already exists.
  • Directory Creation: Using CreateDirectory when the directory path already exists.
  • Named Objects: Using CreateMutex, CreateEvent, CreateSemaphore with a name for an object that already exists in the system or session namespace.
  • Registry Key Creation: Using RegCreateKeyEx with certain options if the key already exists and overwrite is not permitted by the options.
  • Third-Party Filter Driver Impact: Unlikely to be a direct cause from a filter for this specific error. Filters might cause the *underlying* STATUS_OBJECT_NAME_COLLISION from the kernel if they interfere with name resolution or object creation in a way that makes the system think an object exists when the caller expects to create it anew. However, if a filter *blocks* creation, it's more likely to use ERROR_ACCESS_DENIED.

  Triggering Conditions ("When"):

  • Calling CreateFile with the CREATE_NEW flag for a file that already exists.
  • Calling CreateDirectory for a directory path that already exists.
  • Calling CreateMutex, CreateEvent, or CreateSemaphore with a specific name if an object with that name already exists and the intent was to create a new one.
  • When installing software or services if they attempt to create files, directories, or registry keys that were not cleaned up from a previous installation.
  • Can occur when starting Windows Process Activation Service (WAS) if it tries to use a file (e.g., for generated keys) that already exists from a previous, possibly failed, attempt.¹²³
  • NTLite or DISM operations failing to mount a WIM image if the temporary mount point or related files already exist due to an incomplete previous operation or interference from security software.¹²⁴
  • Snippet Integration: ^{71, 123, 124}