Security & Process Violation Errors
These errors are triggered when the GCIS system detects unauthorized, malicious, or policy-violating activity on the streaming rig.
Hex Error Codes
| Error Code | Name | Plugin | Example Trigger |
|---|---|---|---|
0x80030013 | NVST_DISCONN_SERVER_TERMINATED_INTENDED_UNAUTHORIZED_PROCESS | ElmPlugin | Executing PowerShell from System32 |
0x80030015 | NVST_DISCONN_SERVER_TERMINATED_INTENDED_MALICIOUS_PROCESS | ElmPlugin | Using certutil for downloading files |
0x80030017 | NVST_DISCONN_SERVER_TERMINATED_INTENDED_MINER_PROCESS | ElmPlugin | Visiting https://www.f2pool.com/ |
0x80030018 | NVST_DISCONN_SERVER_TERMINATED_CODE_INTEGRITY_VIOLATION | GciPlugin | Downloading procexp64.exe from Steam Big Picture |
0x80030019 | NVST_DISCONN_SERVER_TERMINATED_UNAUTHORIZED_ACTIVITY_DETECTED | UadMLPlugin | "Save with" window on Black Desert |
0x8003001A | NVST_DISCONN_SERVER_TERMINATED_INTENDED_UNKNOWN_PROCESS | ElmPlugin | Unknown/unrecognized process detected |
0x8003001B | NVST_DISCONN_SERVER_TERMINATED_BLOCKED_URL | GciPlugin | Accessing blocked website/domain |
0x8003001C | NVST_DISCONN_SERVER_TERMINATED_BLOCKED_FILE_DOWNLOAD | GciPlugin | Blocked file download attempt |
0x8003001D | NVST_DISCONN_SERVER_TERMINATED_REGISTRY_VIOLATION | GciPlugin | Unauthorized registry modification |
0x8003001E | NVST_DISCONN_SERVER_TERMINATED_DRIVER_LOAD_VIOLATION | GciPlugin | Unauthorized driver loading attempt |
SRC_ Equivalents
These are the internal session result codes that map to the hex codes above:
| SRC Code | Description |
|---|---|
SRC_UnauthorizedProcessViolation | Unauthorized process detected |
SRC_MaliciousProcessViolation | Malicious process detected |
SRC_MinerProcessViolation | Cryptocurrency miner detected |
SRC_CodeIntegrityViolation | Code integrity check failed |
SRC_UnauthorizedActivityDetected | Unauthorized activity (ML-detected) |
SRC_UnknownProcessViolation | Unknown/unrecognized process |
SRC_WindowFocusViolation | Window focus violation |
SRC_GssmSessionAnomalyDetected | GSSM session/plugin integrity anomaly detected |
How Detection Works
- ElmPlugin monitors process creation and checks against known-bad lists (PowerShell, certutil, miners)
- GciPlugin uses the GFNMON kernel driver for file integrity, registry, and driver load monitoring
- UadMLPlugin runs ML inference (LightGBM or SageMaker) on collected system metrics to detect anomalous behavior
When a violation is detected, the responsible plugin emits a SecurityTerminationInitiated event over the Bifrost message bus, which triggers session termination.