You might have to modify the syscall number (above 0x1C6, in negated form). Print from windbg with u ntdll!NtAccessCheckAndAuditAlarm. E.g. on Win 10 Pro it was 0x29 for me. Then calculated negated form (here as example for 0x29):
1
>>> i = 0 - 0x29
2
>>> hex (i & ((1 << 32) - 1))
3
'0xffffffd7'
Copied!
Mona can generate one aswell:
1
0:004> .load pykd.pyd
2
0:004> !py mona egg -wow64 -winver 10
3
...
Copied!
This one is kind of reliable as well (32 bit process on 64 bit system):