How can I unload the Process Monitor driver without restarting?
I sometimes use Process Monitor for debugging software, and also play games online. Some of these games use BattlEye anti-cheat software, which refuses to allow the game to run after Process Monitor has been started on the system, showing this in the log:
08:06:46: Starting BattlEye Service...
08:06:49: Launching game...
08:07:07: Disallowed driver: "??C:Windowssystem32DriversPROCMON23.SYS". Please unload it or reboot your system.
The driver remains loaded after closing Process Monitor, and there doesn't appear to be an option to have it unload.
Several other questions have answers about unloading drivers using net stop or sc stop, but the ProcMon driver isn't a service, so this doesn't work. I've also tried looking in Device Manager and enabling 'Show hidden devices', but none of the entries appear related to ProcMon. I can't delete the driver file, as it's not actually present on the filesystem; ProcMon stores the file in its executable and extracts it as needed.
My question is not a duplicate of this question, which is about a similar issue where the driver persists after a reboot. My question is about unloading the driver without rebooting.
drivers process-monitor
asked Aug 4 '18 at 13:57
JamesJames
162212
add a comment |
I sometimes use Process Monitor for debugging software, and also play games online. Some of these games use BattlEye anti-cheat software, which refuses to allow the game to run after Process Monitor has been started on the system, showing this in the log:
08:06:46: Starting BattlEye Service...
08:06:49: Launching game...
08:07:07: Disallowed driver: "??C:Windowssystem32DriversPROCMON23.SYS". Please unload it or reboot your system.
The driver remains loaded after closing Process Monitor, and there doesn't appear to be an option to have it unload.
Several other questions have answers about unloading drivers using net stop or sc stop, but the ProcMon driver isn't a service, so this doesn't work. I've also tried looking in Device Manager and enabling 'Show hidden devices', but none of the entries appear related to ProcMon. I can't delete the driver file, as it's not actually present on the filesystem; ProcMon stores the file in its executable and extracts it as needed.
My question is not a duplicate of this question, which is about a similar issue where the driver persists after a reboot. My question is about unloading the driver without rebooting.
drivers process-monitor
asked Aug 4 '18 at 13:57
JamesJames
162212
add a comment |
I sometimes use Process Monitor for debugging software, and also play games online. Some of these games use BattlEye anti-cheat software, which refuses to allow the game to run after Process Monitor has been started on the system, showing this in the log:
08:06:46: Starting BattlEye Service...
08:06:49: Launching game...
08:07:07: Disallowed driver: "??C:Windowssystem32DriversPROCMON23.SYS". Please unload it or reboot your system.
The driver remains loaded after closing Process Monitor, and there doesn't appear to be an option to have it unload.
Several other questions have answers about unloading drivers using net stop or sc stop, but the ProcMon driver isn't a service, so this doesn't work. I've also tried looking in Device Manager and enabling 'Show hidden devices', but none of the entries appear related to ProcMon. I can't delete the driver file, as it's not actually present on the filesystem; ProcMon stores the file in its executable and extracts it as needed.
My question is not a duplicate of this question, which is about a similar issue where the driver persists after a reboot. My question is about unloading the driver without rebooting.
drivers process-monitor
asked Aug 4 '18 at 13:57
JamesJames
162212
I sometimes use Process Monitor for debugging software, and also play games online. Some of these games use BattlEye anti-cheat software, which refuses to allow the game to run after Process Monitor has been started on the system, showing this in the log:
08:06:46: Starting BattlEye Service...
08:06:49: Launching game...
08:07:07: Disallowed driver: "??C:Windowssystem32DriversPROCMON23.SYS". Please unload it or reboot your system.
The driver remains loaded after closing Process Monitor, and there doesn't appear to be an option to have it unload.
Several other questions have answers about unloading drivers using net stop or sc stop, but the ProcMon driver isn't a service, so this doesn't work. I've also tried looking in Device Manager and enabling 'Show hidden devices', but none of the entries appear related to ProcMon. I can't delete the driver file, as it's not actually present on the filesystem; ProcMon stores the file in its executable and extracts it as needed.
My question is not a duplicate of this question, which is about a similar issue where the driver persists after a reboot. My question is about unloading the driver without rebooting.
drivers process-monitor
drivers process-monitor
asked Aug 4 '18 at 13:57
JamesJames
162212
asked Aug 4 '18 at 13:57
JamesJames
162212
asked Aug 4 '18 at 13:57
JamesJames
162212
asked Aug 4 '18 at 13:57
JamesJames
162212
asked Aug 4 '18 at 13:57
JamesJames
162212
162212
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
Standard drivers are services and you can indeed control them via net and sc. (For example, take a look at sc query beep – stopping the 'beep' driver is a common way to shut up the internal PC speaker.)
In earlier Process Monitor versions (probably pre-2.3, when it still had Windows XP support), it would install a "legacy" device driver that was visible via sc, Device Manager, etc.
Current versions of Process Monitor appear to remove the driver/service configuration from registry immediately after starting the driver. You can see this by monitoring ProcMon with itself. It is possible to manually re-add the service, with type 2 (kernel FS driver) and it will immediately show up as already running.
However, the service will also report "NOT_STOPPABLE" and will refuse any stop attempts.
Additionally, PROCMON23 now registers itself as a filesystem minifilter driver through the Filter Manager (FltDrv). You can see it in the output of fltmc, but attempting to externally unload it also fails (possibly because the driver doesn't have the unload routine):
C:WINDOWSsystem32>fltmc
Filter Name Num Instances Altitude Frame
------------------------------ ------------- ------------ -----
PROCMON23 0 385200 0
WdFilter 4 328010 0
storqosflt 0 244000 0
wcifs 1 189900 0
...
C:WINDOWSsystem32>fltmc unload PROCMON23
Unload failed with error: 0x801f0010
Do not detach the filter from the volume at this time.
Since the "official" CLI tool is unable to remove the filter from FltMgr, and FltMgr itself is a 'critical' driver that cannot be restarted without reboot, it would seem that there's no way to unload PROCMON23 or PROCMON24.
But the most interesting part: After doing the above checks with procmon 3.40, I found that the latest version on the website is 3.50 (which uses a newer PROCMON24 driver). Upon starting the new version, I was informed that an older version of the driver was already on the system and that I should reboot.
So if ProcMon itself cannot unload its own driver without requiring a reboot, I think you can safely assume that you won't be able to unload it either.
answered Aug 4 '18 at 15:08
grawitygrawity
241k37508563
Given how much fruitless searching I've already done on this, this is looking more and more like the answer. However, I'm going to wait a while before accepting this, just in case someone knows of a way and happens to see this with no accepted answers and takes a look.
– James
Aug 4 '18 at 16:54
add a comment |
The problematic PROCMON23.SYS filter driver is installed by ProcMon when it is
run. If the file
C:Windowssystem32DriversPROCMON23.SYS
does not exist at the time, then ProcMon will write it.
The PROCMON23.SYS file itself is included as a binary resource inside the
executable of ProcMon.
You can list all running filter drivers by :
fltmc filters
and on my computer this gives :
As you can see, my version of Process Monitor is newer than yours (24 instead
of 23).
Usually a filter driver can be uninstalled by a command such as :
Fltmc unload PROCMON24
However, in this case this gives in an elevated Command Prompt :
Unload error 0x801f0010 is the typical error for a mini-filter driver that has no unload routine.
Conclusion : PROCMON23.SYS and the later PROCMON24.SYS are badly programmed.
The developer has not foreseen that anybody would ever wish to unload his
driver and has not included the necessary routine in it.
Therefore this driver cannot be unloaded.
The bad news for you is that a reboot is required to dispose of it, nothing else
will do the job. Your only recourse is to complain to the developer.
answered Aug 4 '18 at 14:27
harrymcharrymc
262k14271578
Like closing ProcMon normally, this doesn't work. The driver is still loaded according to Battleye and NirSoft's DriverView.
– James
Aug 4 '18 at 14:30
This closes bothProcmon.exeandProcmon64.exe. It seems like you have enabled Boot logging, so undo that and reboot.
– harrymc
Aug 4 '18 at 15:00
No, boot logging is not enabled. I double checked in a VM; downloading and running Process Monitor on a new system and closing it, either normally or with the /terminate flag, results in the driver not unloading.
– James
Aug 4 '18 at 15:07
Try this : Boot in Safe mode, uninstall Process Monitor, renameC:Windowssystem32DriversPROCMON23.SYSif still there then reboot. Does that get rid of it?
– harrymc
Aug 4 '18 at 15:42
It also seems you are not using the latest version.
– harrymc
Aug 4 '18 at 15:50
|
show 4 more comments
It would appear it hooks into the kernel, which you kind of need (the kernel) to keep from rebooting for other reasons (crashed PC).
Dependency Walker
This would explain why you have to reboot... it is the only way it will unhook from the kernel.
answered Nov 10 '18 at 1:05
LeptoidLeptoid
11
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1346125%2fhow-can-i-unload-the-process-monitor-driver-without-restarting%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Standard drivers are services and you can indeed control them via net and sc. (For example, take a look at sc query beep – stopping the 'beep' driver is a common way to shut up the internal PC speaker.)
In earlier Process Monitor versions (probably pre-2.3, when it still had Windows XP support), it would install a "legacy" device driver that was visible via sc, Device Manager, etc.
Current versions of Process Monitor appear to remove the driver/service configuration from registry immediately after starting the driver. You can see this by monitoring ProcMon with itself. It is possible to manually re-add the service, with type 2 (kernel FS driver) and it will immediately show up as already running.
However, the service will also report "NOT_STOPPABLE" and will refuse any stop attempts.
Additionally, PROCMON23 now registers itself as a filesystem minifilter driver through the Filter Manager (FltDrv). You can see it in the output of fltmc, but attempting to externally unload it also fails (possibly because the driver doesn't have the unload routine):
C:WINDOWSsystem32>fltmc
Filter Name Num Instances Altitude Frame
------------------------------ ------------- ------------ -----
PROCMON23 0 385200 0
WdFilter 4 328010 0
storqosflt 0 244000 0
wcifs 1 189900 0
...
C:WINDOWSsystem32>fltmc unload PROCMON23
Unload failed with error: 0x801f0010
Do not detach the filter from the volume at this time.
Since the "official" CLI tool is unable to remove the filter from FltMgr, and FltMgr itself is a 'critical' driver that cannot be restarted without reboot, it would seem that there's no way to unload PROCMON23 or PROCMON24.
But the most interesting part: After doing the above checks with procmon 3.40, I found that the latest version on the website is 3.50 (which uses a newer PROCMON24 driver). Upon starting the new version, I was informed that an older version of the driver was already on the system and that I should reboot.
So if ProcMon itself cannot unload its own driver without requiring a reboot, I think you can safely assume that you won't be able to unload it either.
answered Aug 4 '18 at 15:08
grawitygrawity
241k37508563
Given how much fruitless searching I've already done on this, this is looking more and more like the answer. However, I'm going to wait a while before accepting this, just in case someone knows of a way and happens to see this with no accepted answers and takes a look.
– James
Aug 4 '18 at 16:54
add a comment |
Standard drivers are services and you can indeed control them via net and sc. (For example, take a look at sc query beep – stopping the 'beep' driver is a common way to shut up the internal PC speaker.)
In earlier Process Monitor versions (probably pre-2.3, when it still had Windows XP support), it would install a "legacy" device driver that was visible via sc, Device Manager, etc.
Current versions of Process Monitor appear to remove the driver/service configuration from registry immediately after starting the driver. You can see this by monitoring ProcMon with itself. It is possible to manually re-add the service, with type 2 (kernel FS driver) and it will immediately show up as already running.
However, the service will also report "NOT_STOPPABLE" and will refuse any stop attempts.
Additionally, PROCMON23 now registers itself as a filesystem minifilter driver through the Filter Manager (FltDrv). You can see it in the output of fltmc, but attempting to externally unload it also fails (possibly because the driver doesn't have the unload routine):
C:WINDOWSsystem32>fltmc
Filter Name Num Instances Altitude Frame
------------------------------ ------------- ------------ -----
PROCMON23 0 385200 0
WdFilter 4 328010 0
storqosflt 0 244000 0
wcifs 1 189900 0
...
C:WINDOWSsystem32>fltmc unload PROCMON23
Unload failed with error: 0x801f0010
Do not detach the filter from the volume at this time.
Since the "official" CLI tool is unable to remove the filter from FltMgr, and FltMgr itself is a 'critical' driver that cannot be restarted without reboot, it would seem that there's no way to unload PROCMON23 or PROCMON24.
But the most interesting part: After doing the above checks with procmon 3.40, I found that the latest version on the website is 3.50 (which uses a newer PROCMON24 driver). Upon starting the new version, I was informed that an older version of the driver was already on the system and that I should reboot.
So if ProcMon itself cannot unload its own driver without requiring a reboot, I think you can safely assume that you won't be able to unload it either.
answered Aug 4 '18 at 15:08
grawitygrawity
241k37508563
Given how much fruitless searching I've already done on this, this is looking more and more like the answer. However, I'm going to wait a while before accepting this, just in case someone knows of a way and happens to see this with no accepted answers and takes a look.
– James
Aug 4 '18 at 16:54
add a comment |
Standard drivers are services and you can indeed control them via net and sc. (For example, take a look at sc query beep – stopping the 'beep' driver is a common way to shut up the internal PC speaker.)
In earlier Process Monitor versions (probably pre-2.3, when it still had Windows XP support), it would install a "legacy" device driver that was visible via sc, Device Manager, etc.
Current versions of Process Monitor appear to remove the driver/service configuration from registry immediately after starting the driver. You can see this by monitoring ProcMon with itself. It is possible to manually re-add the service, with type 2 (kernel FS driver) and it will immediately show up as already running.
However, the service will also report "NOT_STOPPABLE" and will refuse any stop attempts.
Additionally, PROCMON23 now registers itself as a filesystem minifilter driver through the Filter Manager (FltDrv). You can see it in the output of fltmc, but attempting to externally unload it also fails (possibly because the driver doesn't have the unload routine):
C:WINDOWSsystem32>fltmc
Filter Name Num Instances Altitude Frame
------------------------------ ------------- ------------ -----
PROCMON23 0 385200 0
WdFilter 4 328010 0
storqosflt 0 244000 0
wcifs 1 189900 0
...
C:WINDOWSsystem32>fltmc unload PROCMON23
Unload failed with error: 0x801f0010
Do not detach the filter from the volume at this time.
Since the "official" CLI tool is unable to remove the filter from FltMgr, and FltMgr itself is a 'critical' driver that cannot be restarted without reboot, it would seem that there's no way to unload PROCMON23 or PROCMON24.
But the most interesting part: After doing the above checks with procmon 3.40, I found that the latest version on the website is 3.50 (which uses a newer PROCMON24 driver). Upon starting the new version, I was informed that an older version of the driver was already on the system and that I should reboot.
So if ProcMon itself cannot unload its own driver without requiring a reboot, I think you can safely assume that you won't be able to unload it either.
answered Aug 4 '18 at 15:08
grawitygrawity
241k37508563
Standard drivers are services and you can indeed control them via net and sc. (For example, take a look at sc query beep – stopping the 'beep' driver is a common way to shut up the internal PC speaker.)
In earlier Process Monitor versions (probably pre-2.3, when it still had Windows XP support), it would install a "legacy" device driver that was visible via sc, Device Manager, etc.
Current versions of Process Monitor appear to remove the driver/service configuration from registry immediately after starting the driver. You can see this by monitoring ProcMon with itself. It is possible to manually re-add the service, with type 2 (kernel FS driver) and it will immediately show up as already running.
However, the service will also report "NOT_STOPPABLE" and will refuse any stop attempts.
Additionally, PROCMON23 now registers itself as a filesystem minifilter driver through the Filter Manager (FltDrv). You can see it in the output of fltmc, but attempting to externally unload it also fails (possibly because the driver doesn't have the unload routine):
C:WINDOWSsystem32>fltmc
Filter Name Num Instances Altitude Frame
------------------------------ ------------- ------------ -----
PROCMON23 0 385200 0
WdFilter 4 328010 0
storqosflt 0 244000 0
wcifs 1 189900 0
...
C:WINDOWSsystem32>fltmc unload PROCMON23
Unload failed with error: 0x801f0010
Do not detach the filter from the volume at this time.
Since the "official" CLI tool is unable to remove the filter from FltMgr, and FltMgr itself is a 'critical' driver that cannot be restarted without reboot, it would seem that there's no way to unload PROCMON23 or PROCMON24.
But the most interesting part: After doing the above checks with procmon 3.40, I found that the latest version on the website is 3.50 (which uses a newer PROCMON24 driver). Upon starting the new version, I was informed that an older version of the driver was already on the system and that I should reboot.
So if ProcMon itself cannot unload its own driver without requiring a reboot, I think you can safely assume that you won't be able to unload it either.
answered Aug 4 '18 at 15:08
grawitygrawity
241k37508563
answered Aug 4 '18 at 15:08
grawitygrawity
241k37508563
answered Aug 4 '18 at 15:08
grawitygrawity
241k37508563
answered Aug 4 '18 at 15:08
grawitygrawity
241k37508563
241k37508563
Given how much fruitless searching I've already done on this, this is looking more and more like the answer. However, I'm going to wait a while before accepting this, just in case someone knows of a way and happens to see this with no accepted answers and takes a look.
– James
Aug 4 '18 at 16:54
add a comment |
Given how much fruitless searching I've already done on this, this is looking more and more like the answer. However, I'm going to wait a while before accepting this, just in case someone knows of a way and happens to see this with no accepted answers and takes a look.
– James
Aug 4 '18 at 16:54
Given how much fruitless searching I've already done on this, this is looking more and more like the answer. However, I'm going to wait a while before accepting this, just in case someone knows of a way and happens to see this with no accepted answers and takes a look.
– James
Aug 4 '18 at 16:54
Given how much fruitless searching I've already done on this, this is looking more and more like the answer. However, I'm going to wait a while before accepting this, just in case someone knows of a way and happens to see this with no accepted answers and takes a look.
– James
Aug 4 '18 at 16:54
add a comment |
The problematic PROCMON23.SYS filter driver is installed by ProcMon when it is
run. If the file
C:Windowssystem32DriversPROCMON23.SYS
does not exist at the time, then ProcMon will write it.
The PROCMON23.SYS file itself is included as a binary resource inside the
executable of ProcMon.
You can list all running filter drivers by :
fltmc filters
and on my computer this gives :
As you can see, my version of Process Monitor is newer than yours (24 instead
of 23).
Usually a filter driver can be uninstalled by a command such as :
Fltmc unload PROCMON24
However, in this case this gives in an elevated Command Prompt :
Unload error 0x801f0010 is the typical error for a mini-filter driver that has no unload routine.
Conclusion : PROCMON23.SYS and the later PROCMON24.SYS are badly programmed.
The developer has not foreseen that anybody would ever wish to unload his
driver and has not included the necessary routine in it.
Therefore this driver cannot be unloaded.
The bad news for you is that a reboot is required to dispose of it, nothing else
will do the job. Your only recourse is to complain to the developer.
answered Aug 4 '18 at 14:27
harrymcharrymc
262k14271578
Like closing ProcMon normally, this doesn't work. The driver is still loaded according to Battleye and NirSoft's DriverView.
– James
Aug 4 '18 at 14:30
This closes bothProcmon.exeandProcmon64.exe. It seems like you have enabled Boot logging, so undo that and reboot.
– harrymc
Aug 4 '18 at 15:00
No, boot logging is not enabled. I double checked in a VM; downloading and running Process Monitor on a new system and closing it, either normally or with the /terminate flag, results in the driver not unloading.
– James
Aug 4 '18 at 15:07
Try this : Boot in Safe mode, uninstall Process Monitor, renameC:Windowssystem32DriversPROCMON23.SYSif still there then reboot. Does that get rid of it?
– harrymc
Aug 4 '18 at 15:42
It also seems you are not using the latest version.
– harrymc
Aug 4 '18 at 15:50
|
show 4 more comments
The problematic PROCMON23.SYS filter driver is installed by ProcMon when it is
run. If the file
C:Windowssystem32DriversPROCMON23.SYS
does not exist at the time, then ProcMon will write it.
The PROCMON23.SYS file itself is included as a binary resource inside the
executable of ProcMon.
You can list all running filter drivers by :
fltmc filters
and on my computer this gives :
As you can see, my version of Process Monitor is newer than yours (24 instead
of 23).
Usually a filter driver can be uninstalled by a command such as :
Fltmc unload PROCMON24
However, in this case this gives in an elevated Command Prompt :
Unload error 0x801f0010 is the typical error for a mini-filter driver that has no unload routine.
Conclusion : PROCMON23.SYS and the later PROCMON24.SYS are badly programmed.
The developer has not foreseen that anybody would ever wish to unload his
driver and has not included the necessary routine in it.
Therefore this driver cannot be unloaded.
The bad news for you is that a reboot is required to dispose of it, nothing else
will do the job. Your only recourse is to complain to the developer.
answered Aug 4 '18 at 14:27
harrymcharrymc
262k14271578
Like closing ProcMon normally, this doesn't work. The driver is still loaded according to Battleye and NirSoft's DriverView.
– James
Aug 4 '18 at 14:30
This closes bothProcmon.exeandProcmon64.exe. It seems like you have enabled Boot logging, so undo that and reboot.
– harrymc
Aug 4 '18 at 15:00
No, boot logging is not enabled. I double checked in a VM; downloading and running Process Monitor on a new system and closing it, either normally or with the /terminate flag, results in the driver not unloading.
– James
Aug 4 '18 at 15:07
Try this : Boot in Safe mode, uninstall Process Monitor, renameC:Windowssystem32DriversPROCMON23.SYSif still there then reboot. Does that get rid of it?
– harrymc
Aug 4 '18 at 15:42
It also seems you are not using the latest version.
– harrymc
Aug 4 '18 at 15:50
|
show 4 more comments
The problematic PROCMON23.SYS filter driver is installed by ProcMon when it is
run. If the file
C:Windowssystem32DriversPROCMON23.SYS
does not exist at the time, then ProcMon will write it.
The PROCMON23.SYS file itself is included as a binary resource inside the
executable of ProcMon.
You can list all running filter drivers by :
fltmc filters
and on my computer this gives :
As you can see, my version of Process Monitor is newer than yours (24 instead
of 23).
Usually a filter driver can be uninstalled by a command such as :
Fltmc unload PROCMON24
However, in this case this gives in an elevated Command Prompt :
Unload error 0x801f0010 is the typical error for a mini-filter driver that has no unload routine.
Conclusion : PROCMON23.SYS and the later PROCMON24.SYS are badly programmed.
The developer has not foreseen that anybody would ever wish to unload his
driver and has not included the necessary routine in it.
Therefore this driver cannot be unloaded.
The bad news for you is that a reboot is required to dispose of it, nothing else
will do the job. Your only recourse is to complain to the developer.
answered Aug 4 '18 at 14:27
harrymcharrymc
262k14271578
The problematic PROCMON23.SYS filter driver is installed by ProcMon when it is
run. If the file
C:Windowssystem32DriversPROCMON23.SYS
does not exist at the time, then ProcMon will write it.
The PROCMON23.SYS file itself is included as a binary resource inside the
executable of ProcMon.
You can list all running filter drivers by :
fltmc filters
and on my computer this gives :
As you can see, my version of Process Monitor is newer than yours (24 instead
of 23).
Usually a filter driver can be uninstalled by a command such as :
Fltmc unload PROCMON24
However, in this case this gives in an elevated Command Prompt :
Unload error 0x801f0010 is the typical error for a mini-filter driver that has no unload routine.
Conclusion : PROCMON23.SYS and the later PROCMON24.SYS are badly programmed.
The developer has not foreseen that anybody would ever wish to unload his
driver and has not included the necessary routine in it.
Therefore this driver cannot be unloaded.
The bad news for you is that a reboot is required to dispose of it, nothing else
will do the job. Your only recourse is to complain to the developer.
answered Aug 4 '18 at 14:27
harrymcharrymc
262k14271578
edited Aug 4 '18 at 18:14
answered Aug 4 '18 at 14:27
harrymcharrymc
262k14271578
answered Aug 4 '18 at 14:27
harrymcharrymc
262k14271578
answered Aug 4 '18 at 14:27
harrymcharrymc
262k14271578
262k14271578
Like closing ProcMon normally, this doesn't work. The driver is still loaded according to Battleye and NirSoft's DriverView.
– James
Aug 4 '18 at 14:30
This closes bothProcmon.exeandProcmon64.exe. It seems like you have enabled Boot logging, so undo that and reboot.
– harrymc
Aug 4 '18 at 15:00
No, boot logging is not enabled. I double checked in a VM; downloading and running Process Monitor on a new system and closing it, either normally or with the /terminate flag, results in the driver not unloading.
– James
Aug 4 '18 at 15:07
Try this : Boot in Safe mode, uninstall Process Monitor, renameC:Windowssystem32DriversPROCMON23.SYSif still there then reboot. Does that get rid of it?
– harrymc
Aug 4 '18 at 15:42
It also seems you are not using the latest version.
– harrymc
Aug 4 '18 at 15:50
|
show 4 more comments
Like closing ProcMon normally, this doesn't work. The driver is still loaded according to Battleye and NirSoft's DriverView.
– James
Aug 4 '18 at 14:30
This closes bothProcmon.exeandProcmon64.exe. It seems like you have enabled Boot logging, so undo that and reboot.
– harrymc
Aug 4 '18 at 15:00
No, boot logging is not enabled. I double checked in a VM; downloading and running Process Monitor on a new system and closing it, either normally or with the /terminate flag, results in the driver not unloading.
– James
Aug 4 '18 at 15:07
Try this : Boot in Safe mode, uninstall Process Monitor, renameC:Windowssystem32DriversPROCMON23.SYSif still there then reboot. Does that get rid of it?
– harrymc
Aug 4 '18 at 15:42
It also seems you are not using the latest version.
– harrymc
Aug 4 '18 at 15:50
Like closing ProcMon normally, this doesn't work. The driver is still loaded according to Battleye and NirSoft's DriverView.
– James
Aug 4 '18 at 14:30
Like closing ProcMon normally, this doesn't work. The driver is still loaded according to Battleye and NirSoft's DriverView.
– James
Aug 4 '18 at 14:30
This closes both
Procmon.exe and Procmon64.exe. It seems like you have enabled Boot logging, so undo that and reboot.– harrymc
Aug 4 '18 at 15:00
This closes both
Procmon.exe and Procmon64.exe. It seems like you have enabled Boot logging, so undo that and reboot.– harrymc
Aug 4 '18 at 15:00
No, boot logging is not enabled. I double checked in a VM; downloading and running Process Monitor on a new system and closing it, either normally or with the /terminate flag, results in the driver not unloading.
– James
Aug 4 '18 at 15:07
No, boot logging is not enabled. I double checked in a VM; downloading and running Process Monitor on a new system and closing it, either normally or with the /terminate flag, results in the driver not unloading.
– James
Aug 4 '18 at 15:07
Try this : Boot in Safe mode, uninstall Process Monitor, rename
C:Windowssystem32DriversPROCMON23.SYS if still there then reboot. Does that get rid of it?– harrymc
Aug 4 '18 at 15:42
Try this : Boot in Safe mode, uninstall Process Monitor, rename
C:Windowssystem32DriversPROCMON23.SYS if still there then reboot. Does that get rid of it?– harrymc
Aug 4 '18 at 15:42
It also seems you are not using the latest version.
– harrymc
Aug 4 '18 at 15:50
It also seems you are not using the latest version.
– harrymc
Aug 4 '18 at 15:50
|
show 4 more comments
It would appear it hooks into the kernel, which you kind of need (the kernel) to keep from rebooting for other reasons (crashed PC).
Dependency Walker
This would explain why you have to reboot... it is the only way it will unhook from the kernel.
answered Nov 10 '18 at 1:05
LeptoidLeptoid
11
add a comment |
It would appear it hooks into the kernel, which you kind of need (the kernel) to keep from rebooting for other reasons (crashed PC).
Dependency Walker
This would explain why you have to reboot... it is the only way it will unhook from the kernel.
answered Nov 10 '18 at 1:05
LeptoidLeptoid
11
add a comment |
It would appear it hooks into the kernel, which you kind of need (the kernel) to keep from rebooting for other reasons (crashed PC).
Dependency Walker
This would explain why you have to reboot... it is the only way it will unhook from the kernel.
answered Nov 10 '18 at 1:05
LeptoidLeptoid
11
It would appear it hooks into the kernel, which you kind of need (the kernel) to keep from rebooting for other reasons (crashed PC).
Dependency Walker
This would explain why you have to reboot... it is the only way it will unhook from the kernel.
answered Nov 10 '18 at 1:05
LeptoidLeptoid
11
answered Nov 10 '18 at 1:05
LeptoidLeptoid
11
answered Nov 10 '18 at 1:05
LeptoidLeptoid
11
answered Nov 10 '18 at 1:05
LeptoidLeptoid
11
11
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1346125%2fhow-can-i-unload-the-process-monitor-driver-without-restarting%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
