How can I unload the Process Monitor driver without restarting?
I sometimes use Process Monitor for debugging software, and also play games online. Some of these games use BattlEye anti-cheat software, which refuses to allow the game to run after Process Monitor has been started on the system, showing this in the log:
08:06:46: Starting BattlEye Service...
08:06:49: Launching game...
08:07:07: Disallowed driver: "\??\C:\Windows\system32\Drivers\PROCMON23.SYS". Please unload it or reboot your system.
The driver remains loaded after closing Process Monitor, and there doesn't appear to be an option to have it unload.
Several other questions have answers about unloading drivers using net stop or sc stop, but the ProcMon driver isn't a service, so this doesn't work. I've also tried looking in Device Manager and enabling 'Show hidden devices', but none of the entries appear related to ProcMon. I can't delete the driver file, as it's not actually present on the filesystem; ProcMon stores the file in its executable and extracts it as needed.
My question is not a duplicate of this question, which is about a similar issue where the driver persists after a reboot. My question is about unloading the driver without rebooting.
Standard drivers are services and you can indeed control them via net and sc. (For example, take a look at sc query beep – stopping the 'beep' driver is a common way to shut up the internal PC speaker.)
In earlier Process Monitor versions (probably pre-2.3, when it still had Windows XP support), it would install a "legacy" device driver that was visible via sc, Device Manager, etc.
Current versions of Process Monitor appear to remove the driver/service configuration from the registry immediately after starting the driver. You can see this by monitoring ProcMon with itself. It is possible to manually re-add the service, with type 2 (kernel FS driver), and it will immediately show up as already running.
However, the service will also report "NOT_STOPPABLE" and will refuse any stop attempts.
Additionally, PROCMON23 now registers itself as a filesystem minifilter driver through the Filter Manager (FltDrv). You can see it in the output of fltmc, but attempting to externally unload it also fails (possibly because the driver doesn't have the unload routine):
C:\WINDOWS\system32>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
PROCMON23                               0       385200         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
wcifs                                   1       189900         0
...

C:\WINDOWS\system32>fltmc unload PROCMON23
Unload failed with error: 0x801f0010
Do not detach the filter from the volume at this time.
Since the "official" CLI tool is unable to remove the filter from FltMgr, and FltMgr itself is a 'critical' driver that cannot be restarted without reboot, it would seem that there's no way to unload PROCMON23 or PROCMON24.
But the most interesting part: After doing the above checks with procmon 3.40, I found that the latest version on the website is 3.50 (which uses a newer PROCMON24 driver). Upon starting the new version, I was informed that an older version of the driver was already on the system and that I should reboot.
So if ProcMon itself cannot unload its own driver without requiring a reboot, I think you can safely assume that you won't be able to unload it either.
The problematic PROCMON23.SYS filter driver is installed by ProcMon when it is run. If the file C:\Windows\system32\Drivers\PROCMON23.SYS does not exist at the time, then ProcMon will write it. The PROCMON23.SYS file itself is included as a binary resource inside the executable of ProcMon.
You can list all running filter drivers by:
fltmc filters
and on my computer this gives:
As you can see, my version of Process Monitor is newer than yours (24 instead of 23).
Usually a filter driver can be uninstalled by a command such as:
Fltmc unload PROCMON24
However, in this case this gives in an elevated Command Prompt:
Unload error 0x801f0010 is the typical error for a mini-filter driver that has no unload routine.
Conclusion: PROCMON23.SYS and the later PROCMON24.SYS are badly programmed. The developer has not foreseen that anybody would ever wish to unload his driver and has not included the necessary routine in it. Therefore this driver cannot be unloaded.
The bad news for you is that a reboot is required to dispose of it, nothing else will do the job. Your only recourse is to complain to the developer.
In addition to the excellent answer by user1686, which concludes that there is no way to unload it, I'd like to add that a normal reboot on Windows 10 does not help either, because Windows 10 nowadays persists some memory and reloads it upon boot-up, so the driver ends up in memory even after a reboot.
To avoid that, reboot with this command run as admin:
shutdown /r /f /t 0
which will perform a proper reboot. Check by running fltmc as admin that the driver is no longer there.
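The fltmc checks in the answers above can be scripted. As an added example (not code from any of the answers or from Sysinternals), this Python snippet parses the table that fltmc prints and reports any PROCMON2x filter still registered, e.g. after Procmon.exe has exited or after the reboot suggested above. The sample listing is constructed from the output quoted in the first answer, and the PROCMON\d+ name pattern is an assumption.

```python
"""Parse `fltmc` (Filter Manager CLI) output and flag a resident ProcMon minifilter."""
import re

# Constructed sample, modelled on the fltmc listing quoted in the first answer.
FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
PROCMON23                               0       385200         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
wcifs                                   1       189900         0
"""

# Assumed naming scheme: the answers show PROCMON23 and PROCMON24.
PROCMON_FILTER = re.compile(r"^PROCMON\d+$", re.IGNORECASE)


def parse_fltmc(text):
    """Return a list of {name, instances, altitude, frame} dicts from fltmc's table."""
    filters = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly four columns; the header splits into six words,
        # the dashed rule into five, and blank or "..." lines into fewer.
        if len(parts) != 4 or parts[0].startswith("-"):
            continue
        name, instances, altitude, frame = parts
        if not (instances.isdigit() and frame.isdigit()):
            continue
        # Altitude stays a string: it is a fixed-point ordering key, not a number to sum.
        filters.append({"name": name, "instances": int(instances),
                        "altitude": altitude, "frame": int(frame)})
    return filters


def resident_procmon_filters(text):
    """Names of ProcMon filters present in the listing.

    A hit means the driver is still registered with Filter Manager even when it
    has zero instances, i.e. Process Monitor has been closed but the driver was
    never unloaded. An empty list after reboot confirms it is gone."""
    return [f["name"] for f in parse_fltmc(text) if PROCMON_FILTER.match(f["name"])]
```

On a live system, feed the function the text captured from an elevated `fltmc` (for example via subprocess) instead of the constructed sample.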