I sometimes use Process Monitor for debugging software, and also play games online. Some of these games use BattlEye anti-cheat software, which refuses to allow the game to run after Process Monitor has been started on the system, showing this in the log:
08:06:46: Starting BattlEye Service...
08:06:49: Launching game...
08:07:07: Disallowed driver: "\??\C:\Windows\system32\Drivers\PROCMON23.SYS". Please unload it or reboot your system.
The driver remains loaded after closing Process Monitor, and there doesn't appear to be an option to have it unload.
Several other questions have answers about unloading drivers using net stop or sc stop, but the ProcMon driver isn't a service, so this doesn't work. I've also tried looking in Device Manager and enabling 'Show hidden devices', but none of the entries appear related to ProcMon. I can't delete the driver file, as it's not actually present on the filesystem; ProcMon stores the file in its executable and extracts it as needed.
My question is not a duplicate of this question, which is about a similar issue where the driver persists after a reboot. My question is about unloading the driver without rebooting.
del /ah C:\Windows\System32\drivers\PROCMON24.SYS