procmon : fix “Another version of the Process Monitor driver is already loaded. A reboot is required to run this version” error

I unfortunately had multiple copies of procmon on my machine, and after running an older version of procmon, any attempt to run a newer version resulted in an error message saying “Another version of the Process Monitor driver is already loaded. A reboot is required to run this version”. I tried running procmon /terminate, to no avail.

The solution is simple. Navigate to the HKCU\SysInternals\Process Monitor registry key and delete the Process Monitor node (or delete all the keys and values under it). Before doing this, make sure procmon is not running; running the procmon /terminate command is a good way to do that. Restart the machine and you should be able to run the new version of procmon.
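The cleanup above as a script, added here as an example and not taken from the post or from Sysinternals. It assumes procmon.exe is on PATH (or that you pass its full path in $ProcmonPath) and that it runs from an elevated prompt so /terminate can unload the driver. The post names HKCU\SysInternals\Process Monitor; current Procmon builds keep their settings under HKCU\Software\Sysinternals\Process Monitor, so the script handles both, and it exports each key to a .reg file before deleting it so the change can be reverted with reg import.

```powershell
# Added example (not from the original post): stop Process Monitor cleanly,
# back up and remove its per-user settings key, then remind the user to reboot.
# Assumptions: $ProcmonPath resolves to procmon.exe; run from an elevated prompt.
param(
    [string]$ProcmonPath = 'procmon.exe',   # assumption: on PATH, or pass a full path
    [string]$BackupDir   = $env:TEMP        # where the .reg backups are written
)

$ErrorActionPreference = 'Stop'

# Registry locations to clean: the key named in the post plus the location
# current Procmon builds actually use.
$keys = @(
    'HKCU:\SysInternals\Process Monitor',
    'HKCU:\Software\Sysinternals\Process Monitor'
)

# 1. Make sure no Procmon instance is running; /terminate is what the post recommends.
if (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) {
    Write-Host 'Procmon is running; asking it to terminate...'
    & $ProcmonPath /terminate
    Start-Sleep -Seconds 3
}
if (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) {
    throw 'Procmon is still running; close it before touching the registry.'
}

# 2. Export each existing key to a timestamped .reg file, then delete the node.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regPath = $key -replace '^HKCU:\\', 'HKCU\'          # reg.exe syntax, no PS drive colon
    $fileTag = $regPath -replace '[\\ ]', '_'
    $backup  = Join-Path $BackupDir "procmon-settings-$stamp-$fileTag.reg"
    reg export "$regPath" "$backup" /y | Out-Null
    Write-Host "Backed up $regPath to $backup"
    Remove-Item -Path $key -Recurse -Force
    Write-Host "Deleted $regPath"
}

# 3. The stale driver is only released by the kernel at reboot.
Write-Host 'Reboot now (Restart-Computer) to unload the old Process Monitor driver.'
```

Deleting the node also discards saved filters, column layouts and the backing-file setting, which is why the script exports it first; restore with `reg import <backup>.reg` after the new version has started once.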

[Image: Registry Editor showing the Process Monitor key]

The error occurs because the procmon*.sys driver stays loaded in the OS kernel after you first run procmon.exe. This looks like a bug, because newer versions of procmon.exe don’t seem to do this. You can find out whether the driver is loaded by the kernel by running the procexp tool.

[Image: procexp lower pane showing PROCMON23.SYS loaded in the System process]

From the above image you can see that the PROCMON23.SYS driver is loaded by the System process. If you would like to check this in procexp, make sure you enable the lower pane by pressing Ctrl+L and set the lower pane to show DLLs with Ctrl+D. Alternatively, you can perform both of these operations from the View menu in procexp.
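The same check from the command line, added as an example that is not part of the original post: instead of inspecting the System process in procexp, query the kernel driver list and the Filter Manager. It assumes the driver's service name starts with PROCMON (the post shows PROCMON23.SYS; the numeric suffix varies by version) and that fltmc is run from an elevated prompt.

```powershell
# Added example (not from the original post): report whether a Process Monitor
# kernel driver (procmon*.sys) is currently loaded.
# Assumption: the driver service is named PROCMON<nn>, matching the post's PROCMON23.SYS.

function Get-ProcmonDriverState {
    # Win32_SystemDriver lists kernel driver services whether or not they are loaded;
    # State 'Running' / Started $true means the kernel currently holds the driver.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'PROCMON*' -or $_.PathName -like '*procmon*.sys' } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Name
                Path    = $_.PathName
                State   = $_.State
                Started = $_.Started
            }
        }
}

$state = Get-ProcmonDriverState
if (-not $state) {
    Write-Host 'No Process Monitor driver is registered; a new version should start normally.'
} else {
    $state | Format-Table -AutoSize
    if ($state | Where-Object { $_.Started }) {
        Write-Host 'A Procmon driver is loaded in the kernel; a different version will refuse to start until you reboot.'
    }
}

# Cross-check with the Filter Manager (needs an elevated prompt): Procmon's driver
# registers as a file-system minifilter, so it is listed here while loaded.
fltmc filters 2>$null | Select-String -Pattern 'PROCMON'
```

If the first query shows the driver as Started and the `fltmc` line is present after procmon has exited, you are in exactly the state the post describes: the driver is pinned until reboot, and only the matching procmon version will run.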

Hope this helps!!!
