Share via

procmon leaves something in place that anti hack software detects

Paul Moore 1 Reputation point
2021-10-17T00:39:41.973+00:00

I have licensed software that checks for hacking sw somehow. It got upset when it saw that procmon was running ('monitoring sw running'...) and shut down. When I shutdown procmon and restarted the app it still complained, I had to reboot. Seems like procmon leaves some trace of its monitoring lying around

Sysinternals
Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,171 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Klaude 30 Reputation points
    2024-05-01T15:53:30.4533333+00:00

    Process Monitor does not have a straightforward method to remove it completely off of your computer. You'll have to delete it manually via Registry Editor, but make sure to do it carefully because Reg Edit can really wreak havoc on your computer if you don't know what you're doing.

    Here's a step-by-step guide

    1. Check if Procmon is Running:

    • Open Command Prompt as Administrator.
    • Type fltmc and press Enter. If you see PROCMON24 or 23 on the list, it means it is still running on your computer.

    2. Access the Registry Editor:

    • Press Win + R to open the Run dialog.
    • Type regedit and press Enter.

    3. Navigate to the Procmon Key:

    • Inside Registry Editor, go to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMON24

    4. Delete the Procmon Key (Folder):

    • Right-click on the "PROCMON24" folder.
    • Select "Delete" from the context menu.

    5. Delete Procmon Driver File:

    • Open Command Prompt as Administrator.
    • Type del /ah C:\Windows\System32\drivers\PROCMON24.SYS and press Enter.

    6. Restart Your Computer:

    • After deleting the key and file, restart your computer to apply the changes.

    7. Confirm Removal:

    • Open Command Prompt as Administrator again.
    • Type fltmc to confirm that Procmon is no longer listed.

    Procmon24 should now be completely removed from your system!

    2 people found this answer helpful.
    0 comments
  2. jeffery wilkins 6 Reputation points
    2022-01-20T10:37:12.967+00:00

    there is $300 software called SAM Broadcaster made by SpacialAudio that will not run if you have procmon running even if you exit procmon the driver is still loaded into memory and wont unload

    0 comments
  3. Paul Moore 1 Reputation point
    2024-05-01T17:00:51.57+00:00

    thats not the issue. I can keep the anti hack software happy simply by stopping procmon and rebooting. The problem is that after running procmon I have to reboot, thats a pain

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.