Is there a known way to force ProcMon v4.01 to avoid starting 'Boot Logging' at next boot after selecting Enable Boot Logging from the Options menu ?

Question

Is there a known way to force ProcMon v4.01 to avoid starting 'Boot Logging' at next boot after selecting Enable Boot Logging from the Options menu ?

SwimmeRM 1

In another question/answer I already created last week (pls see 'Any other way to solve ProcMon already known issue(s) when loading (or reloading) already previously saved filters ?' contents) I found out that after using ProcMon v3.83 on my Windows 7 SP1 x64 Ultimate PC (and probably after enabling 'Enable Advanced Output' in Options menu, or in Filter menu when using ProcMon v4.01, and/or also after confirming 'Enable Boot Logging' selection made from Options menu with [ OK ] and I'm almost sure that right before I temporarily switched enabled 'Generate thread profiling events' from 'Every second' (default setting) to 'Every 100 milliseconds' to then revert that setting back to its 'Every second' (same initial default setting)) and after that I also found I was even also able to properly start ProcMon v4.01 to overcome older v3.83 limitation to unsuccessfully re-load same filters I already saved on disk while using v3.83 (this was needed to continue an investigation I was doing after properly capturing events with v3.83 and saving filtered results on disk before I also made very wrong decision to 'Reset Filter' from Filter menu of v3.83).

All this happened last week after I was initially able to just load 'C:\Windows\system32\Drivers\PROCMON24.SYS' into memory while using v3.83 (also yesterday in System Event Log I found an Event ID 6 [Source: FilterManager] displayed message "Loading file system filter 'PROCMON24' (0.0, ‎2021‎-‎06‎-‎22T12:41:40.000000000Z) and registering with Filter Manage succeeded." also confirming this) and still having it in memory also continued with v4.01 (even if at that time I was initially unsure if v4.01 was still only using older v3.83 version because already loaded into memory), but then all this situation changed yesterday morning when I also found that after just selecting 'Enable Boot Logging' in v4.01 Options menu and then simply choosing [ Cancel ] then I could find same PROCMON24.SYS driver also saved into C:\Windows\system32\drivers folder but this time from its file properties I'm also sure that it's v4.01 version (during past days I always checked that it was never saved there and that driver only remained loaded into memory).

Because of my initial past attempts to load ProcMon v4.01 without previously using v3.83, I also know that current release wasn't loading and displaying error message "Unable to load Processor Monitor device driver: The specified procedure could not be found." (while in System Log a new related Event ID 26 [Source: Application Popup] saying "Application Popup: : ??\C:\Windows\system32\Drivers\PROCMON24.SYS cannot find ntoskrnl.exe KeInitializeSpinLock") was also added) because of such known missing API from Windows 7 SP1 x64 NTOSKRNL.EXE (and probably at least also KeAcquireSpinLockRaiseToDpc and KeReleaseSpinLock APIs I identified while using latest Process Explorer v17.06), so now main reason behind this question 'Is there a known way to force ProcMon v4.01 to avoid starting 'Boot Logging' at next boot after selecting Enable Boot Logging from the Options menu ?' is that I'd really like to try to find a way to force avoiding ProcMon v4.01 Boot Logging to remain unneedingly enabled, while also contemporarily avoid my OS to unsuccessfully start at next boot, since my very strong understanding is that trying such never before tested and totally unsupported configuration would very likely always fail, and so I'd really also like to ensure to avoid my OS to Blue Screen as much as possible.

Thus, many thanks to you all in advance for your attention (further replies with even more related ideas or suggestions will be welcome too).

Best Regards

Rob

2 answers

Your answer

Answer 1

P.S. Please note that due to urgency I had same day I created my own question above I decided to try to implement this workaround: simply rename C:\Windows\System32\drivers\PROCMON24.SYS as PROCMON24_.SYS_ while also hoping that it might have been enough to avoid Windows 7 SP1 x64 Ultimate to Blue Screen, and luckily enough it worked because 2 days later my OS became unstable and then for unclear reasons (even if I do have some ideas, i.e. I may have lowered too many services or apps Priority to Below Normal or even Background) it stopped working properly and after about 30 minutes it Blue Screened with a Stop 0x0000007a ***KERNEL_DATA_INPAGE_ERROR ***(0xfffff6fc500082b0, 0xffffffffc0000185, 0x00000000938da880, 0xfffff8a001056000) that later I also found reported as Event ID 1001 [Source: Error control] into System Event Log and that from its quick dump analysis I completed was found as "Probably caused by : memory_corruption ( nt!MiWaitForInPageComplete+63e )" just like another last previous Blue Screen I experienced on April 29 2025 (so I guess I'll need to be even much more careful while changing services or some other apps Priority to Below Normal or even Background). :-o :-s

But anyway, at least after that I was also able to verify that my extremely basic workaround indeed worked perfectly. So, I luckily avoided PROCMON24.SYS driver from ProcMon v4.01 to unsuccessfully try to load (and then also certainly Blue Screen because only built & supported for Windows 10) during my next unexpected reboot. 0:-)

Once more, many thanks to you all for your attention (further replies with even other related ideas or suggestions will still be welcomed too).

Best Regards

Rob

Answer 2

MotoX80 36,416

When I launch procmon, I see these registry entries being defined.

User's image

When I enable boot logging, I see additional values added so that the service starts at boot time.

User's image

Most sites say that to remove procmon you can just delete the driver.

del /ah C:\Windows\system32\Drivers\PROCMON24.SYS

If the driver is already loaded, then that will fail with an access denied error.

You can then delete the service, reboot, and then delete the procmon24.sys file.

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCMON24 /f

Deleting the service will also prevent boot logging from starting.

I did the testing on Win10 with procmon 3.91.

More info: https://superuser.com/questions/1346125/how-can-i-unload-the-process-monitor-driver-without-restarting/1559047#1559047

SwimmeRM 1 Reputation point

2025-06-02T14:08:25.17+00:00

Hi @MotoX80 ,

many thanks indeed for your update, as well as for sharing all your previous and precious more expert knowledge on ProcMon (and your past related investigations) & also for your idea and all additional test results you provided that indeed provided me a confirmation that even my simpler PROCMON24.SYS renaming approach as PROCMON24_.SYS_ was indeed already a valid solution.

Please however keep in mind that during all previous tests I did with v3.83 and latest/current v4.01 I never really enabled Boot Logging. I simply entered that menu and just confirmed on [ Cancel ] button and all that was indeed enough to let C:\Windows\System32\drivers\PROCMON24.SYS from v4.01 be written on disk.

Thanks to a nice & helpful contact I reached via Sysinternals Blog MS TechCommunity now I've been able to get ProcMon v3.86 which was latest official version fully supporting my Windows 7 SP1 x64 Ultimate client, and so once again I repeated same steps I also followed initially (temporarily let ProcMon capture some events to ensure its PROCMON24.SYS gets loaded into memory, then simply enter Options -> Enable Boot Logging but then once again simply confirm with [ Cancel ] to exit that dialog and then voilà (sorry for this frenchesism) once again PROCMON24.SYS got written on disk inside C:\Windows\System32\drivers folder, but this time was from v3.86, and so if still leaving it there (which I obviously avoided anyway) I'm sure it would have been a minor concern.

Now because from all that How can I unload the Process Monitor driver without restarting? discussion result is that so far ProcMon has been intentionally written without any real intent to ensure that its latest PROCMON24.SYS might be unloaded from memory, I can say that even my simpler file renaming solution would have been valid, but at least now, also thanks to your additional test results I'm sure that PROCMON24 (together with its PROCMON23 ancestor) registry entry is also lacking any proper additional details that would be involved and really needed if Boot Logging option would have been enabled, and so without such required parameters you evidenced with your test results, there's no way for that driver to be loaded and start at next reboot.

So here are all related screenshots confirming this evidence:

P.S. I'm also avoiding to also add more screenshots for HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCMON23

and HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCMON24 registry contents that also because not really referring to any existing device driver I'm also quite sure should not do any harm if left there anyway.

So many thanks indeed anyway for all your so kind help reference. 0:-)

Best Regards

Rob

Share via

Is there a known way to force ProcMon v4.01 to avoid starting 'Boot Logging' at next boot after selecting Enable Boot Logging from the Options menu ?

2 answers

Your answer