I am trying to load Process Monitor (Procmon.exe) from Sysinternals, and I get the following error on startup.
Unable to load Process Monitor device driver
In the Event Viewer, I get the following.
Driver PROCMON11.SYS has been blocked from loading.
What is blocking it from loading?
Background information: I have no anti-virus or malware checker software installed, other than Windows Defender (which I think is part of Windows 7).
It seems that most people on the web who had this problem, solved it by installing a newer version of procmon, or an older version if their's was the latest.
Here's a link for the older version:
https://web.archive.org/web/20190220013755/https://download.sysinternals.com/files/ProcessMonitor.zip
If you ran it successfully before and are having issues now, then most common issue is the procmonXX.sys driver inside of C:\Windows\System32\drivers is locked up by another process, specifically a zombie process of Process Monitor. It probably failed to cleanly exit last time and just got stuck. The solution is to open task manager and kill Process Monitor to solve the issue.
If you want to find out if this is the case, delete that driver file (Process Monitor automatically re-installs it when it runs). If it denies access because it's open in another process, that's definitely the issue. If it deletes it successfully, then it may have been corrupt and the next time you run Process Monitor it'll work by re-installing it.
The reason other solutions here work is because sometimes the filename of the driver will increment (it's at PROCMON24.SYS right now). When you install an older or newer version, it might not used the locked up driver file and install its own instead (depending on the driver version). Restarting your computer also works because all running processes are shut down.
Another potential cause for this error: running procmon.exe rather than procmon64a.exe on ARM64 Windows.
An action that worked for me was to restart the computer (powering it off in the process, if it matters).
Platform:
Evidently, Procmon requires the Workstation service running in order to start. It uses that service to enumerate something and will silently die without it.
This is not documented anywhere and is pretty bogus.
Similar question on Server Fault: https://serverfault.com/a/755869/175310
I was not aware that Procmon.exe even needed a "PROCMON11.SYS". I've been running Process Monitor as a standalone executable just fine. I searched my C drive for a procmon11.sys and it does not exist. Maybe it is packaged with the executable?
Viruses often try to prevent software from running that might alert someone to its presence. It sounds like a virus might be aware that you are trying to start Process Monitor and giving you this obscure error message to throw you off track.
Try installing the free version of AVG... or try installing Spybot Search and Destroy. If I'm right... the installation or update of those programs will probably fail.
Check out this answer.
Try running ProcMon as administrator (right-click ProcMon.exe and select "run as administrator").
By default, it'll pop the "Run as Administrator" dialog (probably triggered by trying to access a kernel-mode driver), but if you turned off UAC, you may not get that dialog, and th app would just fail in accessing the driver.
