Windows 10 Issue with procmon

PaulSp

I recently downloaded the procmon tool. I've noticed that after stopping it a subsequent attempt to run a privileged program gets an error dialog saying that a system monitor is running and to remove it. This prevents the privileged program execution. Rebooting cures the problem. The two times that I've run procmon, this has happened. Has anyone else seen this behavior?
 


Running procmon should have no impact on anything else running on the system.
 


Clearly some remnant of procmon has remained after its termination, else I wouldn't get the error that I did.
 


Never seen such an issue in 18 years, and I've used procmon as long as it's existed.
 


I will experiment a little further. It has occurred to me that perhaps I clicked the "X" to close it rather than using its "exit" function. This could possibly result in procmon not cleaning up as it should. I will post results after I try this.
 


Exit and clicking the X have the same result. Procmon consists of a single process and a driver; both unload when procmon is closed.
 


Ok, I ran procmon and then performed a File -> Exit. Then when I tried to run a privileged program I got the attached error.
 


Attachments

  • errordiaglog.webp
Ok. Another data point. I tried running a different program requesting privilege and didn't get the error dialog. So there must be something about the program itself (PokerTracker) that is generating this error. So unless you play poker, you're not likely to encounter this, I suspect. I will report this to the PokerTracker developers and see what they say.
 


Solution
Searching the internet has provided other users with similar problems. According to some reports, these tools load a "kernel mode driver" which remains after the program (in this case procmon) exits. WinLicense is apparently a tool used by some developers to manage their software distributions. It apparently detects this driver somehow. I'm not sure who should fix this.
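
The posts above disagree on whether Procmon's driver unloads when the program exits. One way to check on the affected machine, as an added example that is not part of the thread: the function name `Get-ProcmonRemnant` is hypothetical, and the `PROCMON*` name pattern for the driver is an assumption.

```powershell
# Added diagnostic, not from the thread. Run from an elevated PowerShell
# prompt after closing Process Monitor, before starting the program that
# shows the "system monitor" dialog.
function Get-ProcmonRemnant {
    [CmdletBinding()]
    param(
        # Assumption: the driver's service/filter name starts with "PROCMON".
        [string]$NamePattern = 'PROCMON*'
    )

    # 1. Is a Procmon user-mode process still alive?
    $procs = @(Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue)

    # 2. Is a matching kernel driver registered, and what state is it in?
    $drivers = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like $NamePattern })

    # 3. Is a matching file-system minifilter still loaded?
    #    fltmc.exe only lists filters when run elevated.
    $needle  = $NamePattern.Trim('*')
    $filters = @(& fltmc.exe filters 2>$null |
        Where-Object { $_ -like "*$needle*" })

    [pscustomobject]@{
        ProcessRunning = $procs.Count -gt 0
        DriverRunning  = [bool]($drivers | Where-Object { $_.State -eq 'Running' })
        FilterLoaded   = $filters.Count -gt 0
        Drivers        = $drivers | Select-Object Name, State, StartMode, PathName
        FilterLines    = $filters
    }
}

Get-ProcmonRemnant | Format-List
```

If `DriverRunning` or `FilterLoaded` is true while `ProcessRunning` is false, the driver outlived the Procmon process, which is the condition the reports in the post above describe.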
 


It's likely some anti-cheat or DRM mechanism. So the fix would be on the developer's end.
 


Yes. The PokerTracker folks say that it was done on purpose for "security" reasons. I fail to see what I could obtain from PokerTracker using procmon that would be a security problem.
 

