• Hello,

    I just started using Process Explorer and when I start the program, my anti-execution program alerts that PE is trying to delete a driver.

    Turning off my AE, Process Exp. seems to load a driver on startup and then deletes it?

    I haven't found a way around this and am just letting the driver remain in /system32/drivers. Process Exp. seems to work OK, unless I'm missing something?


    Tuesday, March 7, 2006 3:48 PM

All replies

  • Hi rjsys,
    You might have a peek here.
    Tuesday, March 7, 2006 6:17 PM
  • Hi, rjsys.

    procexp90.sys is the ProcessExplorer driver of P.E. v9.x and handle.exe v3.11.
    ProcessExplorer 10.x will use procexp100.sys. Cf. here e.g.

    And it is perfectly normal for P.E. and some other Sysinternals utilities to extract a temporary driver on startup, load it and use it.
    When the programme terminates normally, it will unload the driver and remove it from disk again.
    Seems that I was wrong about the point in time of deleting the temporary driver, see Namrehto's message below. If he is right, the driver gets deleted right after it has been loaded by the programme. Anyway, it will be gone.

    So you need not be worried about procexp90.sys.

    Tuesday, March 7, 2006 6:52 PM
  • AFAIK the temp driver file extracted into c:\windows\system32\drivers is actually deleted once it's been loaded (as opposed to waiting until the utility finally exits).
    Tuesday, March 7, 2006 7:37 PM
  • Thanks for the info. On first running, the executable and the driver were added to the white list which is why the driver is blocked from deleting, so it will just stay in the drivers directory until reboot. It doesn't seem to bother anything.

    Wednesday, March 8, 2006 12:23 PM
  • Thanks, Blackstone for that link!

    here.
    Wednesday, March 8, 2006 4:13 PM
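
Added example, not part of any post in this thread and not Sysinternals code: the replies say the temporary driver (procexp90.sys, or procexp100.sys for 10.x) is extracted to system32\drivers and, when deletion is blocked, stays there. This PowerShell script lists such leftover files with their hash, Authenticode signature status and signer, and shows whether a kernel driver entry still points at them. The `procexp*.sys` filter and the output field names are assumptions made for this example; `Get-FileHash` requires PowerShell 4 or later.

```powershell
# Added example: inspect Process Explorer driver files left in the drivers directory.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

# Kernel driver entries known to the Service Control Manager.
$registered = Get-CimInstance -ClassName Win32_SystemDriver

# 'procexp*.sys' is an assumed pattern covering procexp90.sys and procexp100.sys.
Get-ChildItem -Path $driversDir -Filter 'procexp*.sys' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

        # Match a registered driver whose image path ends in this file name.
        $svc = $registered |
            Where-Object { $_.PathName -like "*\$($file.Name)" } |
            Select-Object -First 1

        [pscustomobject]@{
            File        = $file.FullName
            Created     = $file.CreationTime
            SHA256      = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            SigStatus   = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            DriverState = if ($svc) { $svc.State } else { 'not registered' }
        }
    } | Format-List
```

A file that is unsigned, or whose signer is not the publisher you expect, deserves a closer look even when its name matches.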