Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 86%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBR%3C/text%3E%3C/svg%3E)
Any help or suggestion is appreciated.
Process Monitor Error – Capture requires Administrators group membership
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 34%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECY%3C/text%3E%3C/svg%3E)
Chandler Yew
16
Reputation points
Hi,
Just would like to find out what will be the best way to allow ProcMon to run correctly without giving the Load an unload device drivers privilege via GPO?
It was found out last week that user with machine administrator right are getting error attached 
when running proc mon (the same error even trying to run procmon as administrator)
Any help or suggestion is appreciated.
Thanks.
Sysinternals
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 57.00000000000001%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Mueller, Stefan 0 Reputation points2025-12-09T13:56:17.2433333+00:00 Same here. Run as Administrator does not sort this issue.
Win11 24H2 Pro
Sign in to comment
2 answers
Sort by: Most helpful
-
-
RLWA32 51,536 Reputation points2025-12-10T22:51:59.26+00:00 @Mueller, Stefan, If you have access to run Sysinternals PsExec you may be able to work around the problem created when the "Load and unload device drivers" right is removed from the Administrators group.
The SYSTEM account has SeLoadDriverPrivilege and consequently is capable of successfully starting Process Monitor. I used PsExec to open a command prompt running as SYSTEM. From that comand prompt I started Process Monitor and it was able to capture events.
Another way would be to use the Task Scheduler to start an instance of Process Monitor running as SYSTEM. Since it will run in non-interactive session 0 specify the /Runtime command line argument to have it terminate after several seconds. After all, its only being used this way to load the PROCMON24.SYS driver
After either of the above workarounds I was able to start it as a user that is a Member of the Administrators group and capture events because the PROCMON24.SYS driver was already loaded.
Edit--
Finally, with come coding the Windows API can be used to have the SCM (Service Control Manager) load the PROCMON24.SYS driver.