"Process Monitor (Procmon) must be unloaded before continuing."

I got this error, presumably from Roblox’s anticheat, when trying to start Roblox a few days ago. After some investigation, the new anticheat seems to be detecting the PROCMON24.sys driver and refusing to start the game when it is present.

However, this is really annoying, because PROCMON24.sys cannot be unloaded without a reboot, meaning that even if someone uses Procmon for a legitimate reason and then closes it before starting Roblox, the driver will still be loaded and prevent the game from starting. The only way to fix it right now is to reboot the whole computer.

Roblox should probably unblacklist the driver so that it doesn’t require a reboot to play games again. I don’t particularly care if Procmon.exe is blacklisted, but PROCMON24.sys shouldn’t be.

5 Likes

I use Process Monitor, too

Have you tried using Task Manager to kill the process completely until you open it again?

1 Like

Unfortunately this didn’t work. Procmon loads a kernel driver when you run it; this is so that it can monitor the system calls made by other processes. The problem is that killing Procmon doesn’t unload the kernel driver. The kernel driver can’t be unloaded at all without a reboot. See here.

1 Like

Oh, I see. The Roblox app fortunately has a worse anticheat than the Roblox application from the website. If you are unbothered to restart your PC, you can always play Roblox from the Microsoft app.

1 Like

I think you’re talking about the UWP / Microsoft Store version of Roblox, which doesn’t have an anticheat at all yet. Presumably the UWP sandbox doesn’t allow for it, or maybe it’s still 32-bit or something.

2 Likes

I’m specifically using the version from the Microsoft Store, if that helps

It’s still up so you can still get it

1 Like

You can unload drivers by using “Process Hacker 2”.

I did that once to delete some drivers (it ended badly, I had to reinstall Windows, so watch out what drivers you are uninstalling!).

Nothing bad will happen if you unload some system driver; you can just reboot your PC and it’s probably gonna reload again (unless you deleted the driver).

1 Like

Not this one. This isn’t a device driver, this is a kernel driver. Kernel drivers can’t be unloaded unless they specify an unload routine, which this one doesn’t.

That’s what I’m trying to avoid.

2 Likes

This behavior is intentional. We don’t plan on changing it on our end.

I know it’s a hassle to reboot, but the issue is with the actual third party software. It does not allow the driver to gracefully be unloaded. I would reach out to the vendor for support.

1 Like

The “third party software” (that is actually published by Microsoft themselves) does not stop Roblox from running. It is entirely Roblox’s fault that it proactively checks for this driver and refuses to start. There is absolutely no reason that Process Monitor, of all things, should be blacklisted like this. It is entirely harmless.

4 Likes

Published by Microsoft or not, it’s still third party software and it’s their issue that their driver cannot be unloaded.

UWP will not be free of anticheat forever.

2 Likes

I agree that this was mildly annoying, particularly when Byfron first came out, but I still blame Microsoft here. They don’t seem to want to update their barely updated closed-source Sysinternals tools to add this feature, despite many requests over the years. I would suggest finding an alternative open-source program for this, which includes support for unloading the driver at runtime or, even better, doesn’t require the use of a driver at all.

One such tool would be zodiacon/ProcMonXv2 (Process Monitor X v2) on GitHub, but I’m sure there are others. I don’t expect this to change from Roblox’s end, and this is a thing in many other games’ anti-cheats. However, I don’t fully get the true justification for attempting to hide this data, because there are other ways to get this data from Windows without this or any other kernel driver that are literally built into Windows, like Event Tracing for Windows logs, which is what the project I linked uses.

4 Likes

It’s Roblox’s issue for refusing to start with this completely benign driver loaded. They should have included in their risk assessment that this driver ends up loaded for completely normal reasons on all sorts of developer machines and has absolutely nothing to do with any kind of cheating or exploitation.

That clearly must not be the case. I trust that they know what they’re doing. This DLL may be a very obvious flag from certain cheating software, reverse engineering efforts, or contain some other flagged signature, otherwise it wouldn’t be an issue.

2 Likes

We did include unsigned drivers in our risk assessment and deemed them too risky, especially because there are alternatives that are signed. Also, what responsible developer would load their machine with unsigned third-party software and run the risk of causing issues for their clientele?

2 Likes

Considering that the procmon driver is from Microsoft, signed or not, I would think it’s safe. It wasn’t originally. It was part of the Sysinternals tools then Microsoft acquired them some time ago.

You [Roblox] can’t actually tell if it is really from Microsoft (or really procmon) since it’s not signed.

Microsoft.

average microsoft moment

windows is so secure it has 100% virus market share :skull:

I actually ran into this error today.

I was surprised to see that popup since I had Procmon closed several hours ago and didn’t even open Roblox.

PROCMON24 would show up when you run fltmc in cmd.exe as Administrator, indicating that this filesystem minifilter thing was still loaded.

It’s really questionable if it does anything, since there’s no loaded Instances that were using it… :person_shrugging:

Unlike when I discovered some classic crashes where opening a folder similar to the ones that Visual Studio would generate, e.g. luau\out\build\x64-debug. If you’d have a Windows Explorer Folder named x64dbg, Roblox would close, but only if you focus on the Window, it’s a bit strange.

So I don’t know what 0 Instances of PROCMON24 mean security-wise :person_shrugging: but I didn’t even know that this was loaded, not sure if 0 Instances actually impact performance in any way in general.

You can’t unload it, at least not Procmon23 or Procmon24; you have to reboot, unfortunately. And that’s all you need to do. You only have to reboot.

You DON’T have to run any cmd or something to remove “drivers”, they’re not there, and I don’t think they’ll start up on their own.

It’s Procmon24’s fault that there’s no official manual way to unload it (with official I mean something like fltmc unload procmon24).

Procmon.exe /Terminate wouldn’t solve it either.

I do wish though that the Roblox error message would have mentioned the word “reboot” as well. Because you can’t unload it, and searching the Internet on how to strictly unload it can only lead to misleads.

You DON’T have to delete registry things either. Nor should one ever tamper with certain areas in the registry, because if you do, you will bluescreen and eventually are forced to re-install the Operating System.
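The fltmc check described in the posts above can be scripted. The following is an added example, not code from the thread or from any vendor: it parses `fltmc filters` output and reports whether a PROCMON minifilter is still registered, and whether it has any instances (an instance is an attachment to a volume, so 0 instances means the filter is loaded but attached to nothing). The sample output is constructed, and the function names `parse_fltmc` and `procmon_status` are hypothetical.

```python
import re
import subprocess
import sys

# Constructed sample of `fltmc filters` output (not captured from a real machine).
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
PROCMON24                               0       385200         0
WdFilter                                5       328010         0
FileInfo                                5       40500          0
"""

# name, instance count, altitude, frame; header, ruler and legacy rows do not match.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)$")


def parse_fltmc(text):
    """Return one dict per minifilter row in `fltmc filters` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, instances, altitude, frame = m.groups()
            rows.append({"name": name, "instances": int(instances),
                         "altitude": altitude, "frame": int(frame)})
    return rows


def procmon_status(text):
    """Classify the Procmon minifilter state: clear, loaded-idle or loaded-attached."""
    hits = [r for r in parse_fltmc(text) if r["name"].upper().startswith("PROCMON")]
    if not hits:
        return "clear", hits
    # 0 instances: registered with Filter Manager but attached to no volume.
    if all(r["instances"] == 0 for r in hits):
        return "loaded-idle", hits
    return "loaded-attached", hits


if __name__ == "__main__":
    # --live runs the real command (Windows, elevated prompt); default is the sample.
    if "--live" in sys.argv:
        text = subprocess.run(["fltmc", "filters"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_FLTMC
    state, hits = procmon_status(text)
    print(state, [(r["name"], r["instances"]) for r in hits])
    if state != "clear":
        print("Procmon minifilter still loaded; per the thread, only a reboot removes it.")
```
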