
I install an NT service and add info about the 'message.dll' file to the registry for EventLog:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\MyApp
EventMessageFile = C:\message.dll

I start the service and view the service's logging info messages in the EventLog viewer. Works fine.

Next, I uninstall the service and try to remove the message.dll file. Failed! I receive an 'Access deny' messagebox because this DLL is loaded.

My question: How can I properly remove/unload/uninstall message.dll in my case?

Thanks a lot, Dmitry

Dmitry

2 Answers

Do you stop your service before uninstalling it? Do you close the EventLog viewer before uninstalling your service? These are two typical errors which can result in message.dll staying in use.

If you still have the problem after all that, I would recommend using Process Explorer to find the process which holds the DLL in use. Ctrl + F or the menu "Find" / "Find Handle or DLL..." can be used to find processes using the DLL.

Oleg

The Windows Event Viewer holds the dll open for reading messages.

However, it's not the only thing that may be reading the Event Log. RMM software such as ConnectWise, Naverisk, etc. also monitors the event log, and can prevent your software from upgrading a locked EventMessageFile DLL file.

When third-party software is involved it's not feasible to just close MMC.exe as in the accepted answer.

I have found two workarounds for this:

  1. Stop using the EventMessageFile system and just use the built-in EventCreate.exe as the source instead

  2. Use the Restart Manager subsystem to aggressively restart the third-party RMM service, as discussed in Windows Event Viewer holds a lock on my EXE file

mappu
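
To see what still holds the message DLL before deleting or upgrading it, including services such as RMM agents, the Restart Manager API mentioned in the answer above can be queried directly. This is an added example, not code from either answerer; the `RmLock` class and `Holders` method are hypothetical names, and `C:\message.dll` is the path from the question.

```powershell
# Added example: ask Restart Manager which processes/services use a file.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME;

public static class RmLock {   // hypothetical helper name
    [StructLayout(LayoutKind.Sequential)]
    public struct RM_UNIQUE_PROCESS { public int dwProcessId; public FILETIME ProcessStartTime; }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct RM_PROCESS_INFO {
        public RM_UNIQUE_PROCESS Process;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] public string strAppName;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 64)]  public string strServiceShortName;
        public int ApplicationType; public uint AppStatus; public uint TSSessionId;
        [MarshalAs(UnmanagedType.Bool)] public bool bRestartable;
    }

    [DllImport("rstrtmgr.dll", CharSet = CharSet.Unicode)]
    static extern int RmStartSession(out uint handle, int flags, StringBuilder sessionKey);
    [DllImport("rstrtmgr.dll")]
    static extern int RmEndSession(uint handle);
    [DllImport("rstrtmgr.dll", CharSet = CharSet.Unicode)]
    static extern int RmRegisterResources(uint handle, uint nFiles, string[] files,
        uint nApps, RM_UNIQUE_PROCESS[] apps, uint nServices, string[] services);
    [DllImport("rstrtmgr.dll")]
    static extern int RmGetList(uint handle, out uint needed, ref uint count,
        [In, Out] RM_PROCESS_INFO[] apps, ref uint rebootReasons);

    // Returns every process or service Restart Manager reports as using the file.
    public static RM_PROCESS_INFO[] Holders(string path) {
        uint h, needed, count = 0, reasons = 0;
        if (RmStartSession(out h, 0, new StringBuilder(64)) != 0) throw new Exception("RmStartSession failed");
        try {
            if (RmRegisterResources(h, 1, new[] { path }, 0, null, 0, null) != 0) throw new Exception("RmRegisterResources failed");
            int rc = RmGetList(h, out needed, ref count, null, ref reasons);
            if (rc == 0) return new RM_PROCESS_INFO[0];                     // nothing is using the file
            if (rc != 234) throw new Exception("RmGetList failed: " + rc);  // 234 = ERROR_MORE_DATA
            var apps = new RM_PROCESS_INFO[needed]; count = needed;
            rc = RmGetList(h, out needed, ref count, apps, ref reasons);
            if (rc != 0) throw new Exception("RmGetList failed: " + rc);
            Array.Resize(ref apps, (int)count);
            return apps;
        } finally { RmEndSession(h); }
    }
}
'@
[RmLock]::Holders('C:\message.dll') |
    Select-Object @{n='PID';e={$_.Process.dwProcessId}}, strAppName, strServiceShortName, bRestartable
```

A non-empty `strServiceShortName` identifies a Windows service as the holder, which is the case the second workaround targets.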