.kdfiles with ETW tracing causes STATUS_SHARING_VIOLATION

I assume it is because the xml registers the sys file as a provider, but even after doing a wevtutil um on the xml file, a disable/enable of the device in device manager results in a STATUS_SHARING_VIOLATION in windbg in response to the .kdfiles overwrite.

Prior to adding ETW tracing to the driver, the sys file copied over from the build machine OK.

Oh, and don't do a disable on the device and then do a wevtutil um, it results in a BSOD.

Anyway, an interesting bug; it means you need to do a reboot to get the new sys file on the machine.

Any chance you’re missing a call to EventUnregisterXxx in driver unload?

1 Like

Damn, you are right! It is often the obvious! :)

1 Like

Actually I was wrong, it is still happening:

KdPullRemoteFile(FFFFB70B3C8F3080): About to overwrite \SystemRoot\System32\drivers\xxxxxxx.sys and preallocate to 13740
KdPullRemoteFile(FFFFB70B3C8F3080): Return from ZwCreateFile with status c0000043

Doesn't matter if you do a wevtutil um on the xml either, the sys file is STATUS_SHARING_VIOLATION

Only happens with ETW

I just had this happen to me with a driver that has ETW…In my case it turned out I had Event Viewer opened and that’s what was holding the SYS file open.
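An added check, not posted by anyone in this thread, for narrowing down the sharing violation described above. It lists every registered ETW provider whose manifest records the driver binary as its message, resource or parameter file (the reason the .sys stays open once a consumer such as Event Viewer loads the provider metadata), and, if the Sysinternals handle.exe is on the PATH, shows which process currently holds the file. The driver path is an assumed placeholder; Get-WinEvent -ListProvider and handle.exe are real tools, but the wrapper script is my own.

```powershell
# Added example, not code from the thread. $DriverPath is a placeholder;
# point it at the driver that .kdfiles cannot overwrite.
param(
    [string]$DriverPath = "$env:SystemRoot\System32\drivers\xxxxxxx.sys"
)

$leaf = Split-Path -Leaf $DriverPath

# Get-WinEvent -ListProvider * enumerates all registered ETW/manifest providers.
# Each ProviderMetadata object exposes the file paths recorded by wevtutil im;
# providers with missing resources throw, so those errors are suppressed.
$referencing = Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue |
    Where-Object {
        @($_.MessageFilePath, $_.ResourceFilePath, $_.ParameterFilePath) |
            Where-Object { $_ -and ($_ -like "*$leaf") }
    }

if ($referencing) {
    Write-Host "Providers whose manifest still references ${leaf}:"
    $referencing |
        Select-Object Name, Id, MessageFilePath, ResourceFilePath, ParameterFilePath |
        Format-List
    Write-Host "Unregister with: wevtutil um <manifest.xml>, then close any"
    Write-Host "event consumer (Event Viewer / mmc.exe) that loaded the metadata."
} else {
    Write-Host "No registered provider references $leaf."
}

# Event Viewer runs inside mmc.exe; its presence is the usual culprit for the
# file being held open even after the manifest has been unregistered.
$mmc = Get-Process -Name mmc -ErrorAction SilentlyContinue
if ($mmc) {
    Write-Host "mmc.exe is running (PIDs: $($mmc.Id -join ', ')); check for Event Viewer."
}

# If Sysinternals handle.exe is available, ask it directly who holds the file.
# A partial name is accepted, so the leaf name is enough.
$handleTool = Get-Command handle.exe -ErrorAction SilentlyContinue
if ($handleTool) {
    & $handleTool.Source -accepteula -nobanner $leaf
} else {
    Write-Host "handle.exe not found; install Sysinternals Handle to list open handles."
}
```

Run it from an elevated PowerShell on the target (not the debugger host) before retrying the .kdfiles overwrite; once no provider references the file and no consumer holds it open, ZwCreateFile in KdPullRemoteFile should no longer return c0000043.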