NtUnloadDriver - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTIOAPI_H

/**
 * The NtUnloadDriver function unloads a driver specified by the DriverServiceName parameter.
 * 
 * \param DriverServiceName A pointer to a UNICODE_STRING structure that specifies the name of the driver service to unload.
 * \return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtUnloadDriver(
    _In_ PCUNICODE_STRING DriverServiceName
    );

#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwUnloadDriver(
    _In_ PCUNICODE_STRING DriverServiceName
    );

#endif

View code on GitHub
// wdm.h

NTSYSAPI NTSTATUS ZwUnloadDriver(
  [in] PUNICODE_STRING DriverServiceName
);

View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-wdm-zwunloaddriver)

Description

The ZwUnloadDriver routine unloads a driver from the system. Use this routine with extreme caution (see the Remarks section below).

Parameters

DriverServiceName [in]

Pointer to a counted Unicode string that specifies a path to the driver's registry key, \Registry\Machine\System\CurrentControlSet\Services\, where DriverName is the name of the driver.

Return value

ZwUnloadDriver returns STATUS_SUCCESS or an error NTSTATUS value such as STATUS_INVALID_DEVICE_REQUEST.

If the driver specified in DriverServiceName has no DriverUnload callback routine set in its DRIVER_OBJECT structure, ZwUnloadDriver returns STATUS_INVALID_DEVICE_REQUEST.

Remarks

ZwUnloadDriver dynamically unloads a device or file system driver from the currently running system. It is not recommended that a driver call ZwUnloadDriver on itself.

A file system filter driver cannot safely be unloaded from a running system. Thus a filter should only use ZwUnloadDriver for debugging purposes. It should not call this routine in a retail version of the filter.

If DriverName is the name of a PnP device driver, ZwUnloadDriver returns STATUS_INVALID_DEVICE_REQUEST and does not unload the driver.

A minifilter should use FltUnloadFilter instead of ZwUnloadDriver to unload a supporting minifilter.

If the call to the ZwUnloadDriver function occurs in user mode, you should use the name "NtUnloadDriver" instead of "ZwUnloadDriver".

For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

FltUnloadFilter

RtlInitUnicodeString

UNICODE_STRING

Using Nt and Zw Versions of the Native System Services Routines

View the official Windows Driver Kit DDI reference

Edit description on GitHub

NTinternals.net (undocumented.ntinternals.net)

This function is documented in Windows Driver Kit.

DriverServiceName

Registry path in system format.

Requirements

Privilege: SeLoadDriverPrivilege

See also

Edit description on GitHub