If the error persists after reboot, the issue has moved beyond transient state and into persistent system corruption: a malformed registry entry, a locked system file, or security software overreach. At that point, methodical removal and reinstallation, as outlined above, will restore function.
handle64.exe -a WinDivert.sys (from Sysinternals) to see if any process has an open handle. Kill the offending process. sc stop WinDivert sc delete WinDivert Then delete the .sys file from C:\Windows\System32\drivers\ and reinstall. Step 4: Clear Pending Rename Operations (Advanced) WARNING : Incorrect editing can break Windows. If the error persists after reboot, the issue
In this zombie state, Windows refuses to load a new instance—even of the same version—because the kernel considers the driver name and service already "in use." Kill the offending process
Open regedit , navigate to: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager Look for a multi-string value named PendingFileRenameOperations . If it contains references to WinDivert.sys , you can delete the entire value (not the key). Reboot immediately after. Exclude the WinDivert installer and C:\Windows\System32\drivers\WinDivert.sys from real-time scanning. Install, then re-enable. When to Avoid Reboot (The Exception) In rare, time-sensitive scenarios—such as a live digital forensics capture or an uptime-critical server—a reboot might be impossible. In these cases, an alternative is to use a different packet capture driver (like the older NPF from WinPcap) or to run the application requiring WinDivert in a lightweight VM where you can freely reboot the guest OS. Neither is ideal, but both avoid breaking uptime. Conclusion The message "WinDivert driver cannot be installed. You must restart your computer" is Windows’ way of saying: “The state required to safely load this driver is corrupted or locked in the current session.” For most users, a single restart is the fastest, safest resolution—not a deferral of the problem, but a deliberate reset of the driver ecosystem. In this zombie state, Windows refuses to load
, clearing any orphaned references. 2. Pending File Rename Operations (The "PendingFileRenameOperations" Key) Many WinDivert installers, when upgrading, attempt to replace the existing WinDivert.sys file. Since the running kernel may have locked the old file, Windows instead schedules a replacement for the next boot using the PendingFileRenameOperations registry key (located under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ). This is a standard technique for updating in-use system files.
But when installation fails with the message, "WinDivert driver cannot be installed. You must restart your computer," progress grinds to a halt. To the uninitiated, this feels like a bureaucratic error—a digital version of "please turn it off and on again." However, the underlying reality is far more specific, rooted in Windows kernel security, file locking, and driver state management.