Suppose you have some service in services(d).exe on your CE device that is so critical that you don't anyone ever unloading it. This would be a paranoid play, since most users never mess around with loading and unloading services directly. But say that your service is doing something so critical to say the security of the device that even trusted applications shouldn't be able to unload it. Maybe something DRM-ish you wouldn't want anyone to hack around? In CE 5.0 and CE 6.0, there are mechanisms for your service to mark itself as non-unloadable.
In CE 5.0, your service can implement IOCTL_SERVICE_QUERY_CAN_DEINIT as described here.
In CE 6.0 and above, both your service and device drivers can be marked as non-unloadable by setting their "Flags"=
DEVFLAGS_NOUNLOAD (0x00000020). (EG HKLM\Services\<YourService>\Flags:REG_DWORD bit mask).
In general I'd recommend against doing this. You can protect your service from being accessed by untrusted application by DEVFLAGS_TRUSTEDCALLERONLY. Using the no-unload mechanisms block even trusted processes, which may have legitimate reasons for unloading your service, from doing so.
[Author: John Spaith]