What killed my process?

Hello, world!

We're often challenged with a process that exits unexpectedly, but this doesn't always equate to an application "crash".  Occasionally this behavior is caused by cross-process termination, where one process terminates another one.

Discovering the root cause of this behavior used to be just slightly less cumbersome than a barefoot walk to Mordor, but an easy solution called "Silent Process Exit Monitoring" exists in Windows 7/2008 R2 and later operating systems.

The Debugging Tools for Windows includes a GUI utility called GFLAGS.EXE that may be used to enable this monitoring with the following quick steps:

1) Run GFLAGS.EXE and select the Silent Process Exit tab.

2) Type the name of the process that is exiting unexpectedly.

3) Hit the TAB key on the keyboard to refresh the GUI.

4) Check the following boxes:

a. Enable Silent Process Exit Monitoring
This enables the feature and tracks silent process exits in the application event log.
(Event ID: 3001)

b. Enable Notification
This optionally creates a balloon popup with the same information in the event log.

c. Ignore Self Exits
This prevents superfluous logging when the application exits gracefully, such as when File / Exit is selected from a menu.

5) Click OK to save the change and exit the GFLAGS tool.

NOTE: The changes will take effect immediately for any new processes launched after the change.  A reboot is NOT required.

When another process forces termination of the monitored process, the offending process name is listed in the application event log and, if Enable Notification is selected, in a balloon popup.

The following is an example of the event log entry.

Source:        Microsoft-Windows-ProcessExitMonitor
Event ID:      3001
Level:         Information
Description: The process 'calc.exe' was terminated by the process 'I Hate Calculators.exe' with termination code 0.

Silent Process Exit may also be configured through the registry remotely if the machine is not accessible via the console or a remote desktop session.

Example:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe]
"IgnoreSelfExits"=dword:00000001

Note: Substitute the name of the process you want to monitor for CALC.EXE.
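
The same two registry values and the Event ID 3001 lookup, scripted in PowerShell as an added example (not part of the original post): it ORs 0x200 into any existing GlobalFlag value instead of overwriting it as the .reg import does, then parses the event description into target, killer and termination code. The function names and the SERVER01 host are placeholders, and it assumes PowerShell remoting and remote event log access to the target machine.

```powershell
# Added example; function names are illustrative. Assumes WinRM remoting and
# remote event log access on the target, and an account with admin rights there.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Spe  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

function Enable-SilentExitMonitor {
    param([Parameter(Mandatory)][string]$ImageName,
          [Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $ImageName, $Ifeo, $Spe -ScriptBlock {
        param($Image, $IfeoRoot, $SpeRoot)
        $ifeoKey = Join-Path $IfeoRoot $Image
        $speKey  = Join-Path $SpeRoot  $Image
        foreach ($key in $ifeoKey, $speKey) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        }
        # OR in 0x200 so GlobalFlag bits already set for this image survive.
        $old = (Get-ItemProperty -Path $ifeoKey -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
        Set-ItemProperty -Path $ifeoKey -Name GlobalFlag -Value (([int]$old) -bor 0x200) -Type DWord
        Set-ItemProperty -Path $speKey -Name IgnoreSelfExits -Value 1 -Type DWord
    }
}

function Get-SilentExitEvent {
    param([Parameter(Mandatory)][string]$ImageName,
          [Parameter(Mandatory)][string]$ComputerName)
    # Message layout is assumed to match the sample event log entry in the post.
    $rx = "The process '(?<Target>.+?)' was terminated by the process '(?<Killer>.+?)' with termination code (?<Code>\d+)"
    $filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-ProcessExitMonitor'; Id = 3001 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match $rx -and $Matches.Target -eq $ImageName) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Target = $Matches.Target
                    Killer = $Matches.Killer
                    Code   = $Matches.Code
                }
            }
        }
}

# Constructed usage; SERVER01 is a placeholder host name.
# Enable-SilentExitMonitor -ImageName 'calc.exe' -ComputerName 'SERVER01'
# Get-SilentExitEvent      -ImageName 'calc.exe' -ComputerName 'SERVER01' | Format-Table -AutoSize
```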

More information on Silent Process Exit Monitoring is available on MSDN.

Keep this in your bag of tricks for the next time you run into this niche scenario.

- Aaron Maxwell