What killed my process?

Hello, world!

We're often challenged with a process that exits unexpectedly, but this doesn't always equate to an application "crash".  Occasionally this behavior is caused by cross-process termination, where one process terminates another one.

Discovering the root cause of this behavior used to be just slightly less cumbersome than a barefoot walk to Mordor, but an easy solution called "Silent Process Exit Monitoring" exists in Windows 7/2008R2 and later operating systems.

The Debugging Tools for Windows includes a GUI utility called GFLAGS.EXE that may be used to enable this monitoring with the following quick steps:

1) Run GFLAGS.EXE and select the Silent Process Exit tab.

2) Type the name of the process that is exiting unexpectedly.

3) Hit the TAB key on the keyboard to refresh the GUI.

4) Check the following boxes:

a. Enable Silent Process Exit Monitoring
This enables the feature and tracks silent process exits in the application event log.
(Event ID: 3001)

b. Enable Notification
This optionally creates a balloon popup with the same information in the event log.

c. Ignore Self Exits
This prevents superfluous logging when the application exits gracefully, such as when File / Exit is selected from a menu.

5) Click OK to save the change and exit the GFLAGS tool.

NOTE: The changes will take effect immediately for any new processes launched after the change.  A reboot is NOT required.


When another process forces termination of the monitored process, the offending process name is listed in a balloon popup and in the application event log (if this option is selected).

 


 

The following is an example of the event log entry.

Source:        Microsoft-Windows-ProcessExitMonitor
Event ID:      3001
Level:         Information
Description: The process 'calc.exe' was terminated by the process 'I Hate Calculators.exe' with termination code 0.

Silent Process Exit may also be configured through the registry remotely if the machine is not accessible via the console or a remote desktop session.

Example:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe]
"IgnoreSelfExits"=dword:00000001

Note: Substitute the name of the process you want to monitor for CALC.EXE.
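
The same two registry values applied from PowerShell, as an added example that is not part of the original post: it ORs 0x200 into any GlobalFlag value already present instead of overwriting it the way the .reg import does, then reads back Event ID 3001. The function names are hypothetical, and the regular expression assumes the description format of the sample event shown above.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Run from an elevated PowerShell session on the machine to be monitored.
$IfeoRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SpeRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$MonitorFlag = 0x200   # the GlobalFlag value used in the .reg example above

function Enable-SilentExitMonitor {
    param([Parameter(Mandatory = $true)][string]$ImageName)
    $ifeoKey = Join-Path $IfeoRoot $ImageName
    $speKey  = Join-Path $SpeRoot  $ImageName
    foreach ($key in $ifeoKey, $speKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Keep any flags already configured for this image and only add 0x200.
    $existing = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).GlobalFlag
    $flags    = [int]$existing -bor $MonitorFlag
    New-ItemProperty -Path $ifeoKey -Name GlobalFlag -Value $flags -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $speKey -Name IgnoreSelfExits -Value 1 -PropertyType DWord -Force | Out-Null
    '{0}: GlobalFlag=0x{1:X8}, IgnoreSelfExits=1' -f $ImageName, $flags
}

function Get-SilentExitEvent {
    param([string]$ImageName = '*')
    # Pattern follows the description in the sample 3001 entry shown above.
    $pattern = "The process '(?<victim>.+?)' was terminated by the process " +
               "'(?<source>.+?)' with termination code (?<code>-?\w+)"
    $filter  = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-ProcessExitMonitor'
        Id           = 3001
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Message -match $pattern -and $Matches['victim'] -like "*$ImageName") {
            New-Object PSObject -Property @{
                Time         = $_.TimeCreated
                Terminated   = $Matches['victim']
                TerminatedBy = $Matches['source']
                ExitCode     = $Matches['code']
            }
        }
    }
}

Enable-SilentExitMonitor -ImageName 'calc.exe'
Get-SilentExitEvent -ImageName 'calc.exe' |
    Format-Table Time, Terminated, TerminatedBy, ExitCode -AutoSize
```

As with the GFLAGS route, only processes launched after the values are written are monitored.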

More information on Silent Process Exit Monitoring is available on MSDN.

Keep this in your bag of tricks for the next time you run into this niche scenario.

- Aaron Maxwell

  • Amazing - gotta love obscure tools that have specific functions

  • It doesn't work for me.

    I have Windows 7 SP1 x64. Downloaded the Windows 8.1 version of the debug tools, but don't know which architecture I need: x64 because I run 64-bit Windows 7, or x86 because the app I want to silent-exit-monitor is a 32-bit application?
    Anyway, as a test I created a rule for notepad.exe using 64-bit GFLAGS.EXE. I am a member of the local administrator group using my AD account, but I am not a domain admin. The registry keys were both created under Image File Execution and SilentProcessExit, I even allowed SelfExit notifications. Still I don't see anything in the application log at all!

    I have no idea what went wrong. Do I need debug program privileges from GPO, or what?

  • Anybody? Somebody?

  • @Richard Pasztor: x64 Debug Tools to debug x64 bit apps. x86 Debug Tools to debug x86 bit apps. As an ADMIN, you should have the correct perms. You might want to ping folks over at http://blogs.msdn.com/b/ntdebugging/.

  • @ Blake Morrison - MSFT
    Ok, if you suggest to use x86 gflags.exe for x86 apps: I have already tried that one as well, still without any success.

    As for forwarding me to NTDEBUG guys:
    0.) NTDEBUG blog doesn't reveal any of their contact address, they don't even have any "contact us" webform, they don't respond to emails as per: "http://blogs.msdn.com/b/ntdebugging/about.aspx"

    "We will not respond to direct emails to the blog, however we will use your emails as guidelines for possible content in the future."

    So if I don't convince 100-200 other people to spam from different email accounts to them with my issue, they will hardly respond.

    2.) I couldn't find any topic that is relevant to GFLAGS.exe and the "Silent process exit", or any other combination of this topic. If however I post my question in another topic comment section, I will purely be discarded as usual --> useless to try it

    3.) answers.microsoft.com / technet: I already tried them, it's made of voluntary members, either one of them becomes interested and will handle this question, or due to lack of interest nobody cares, and I will not get any reply in several years. --> not much use in trying there

    4.) MSDN should document if anything other than membership in the plain good old "normal users" group is needed for any such tool, and also document if any possible Group Policy setting can render the tools useless.
    So yet another team inside MS to contact, if I am lucky they feel voluntarily they are responsible for maintaining the documentation for this product, or if I am unlucky, they forward me to yet another different team. --> pingpong-ing with the customer, wonderful feeling on the customer-side

    So much for the big company reorg I keep hearing from all news channels, MS working as ONE..... aha, definitely.

  • @Richard Pasztor: Please see your support options here: http://support.microsoft.com/

  • @Blake Morrison: don't get me wrong, I am not blaming you for what I experience when trying to find a credible answer for such questions. It's hard to get meaningful feedback, if I don't have the proper insider connections in your company.
    Do you happen to know the generic email address of the NTDEBUG blog, where they collect their readers' feedback? I gave up expecting an answer in the short term, but at least in a couple of months maybe they will write an article that may reveal the answer to my not-so-unrealistic question: "what permissions are needed or what GPO may break the Silent process exit feature in windows 7"

  • @Richard Pasztor: Unfortunately there is no direct contact with the folks at that blog. As far as your testing goes, notepad.exe most likely does not exit silently. Have you tried following the above example?

  • @Blake: Yes, I have followed all the steps according to the post. This entire thing works perfectly on another machine of mine, but not on my primary one where I would like to debug 1 exiting program. That's the reason I am trying so hard to understand what's the difference between my 2 machines.