Muokkaa

Jaa


Monitoring Silent Process Exit

Beginning with Windows 7, you can use the Silent Process Exit tab in GFlags to enter the name of a process that you want to monitor for silent exit.

In the context of this monitoring feature, we use the term silent exit to mean that the monitored process terminates in one of the following ways.

Self termination

The monitored process terminates itself by calling ExitProcess.

Cross-process termination

A second process terminates the monitored process by calling TerminateProcess.

The monitoring feature does not detect normal process termination that happens when the last thread of the process exits. The monitoring feature does not detect process termination that is initiated by kernel-mode code.

To register a process for silent exit monitoring, open the Silent Process Exit tab in GFlags. Enter the process name as the Image and press the Tab key. Check the Enable Silent Process Exit Monitoring box, and select Apply. This sets the FLG_MONITOR_SILENT_PROCESS_EXIT flag in the following registry entry.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessName\GlobalFlag

For more information about this flag, see Enable silent process exit monitoring.

For more information about using the Silent Process Exit tab in GFlags, see Configuring Silent Process Exit Monitoring.

In the Silent Process Exit tab of GFlags, you can configure the actions that will take place when a monitored process exits silently. You can configure notification, event logging, and creation of dump files. You can specify a process that will be launched when silent exit is detected, and you can specify a list of modules that the monitor will ignore. Several of these settings are available both globally and for individual applications. Global settings apply to all processes that you register for silent exit monitoring. Application settings apply to an individual process and override global settings.

Global settings are stored in the registry under the following key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

Application settings are stored in the registry under the following key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\ProcessName

Reporting Mode

The Reporting Mode setting is available as an application setting, but not as a global setting. You can use the following check boxes to set the reporting mode.

Launch monitor process Enable dump collection Enable notification The ReportingMode registry entry is a bitwise OR of the following flags.

Flag Value Meaning
LAUNCH_MONITORPROCESS 0x1 When silent exit is detected, the monitor process (specified in the Monitor Process box) is launched.
LOCAL_DUMP 0x2 When silent exit is detected, a dump file is created for the monitored process. In the case of cross-process termination, a dump file is also created for the process that caused the termination.
NOTIFICATION 0x4 When silent exit is detected, a pop-up notification is displayed.

Ignore Self Exits

The Ignore Self Exits setting is available as an application setting, but not as a global setting. You can use the Ignore Self Exits check box to specify whether self exits are ignored.

The IgnoreSelfExits registry entry has one of the following values.

Value Meaning
0x0 Detect and respond to both self termination and cross-process termination.
0x1 Ignore self termination. Detect and respond to cross-process termination.

Monitor Process

You can specify a monitor process by entering a process name, along with command line parameters, in the Monitor Process text box. You can use the following variables in your command line.

Varaible Meaning
%e ID of the exiting process. This is the monitored process that exited silently.
%i ID of the initiating process. In the case of self termination, this is the same as the exiting process. In the case of cross-process termination, this is the ID of the process that caused the termination.
%t ID of the initiating thread. This is the thread that caused the termination.
%c The status code passed to ExitThread or TerminateThread .

For example, the following value for Monitor Process specifies that on silent exit, WinDbg is launched and attached to the exiting process.

windbg -p %e

The Monitor Process command line is stored in the MonitorProcess registry entry.

Dump Folder Location

You can use the Dump folder location text box to specify a location for the dump files that are written when a silent exit is detected.

The string that you enter for Dump folder location is stored in the LocalDumpFolder registry entry.

If you do not specify a dump folder location, dump files are written to the default location, which is %TEMP%\Silent Process Exit.

Dump Folder Size

You can use the Dump folder size text box to specify the maximum number of dump files that can be written to the dump folder. Enter this value as a decimal integer.

The value that you enter for Dump folder size is stored in the MaxNumberOfDumpFiles registry entry.

By default, there is a limit of ten dump files that can be written.

Dump Type

You can use the Dump Type drop-down list to specify the type of dump file (Micro, Mini, Heap, or Custom) that is written when a silent exit is detected.

The dump type is stored in the DumpType registry entry, which is a bitwise OR of the members of the MINIDUMP_TYPE enumeration. This enumeration is defined in dbghelp.h, which is included in the Debugging Tools for Windows package.

For example, suppose you chose a dump type of Micro, and you see that the DumpType registry entry has a value of 0x88. The value 0x88 is a bitwise OR of the following two MINIDUMP_TYPE enumeration values.

MiniDumpFilterModulePaths: 0x00000080

MiniDumpFilterMemory: 0x00000008

If you choose a dump type of Custom, enter your own bitwise OR of MINIDUMP_TYPE enumeration values in the Custom Dump Type box. Enter this value as a decimal integer.

Module Ignore List

You can use the Module Ignore List box to specify a list of modules that will be ignored when a silent exit is detected. If the monitored process is terminated by one of the modules in this list, the silent exit is ignored.

The list of modules that you enter in the Module Ignore List box is stored in the ModuleIgnoreList registry entry.

Reading Process Exit Reports in Event Viewer

When a monitored process exits silently, the monitor creates an entry in Event Viewer. To open Event Viewer, enter the command eventvwr.msc. Navigate to Windows Logs > Application. Look for log entries that have a Source of Process Exit Monitor.

Event properties dialog box with General tab, displaying the source as Process Exit Monitor.