Windows process monitor create a log code
Beginning with Windows 7, you can use the Silent Process Exit tab in GFlags to enter the name of a process that you want to monitor for silent exit.

In the context of this monitoring feature, we use the term silent exit to mean that the monitored process terminates in one of the following ways.

- The monitored process terminates itself by calling ExitProcess.
- A second process terminates the monitored process by calling TerminateProcess.

The monitoring feature does not detect normal process termination that happens when the last thread of the process exits. The monitoring feature does not detect process termination that is initiated by kernel-mode code.

To register a process for silent exit monitoring, open the Silent Process Exit tab in GFlags. Enter the process name as the Image and press the Tab key. Check the Enable Silent Process Exit Monitoring box, and select Apply. This sets the FLG_MONITOR_SILENT_PROCESS_EXIT flag in the following registry entry.

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessName\GlobalFlag

For more information about this flag, see Enable silent process exit monitoring.

For more information about using the Silent Process Exit tab in GFlags, see Configuring Silent Process Exit Monitoring.

In the Silent Process Exit tab of GFlags, you can configure the actions that will take place when a monitored process exits silently. You can configure notification, event logging, and creation of dump files. You can specify a process that will be launched when silent exit is detected, and you can specify a list of modules that the monitor will ignore. Several of these settings are available both globally and for individual applications. Global settings apply to all processes that you register for silent exit monitoring. Application settings apply to an individual process and override global settings.

Global settings are stored in the registry under the following key.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

Application settings are stored in the registry under the following key.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\ProcessName

Reporting Mode

The Reporting Mode setting is available as an application setting, but not as a global setting. You can use the following check boxes to set the reporting mode.

- Enable notification
- Enable dump collection
- Launch monitor process

The ReportingMode registry entry is a bitwise OR of the following flags.

- When silent exit is detected, the monitor process (specified in the Monitor Process box) is launched.
- When silent exit is detected, a dump file is created for the monitored process. In the case of cross-process termination, a dump file is also created for the process that caused the termination.
- When silent exit is detected, a pop-up notification is displayed.

The Ignore Self Exits setting is available as an application setting, but not as a global setting. You can use the Ignore Self Exits check box to specify whether self exits are ignored. The IgnoreSelfExits registry entry has one of the following values.

- Detect and respond to both self termination and cross-process termination.
- Detect and respond to cross-process termination.

You can specify a monitor process by entering a process name, along with command line parameters, in the Monitor Process text box. You can use the following variables in your command line.

- This is the monitored process that exited silently.
- In the case of self termination, this is the same as the exiting process. In the case of cross-process termination, this is the ID of the process that caused the termination.
- This is the thread that caused the termination.
- The status code passed to ExitThread or TerminateThread.
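
To review what is actually configured on a host, the registry entries described on this page can be read back and decoded. The following PowerShell is an added example, not part of the original page or of GFlags; the numeric flag values (0x200 for FLG_MONITOR_SILENT_PROCESS_EXIT, and 0x1, 0x2, 0x4 for the reporting mode flags) and the MonitorProcess value name come from Microsoft's GFlags documentation rather than from this page, and the function names are hypothetical.

```powershell
# Added example: read-only audit of silent process exit monitoring settings.
# Flag values below are taken from Microsoft's GFlags documentation, not this page.
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200
$ReportingFlags = [ordered]@{
    'Launch monitor process' = 0x1
    'Enable dump collection' = 0x2
    'Enable notification'    = 0x4
}

$nt   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ifeo = Join-Path $nt 'Image File Execution Options'
$spe  = Join-Path $nt 'SilentProcessExit'

# Turn a ReportingMode bitmask into the check box names used in GFlags.
function ConvertTo-ReportingModeText([int]$Mode) {
    $names = foreach ($f in $ReportingFlags.GetEnumerator()) {
        if ($Mode -band $f.Value) { $f.Key }
    }
    if ($names) { $names -join ', ' } else { 'none' }
}

# List every application key under SilentProcessExit with its decoded settings.
function Get-SilentExitConfig {
    if (-not (Test-Path $spe)) { return }
    foreach ($key in Get-ChildItem -Path $spe -ErrorAction SilentlyContinue) {
        $name = $key.PSChildName
        $app  = Get-ItemProperty -Path $key.PSPath
        # GlobalFlag can be a DWORD or a string such as "0x200"; [int] handles both.
        $gf = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name GlobalFlag `
                   -ErrorAction SilentlyContinue).GlobalFlag
        $gfValue = if ($null -ne $gf) { [int]$gf } else { 0 }

        [pscustomobject]@{
            Process         = $name
            # Application settings only take effect when the flag is set.
            MonitoringOn    = [bool]($gfValue -band $FLG_MONITOR_SILENT_PROCESS_EXIT)
            ReportingMode   = ConvertTo-ReportingModeText ([int]$app.ReportingMode)
            IgnoreSelfExits = $app.IgnoreSelfExits
            MonitorProcess  = $app.MonitorProcess
        }
    }
}

# Constructed sample value: 0x5 = launch monitor process + notification.
ConvertTo-ReportingModeText 0x5
Get-SilentExitConfig | Format-Table -AutoSize
```

Entries whose MonitorProcess is populated run that command line each time the named process exits silently, so they are the ones to compare against what administrators intentionally configured.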