Get Even More Visitors To Your Blog, Upgrade To A Business Listing >>
Idioma: En

How do I know that Resource Monitor isn’t just retaining a handle to the terminated process?


A short time ago, I explained that
Resource Monitor shows information for terminated processes
for a little while, so you can see the results before they
go away.
it's not that Resource Monitor is able to go back in time and
see processes that are already dead.

Related Articles



Ben Voight
makes the accurate observation that

it's possible that Resource Monitor is retaining a handle to the
terminated process,
and it's that handle that allows it to keep asking questions
about the process.
A newly-launched Resource Monitor never observed the process
before it terminated, and therefore never had a chance to obtain
a handle to it.



Interesting theory. Let's test it.



Run Task Manager, Resource Monitor, and Notepad.
Close Notepad.
It vanishes immediately from Task Manager,
which demonstrates that Resource Monitor is not retaining a handle to it.
That's because process objects remain present in the kernel until all
handles are closed;
if the process has terminated, the process object is in a zombie state:
You can use the handle to ask questions about the process
(like get its exit code and CPU statistics).
But as long as the process object exists, it shows up in the Details
page of Task Manager.



Notepad disappeared immediately,
which means that its process object is gone for good,
which means no active handles.



Okay, but maybe Resource Monitor closes the handle
once it detects that the process has terminated.



To test that theory, run Task Manager, Resource Monitor, and Notepad.
Connect a debugger to Resource Monitor and freeze it.
Now close Notepad.
It vanishes immediately from Task Manager,
which shows that Resource Monitor didn't have a handle to it.



The question came from a customer who saw that
when their program terminated,
it disappeared immediately from Task Manager
and all the process enumeration APIs,
but their program still appeared in Resource Monitor
like a ghost from beyond the grave,
and they wanted to know what sort of
otherworldly powers Resource Manager has that
lets it see processes that no longer exist.



Answer: No otherworldly powers. Just a good memory.

Share the post

How do I know that Resource Monitor isn’t just retaining a handle to the terminated process?

×

Subscribe to Msdn Blogs | Get The Latest Information, Insights, Announcements, And News From Microsoft Experts And Developers In The Msdn Blogs.

Get updates delivered right to your inbox!

Thank you for your subscription

×