How to monitor a silent process exit using GFlags
Do you observe arbitrary terminations of one of your applications or Windows services without any error messages, and have you been unable to identify the reason so far? If so, this blog shows you one possible way of identifying the reason for the arbitrary process terminations using the built-in debugging, diagnostic, and troubleshooting features of your Windows operating system.
These features can easily be configured using the Global Flags Editor (GFlags) offered by Microsoft: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/gflags
In this blog, we focus on only one feature available with GFlags: the configuration of silent process exit monitoring. This feature is available on Windows Server 2008 R2 and later.
One word of caution: for some reason we found that the silent process exit was not detected on all systems. For example, we had several hosts running Windows 10 that were not able to detect silent process exits. Possible reasons for this are installed antivirus software or other security-related applications that interfere with this operating system mechanism.
To monitor a silent process exit using GFlags you must first download and install GFlags. This tool is part of the Debugging Tools for Windows, so you should get the latest version available for your Windows operating system version from Microsoft:
- Windows debugging tools: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
- Windows 10 SDK: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
Instead of installing the software on the target computer, you can also install the debugging tools on a different computer (your workstation, for example) and copy only the installed executables to the target machine where you want to run GFlags. For GFlags you must copy the files gflags.exe and gflagsui.dll. For more information, see SAP Note 1708040 – How to download and install the Windows-Debugging-Tools.
To start GFlags, use the executable for the correct processor architecture (x86, x64, or, where applicable, ARM or ARM64). Run the executable as administrator.
- If you want to monitor an application compiled for x86 processors (32-bit), start the “Global Flags (x86)” executable, even on an x64 operating system.
- If you want to monitor an application compiled for x64 processors (64-bit), start the “Global Flags (x64)” executable.
In our example, we configure silent process exit monitoring for the application disp+work.exe on a system running Windows Server 2019. As disp+work.exe is a 64-bit application on Windows Server 2019, we start the “Global Flags (x64)” executable.
You can identify the architecture (32-bit or 64-bit) of your application on a 64-bit operating system using the Windows task manager:
If your application is compiled for a 32-bit processor, the task manager adds the suffix “(32 bit)” to the application name. If this suffix is missing, it is a 64-bit application.
Configure Monitoring for a Silent Process Exit
In the GFlags main window, switch to the tab “Silent Process Exit”.
A detailed description for all the available configuration options can be found here:
The following example shows the recommended configuration for disp+work.exe:
The name of the executable of the application that you want to monitor (including the file extension, but not the file path). In our example we use disp+work.exe.
After you have typed the executable name and pressed the TAB key, GFlags checks whether a configuration for this application already exists and, if so, loads it automatically.
- Enable silent process exit monitoring: Select this option to avoid unnecessary notifications for irrelevant process exits.
- Enable dump collection: As we want to get a dump for each process exit, we select this option.
- Enable notification: We select this option to receive a desktop notification for each detected silent process exit.
- Ignore self exits: We enable this option as we do not want to get notified if the process terminates itself.
Dump Folder Location
The created dumps are stored at this location. Therefore, choose a drive with enough free space for the memory dumps. The default location is %TEMP%\Silent Process Exit.
To get the most detailed debugging information, choose Heap Dump.
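To check that the configuration above actually landed on the target host (worth doing, given the caveat that some systems never report silent exits), here is an added PowerShell script, not part of the original post, that reads back the registry entries GFlags writes: the SilentProcessExit key for the image and the GlobalFlag bit 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) under Image File Execution Options, both as documented by Microsoft. It only reads the registry; the value-name decoding follows Microsoft's GFlags documentation.

```powershell
# Added example (not from the original post): verify and decode the GFlags
# silent process exit configuration for one image name. Run elevated.
param([string]$ImageName = 'disp+work.exe')

$speKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$ImageName"
$ifeoKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ImageName"
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # the GlobalFlag bit the GFlags tab sets
$problems = @()

# 1. Without bit 0x200 in the IFEO GlobalFlag the kernel never reports exits for this image.
$ifeo = Get-ItemProperty -LiteralPath $ifeoKey -ErrorAction SilentlyContinue
$gf = 0
if ($ifeo -and $null -ne $ifeo.GlobalFlag) { try { $gf = [int]$ifeo.GlobalFlag } catch { $gf = 0 } }
if ($gf -eq 0) {
    $problems += "No GlobalFlag under IFEO for $ImageName (monitoring not enabled)."
} elseif (($gf -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -eq 0) {
    $problems += ("GlobalFlag is 0x{0:X} but bit 0x200 is clear." -f $gf)
}

# 2. The SilentProcessExit key holds the options chosen on the GFlags tab.
$spe = Get-ItemProperty -LiteralPath $speKey -ErrorAction SilentlyContinue
if (-not $spe) {
    $problems += "No SilentProcessExit key for $ImageName."
} else {
    # ReportingMode is a bitmask: 0x1 launch monitor process, 0x2 local dump, 0x4 notification
    $mode = [int]$spe.ReportingMode
    $dump = switch ([int]$spe.DumpType) { 0 { 'Custom' } 1 { 'Mini' } 2 { 'Heap (full)' } default { 'unknown' } }
    [pscustomobject]@{
        Image           = $ImageName
        DumpCollection  = [bool]($mode -band 0x2)
        Notification    = [bool]($mode -band 0x4)
        DumpType        = $dump
        DumpFolder      = $spe.LocalDumpFolder
        IgnoreSelfExits = [bool]$spe.IgnoreSelfExits
    } | Format-List
    # Heap dumps of a large process need room: report free space on the dump drive.
    if (($mode -band 0x2) -and $spe.LocalDumpFolder) {
        $folder = [Environment]::ExpandEnvironmentVariables($spe.LocalDumpFolder)
        $drive  = Get-PSDrive -Name $folder.Substring(0, 1) -ErrorAction SilentlyContinue
        if ($drive) { 'Free space on dump drive: {0:N1} GB' -f ($drive.Free / 1GB) }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Silent process exit monitoring looks correctly configured.' }
```

If the script reports the key and flag as present but no events ever appear, the host is one of the cases described above where a security product interferes with the mechanism.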
Whenever a silent process exit is detected, an event is written to the Windows Application event log. This event contains the following information:
- If available: the name of the user who caused the silent process exit
- The name (including the full path) of the terminated process
- The name (including the full path) of the terminating process, if available
- The user who initiated the process exit
Additionally, you will receive a desktop notification like the following:
These notifications are what you need to identify a silent process exit. The created heap dumps enable a more detailed analysis.
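To pull the terminated and terminating process out of those Application log events without clicking through Event Viewer, here is an added PowerShell script (not from the original post). It assumes the events are logged with Event ID 3001 by the provider Microsoft-Windows-ProcessExitMonitor, and the message regex is an assumption based on the usual wording of that event; when it does not match, the raw message is shown instead.

```powershell
# Added example (not from the original post): list recent silent process exit
# events for one image and extract who terminated what, with which exit code.
param([string]$ImageName = 'disp+work.exe', [int]$Last = 20)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-ProcessExitMonitor'
    Id           = 3001
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $Last -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No silent process exit events found (monitoring not enabled, or no exit occurred yet).'
    return
}

# Assumed message layout: "The process 'X' was terminated by the process 'Y' with termination code N..."
$pattern = "The process '(?<exited>[^']+)' was terminated by the process '(?<killer>[^']*)' with termination code (?<code>\d+)"

$events |
  Where-Object { $_.Message -like "*$ImageName*" } |
  ForEach-Object {
    $m = [regex]::Match($_.Message, $pattern)
    # UserId is the SID of the account that triggered the exit; translate it when possible
    $who = $null
    if ($_.UserId) {
        try { $who = $_.UserId.Translate([Security.Principal.NTAccount]).Value }
        catch { $who = $_.UserId.Value }
    }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = $who
        Terminated = $(if ($m.Success) { $m.Groups['exited'].Value } else { $_.Message })
        Terminator = $(if ($m.Success) { $m.Groups['killer'].Value } else { '' })
        ExitCode   = $(if ($m.Success) { [int]$m.Groups['code'].Value } else { $null })
    }
  } | Format-Table -AutoSize
```

A terminator that is not the application itself (for example a management agent or a security product) is exactly the lead the heap dump and the terminating process's own logs should then confirm.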
In summary, the GFlags utility from Microsoft is very useful for identifying the reason for arbitrary process terminations of your applications. Using the configuration shown for disp+work.exe, you can easily set up silent process exit monitoring for other applications running on Windows Server as well as Windows clients. However, there are several reasons, such as installed antivirus software or other security-related applications, why the operating system mechanism for monitoring a silent process exit may not work.