
Find out who killed a process in Windows

In this article I will cover a procedure that helps you find out who killed a process that you care about.

We often run into this problem: a process we care about closes abruptly and we are not sure whether it exited on its own or someone killed it from Task Manager or with kill (or Stop-Process). The procedure I am going to discuss will help you find that out.

A process in a Windows environment can exit in three ways.

  1. The process terminates on its own after completing its work
  2. Someone terminates it from Task Manager or with a utility like kill.exe
  3. The OS terminates the process when it misbehaves (a crash)

Case #3 is easy to identify, because an Application Error event is written to the event log when a process crashes. But how do you tell cases #1 and #2 apart? A process does not log any event in the Application log when it exits. Nor can you determine it with a process tracker such as “PowerShell: Track process stop/termination”, because that only tells you that the process exited, not whether it was killed or terminated on its own.

The solution

So what is the solution here? Debugging Tools for Windows includes a utility called gflags.exe that can be used to record this information. After you download and install Debugging Tools for Windows, launch gflags.exe from the installation directory. It requires administrative privileges, so be sure you are an administrator on the computer where you launch it.

Follow the below instructions to configure Windows process exit monitoring.

  1. Launch gflags.exe from the Debugging Tools for Windows installation directory
  2. Switch to the “Silent Process Exit” tab
  3. Type the name of the process that you want to monitor. In my case, I have given notepad.exe
  4. Press Tab and check the box “Enable silent process exit monitoring”
  5. Click OK to complete.

[Screenshot: gflags, enable process exit monitoring]

Now open Notepad and close it gracefully (by clicking the close button in the top right corner). You will see an event with ID 3000 from source “Process Exit Monitor” in the Application event log.


Now open Notepad again and this time kill the process from Task Manager. You will see an event with ID 3001 in the Application log from the same source.

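Once monitoring is enabled, the 3000/3001 events are the record you query. The following PowerShell function, added here as an example and not part of the original post, pulls those events for one process and labels each as a graceful exit or a termination. It assumes the events appear under the provider name "Microsoft-Windows-ProcessExitMonitor" (shown as "Process Exit Monitor" in Event Viewer); adjust $ProviderName if your Event Viewer shows a different source.

```powershell
# Added example: summarize Silent Process Exit events for one process.
# Assumption: provider name below matches the "Process Exit Monitor" source in Event Viewer.
function Get-ProcessExitReport {
    param(
        [string]$ProcessName  = 'notepad.exe',
        [string]$ProviderName = 'Microsoft-Windows-ProcessExitMonitor',
        [int]$MaxEvents       = 50
    )

    # 3000 = process exited on its own, 3001 = process was terminated by another process
    $filter = @{ LogName = 'Application'; ProviderName = $ProviderName; Id = 3000, 3001 }

    # Get-WinEvent throws when nothing matches; treat that as "no events" instead
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Only keep events whose message mentions the process we care about
        if ($e.Message -notmatch [regex]::Escape($ProcessName)) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Outcome = if ($e.Id -eq 3000) { 'exited on its own' } else { 'terminated by another process' }
            # First line of the event message text, as written by the provider
            Detail  = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Usage: run in an elevated PowerShell on the machine where monitoring was enabled
Get-ProcessExitReport -ProcessName 'notepad.exe' | Format-Table -AutoSize
```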

How to download Debugging Tools for Windows?

A simple Google search will take you to the Microsoft download page. Note that the Debugging Tools are also part of the Windows SDK and Windows Driver Kit download packages; you need to select Debugging Tools for Windows during the installation.

How to disable the silent process exit monitoring?

Now that you know how to enable silent process exit monitoring, you might also want to know how to disable it once the task is accomplished. It is very easy.

  1. Launch gflags.exe
  2. Switch to the “Silent Process Exit” tab
  3. Type the name of the process for which you want to disable monitoring
  4. Press Tab and ensure the “Enable silent process exit monitoring” box is unchecked
  5. Click OK to disable the monitoring for that process

  • Kashyap May 14, 2014, 9:27 pm

    That one is a beauty. Had looked around for a while regarding this one.

  • Satya Tippani May 28, 2014, 10:22 am

    Wonderful, Sitaram.
    I'm a Windows Administrator for 5 years now, and never thought this would be possible.
    Thanks. Now it's time for me to do some experiment and research on this..

    Very Helpful Post.. Keep up the Good Work, We are Following this Website.

  • yang October 27, 2015, 9:14 pm

    Thanks.
