If a user fires up Task Manager and clicks “End Task” on your program, Windows first tries to shut down your program nicely, by sending
WM_CLOSE messages to GUI programs and
CTRL_CLOSE_EVENT events to console programs. But you don’t get a chance to intercept TerminateProcess?
TerminateProcess is the low-level process killing function. It bypasses DLL_PROCESS_DETACH and anything else in the process. Once you with TerminateProcess, no more user-mode code will run in that process. It’s gone. Do not pass go. Do not collect $200.
If you could intercept TerminateProcess, then you would be escalating the arms race between programs and users. Suppose you could intercept it. Well, then if you wanted to make your program unkillable, you would just hang in your TerminateProcess handler.
And then people would be asking for “a way to kill a process that is refusing to be killed by TerminateProcess” and we’d be back where we started.
Tomorrow: About those processes that don’t go away even though you’ve killed them. They’re really dead, but they won’t go away.