Trapping TerminateProcess

If a user fires up Task Manager and clicks “End Task” on your program, Windows first tries to shut down your program nicely, by sending WM_CLOSE messages to GUI programs and CTRL_CLOSE_EVENT events to console programs. But you don’t get a chance to intercept TerminateProcess?

TerminateProcess is the low-level process killing function. It bypasses DLL_PROCESS_DETACH and anything else in the process. Once you with TerminateProcess, no more user-mode code will run in that process. It’s gone. Do not pass go. Do not collect $200.

Task Manager Process Tab

If you could intercept TerminateProcess, then you would be escalating the arms race between programs and users. Suppose you could intercept it. Well, then if you wanted to make your program unkillable, you would just hang in your TerminateProcess handler.

And then people would be asking for “a way to kill a process that is refusing to be killed by TerminateProcess” and we’d be back where we started.

Tomorrow: About those processes that don’t go away even though you’ve killed them. They’re really dead, but they won’t go away.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s