Let's say I started notepad. In a PowerShell window, I run

    ps notepad | Stop-Process -Force

to kill all notepad sessions. I captured a procmon trace during these operations. Is it possible to find out it's the PowerShell that caused notepad to exit? I tried, but I failed. All the entries are success and there seems to be no clue for that. I just want to know if this is even possible. Thanks.
-
Procmon is not going to show you what took place inside the exe when it got the exit message. The message itself came from the kernel and because it was a windowed application, it received a WM_QUIT message in its message queue and the application did what it was told. In the case of notepad, technically, you could watch the window messages using spy++ and see this behavior but I don't understand the point of this exercise. You have me intrigued. Perhaps someone has better info. – Señor CMasMas, commented Jun 12, 2023 at 2:16
-
This is a simplified scenario of my actual problem. I have installed an application. When I start it, it runs, and I can even see its splash windows. But after that, it exits immediately. I suspect it's one of the programs on my computer killed it, but I don't have proof. – Fajela Tajkiya, commented Jun 12, 2023 at 3:24
-
You might be able to create the right filters within procmon to see this behavior by watching what took place when. If you know how to use a proper debugger, you might also be able to debug when the WM_QUIT message comes in and debug the stack. This will be difficult but do-able. – Señor CMasMas, commented Jun 12, 2023 at 3:39
-
The common way is to install the software in a clean environment, e.g. a new Windows VM. Then you will see if it works or not. Or you use your current Windows and step-by-step close all applications and disable all services. – Robert, commented Sep 18, 2023 at 13:26
-
@Robert It's not possible in my case. The software is a commercial one, and it's heavily tested on all supported OSs. The issue only happened on my laptop. I'm sure it will work in clean VMs. – Fajela Tajkiya, commented Sep 19, 2023 at 9:22