
Let's say I started notepad. In a PowerShell window, I run ps notepad | Stop-Process -Force to kill all notepad sessions. I captured a procmon trace during these operations. Is it possible to find out that it's PowerShell that caused notepad to exit? I tried, but I failed. All the entries are SUCCESS and there seems to be no clue there. I just want to know if this is even possible. Thanks.
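An added example, not part of the question or of any comment on it: Procmon records notepad's own Process Exit event, but it does not record which process opened the handle that was used to terminate it, so the trace cannot answer the question by itself. Sysinternals Sysmon does record that, as Event ID 10 (ProcessAccess), including SourceImage, TargetImage and the GrantedAccess mask; Stop-Process calls TerminateProcess, which requires PROCESS_TERMINATE (access bit 0x1) on the handle. The script below assumes Sysmon is installed with a ProcessAccess rule covering the target image. The config fragment, the schema version and the function name Get-ProcessTerminators are this example's assumptions, not anything from the page.

```powershell
# Added example (not from the original post). Assumes Sysinternals Sysmon is installed.
# Procmon attributes "Process Exit" to the victim only; Sysmon Event ID 10 (ProcessAccess)
# records who opened a handle to the victim and with which access mask.

# Sysmon configuration fragment (assumption: schemaversion 4.50 or later is accepted by
# the installed Sysmon). Save it and load it with:  sysmon64 -c .\sysmon-config.xml
$sysmonConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <ProcessAccess onmatch="include">
      <TargetImage condition="image">notepad.exe</TargetImage>
    </ProcessAccess>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path .\sysmon-config.xml -Value $sysmonConfig

# PROCESS_TERMINATE is the lowest bit of the process access mask.
$PROCESS_TERMINATE = 0x1

function Get-ProcessTerminators {
    param(
        [string]$TargetImage = 'notepad.exe',
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    # Sysmon writes to this channel; Event ID 10 = ProcessAccess.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $rec = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) {
            $rec[$item.Name] = $item.'#text'
        }
        # GrantedAccess is logged as a hex string such as 0x1FFFFF; ToInt64 accepts the 0x prefix.
        $granted = [Convert]::ToInt64($rec['GrantedAccess'], 16)
        if ($rec['TargetImage'] -like "*\$TargetImage" -and ($granted -band $PROCESS_TERMINATE)) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $rec['SourceImage']
                SourcePid     = $rec['SourceProcessId']
                TargetImage   = $rec['TargetImage']
                TargetPid     = $rec['TargetProcessId']
                GrantedAccess = $rec['GrantedAccess']
                CallTrace     = $rec['CallTrace']
            }
        }
    }
}

# Reproduce the scenario from the question, then ask Sysmon who held a terminate-capable handle.
Start-Process notepad
Start-Sleep -Seconds 2
Get-Process notepad | Stop-Process -Force
Start-Sleep -Seconds 2
Get-ProcessTerminators -TargetImage 'notepad.exe' | Format-Table -AutoSize
```

For the Stop-Process case the SourceImage column should name the PowerShell host (powershell.exe or pwsh.exe) and the CallTrace column shows the DLLs on the calling stack. The same query applies to the real problem of a program dying after its splash screen: if no Event ID 10 with bit 0x1 set from another process precedes the victim's exit (Sysmon Event ID 5, ProcessTerminate), nothing else killed it and it exited on its own, which points toward a debugger on the victim rather than at other processes.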

  • Procmon is not going to show you what took place inside the exe when it got the exit message. The message itself came from the kernel and because it was a windowed application, it received a WM_QUIT message in its message queue and the application did what it was told. In the case of notepad, technically, you could watch the window messages using spy++ and see this behavior but I don't understand the point of this exercise. You have me intrigued. Perhaps someone has better info. Commented Jun 12, 2023 at 2:16
  • This is a simplified scenario of my actual problem. I have installed an application. When I start it, it runs, and I can even see its splash window. But after that, it exits immediately. I suspect one of the programs on my computer killed it, but I don't have proof. Commented Jun 12, 2023 at 3:24
  • You might be able to create the right filters within procmon to see this behavior by watching what took place when. If you know how to use a proper debugger, you might also be able to break when the WM_QUIT message comes in and debug the stack. This will be difficult but doable. Commented Jun 12, 2023 at 3:39
  • The common way is to install the software in a clean environment, e.g. a new Windows VM. Then you will see if it works or not. Or you use your current Windows and step by step close all applications and disable all services.
    – Robert
    Commented Sep 18, 2023 at 13:26
  • @Robert It's not possible in my case. The software is a commercial one, and it's heavily tested on all supported OSs. The issue only happened on my laptop. I'm sure it will work in clean VMs. Commented Sep 19, 2023 at 9:22


