Can process IDs be greater than 64000? Because we're seeing process IDs greater than 64000

A customer asked what to me was a very strange question.

Can process IDs be greater than 64000? Because we’re seeing process IDs greater than 64000.

This is a strange question because the answer is right there: You’re seeing process IDs greater than 64000 with your very own eyes. Do you doubt the evidence right there in front of you?

It’s like asking, “Is it possible to have an orange with no seeds? Because I have an orange with no seeds.”

We saw some time ago that process IDs can get very high indeed, although the kernel tries to keep the numbers small purely for cosmetic reasons.

The customer explained why they were asking this question.

Our application is crashing when the process ID gets too large. Here is the code:

int eventId = System.Diagnostics.Process.GetCurrentProcess().Id;
EventLog.WriteEntry("Contoso",
                    message,
                    EventLogEntryType.Information,
                    eventId);

Okay, um, that code makes no sense.

The code uses the process ID as the event ID. But event IDs are static; they are references to messages in your event source’s message table. It’s not like your message table contains 65535 entries like this:

MessageId=1
Severity=Informational
SymbolicName=MSG_PROCESSID_1
Language=English
An event occurred in Process ID 1: %1
.
MessageId=2
Severity=Informational
SymbolicName=MSG_PROCESSID_2
Language=English
An event occurred in Process ID 2: %1
.
MessageId=3
Severity=Informational
SymbolicName=MSG_PROCESSID_3
Language=English
An event occurred in process ID 3: %1
.
… and so on until …
MessageId=3
Severity=Informational
SymbolicName=MSG_PROCESSID_65535
Language=English
An event occurred in process ID 65535: %1
.

The event ID describes what happened, and the process ID and other information goes into the payload.

You can see from the format of event IDs that the event number can be at most 65535 because the upper bits of the event ID are used to encode other information.

And the code crashes because the WriteEntry method specifically checks for absurd event IDs and rejects them with an ArgumentException.

The fix is therefore to put the process ID in the payload of your event and let the event number describe what actually happened, like “A multi-part print job was created.”

Author

Raymond Chen

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

Can process IDs be greater than 64000? Because we're seeing process IDs greater than 64000

Author

0 comments

Read next

Non-psychic debugging: If somebody's complaining that a collection should be empty but isn't, you might want to see what's in there

How can I make a WNDPROC or DLGPROC a member of my C++ class?

Author

0 comments

Read next

Non-psychic debugging: If somebody's complaining that a collection should be empty but isn't, you might want to see what's in there

How can I make a WNDPROC or DLGPROC a member of my C++ class?

Stay informed