November 10th, 2016

Under what circumstances will GetProcessTimes report that a process exited before it was created?

A customer reported that their automation started reporting strange values:

HANDLE process = ...;
FILETIME creation, exit, kernel, user;
if (GetProcessTimes(process, &creation,
                    &exit, &kernel, &user))
{
   // use the values of creation, exit, kernel, and user
}

Their test automation reported that the process had an exit time earlier than its creation time. How is this even possible? This apparent violation of causality was causing their automation to stop working.

If you take a closer look at the documentation for GetProcessTimes, it says for the lpExitTime parameter:

If the process has not exited, the content of this structure is undefined.

What probably is happening is that the process being monitored has not yet exited, so the exit time is undefined. The undefined value might be less than the creation time. It might be greater than the creation time. Heck, if you’re really (un)lucky, it might even be equal to the creation time.

My guess is that the “undefined” result is coming from uninitialized stack garbage, and the nature of uninitialized stack garbage is that while it is unpredictable, it can also often be consistent over short stretches.
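One way to avoid consuming the undefined exit time, shown as an added example that is not code from the original post or from the customer: confirm that the process handle is signaled before trusting lpExitTime. The helper names process_lifetime and query_process_lifetime are hypothetical, and the non-Windows FILETIME stand-in is an assumption that exists only so the arithmetic compiles off Windows.

```c
#include <stdbool.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in with the same field names as the Win32 FILETIME (example only). */
typedef struct { uint32_t dwLowDateTime, dwHighDateTime; } FILETIME;
#endif

/* A FILETIME is a 64-bit count of 100-nanosecond intervals split in two halves. */
static uint64_t filetime_to_u64(FILETIME ft)
{
    return ((uint64_t)ft.dwHighDateTime << 32) | ft.dwLowDateTime;
}

/* Hypothetical helper: yields the lifetime only when the exit time is defined. */
bool process_lifetime(bool has_exited, FILETIME creation, FILETIME exit_time,
                      uint64_t *lifetime_100ns)
{
    if (!has_exited)
        return false;               /* exit_time is undefined: do not read it */
    uint64_t c = filetime_to_u64(creation);
    uint64_t e = filetime_to_u64(exit_time);
    if (e < c)
        return false;               /* defensive: avoid unsigned wrap-around */
    *lifetime_100ns = e - c;
    return true;
}

#ifdef _WIN32
/* Hypothetical wrapper. The handle needs SYNCHRONIZE access for the wait and
   PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION for the times. */
bool query_process_lifetime(HANDLE process, uint64_t *lifetime_100ns)
{
    FILETIME creation, exit_time, kernel, user;
    /* A process handle becomes signaled when the process exits; a zero
       timeout polls without blocking. Checking this before reading the
       times means a "true" answer still holds when the times are read. */
    bool has_exited = WaitForSingleObject(process, 0) == WAIT_OBJECT_0;
    if (!GetProcessTimes(process, &creation, &exit_time, &kernel, &user))
        return false;
    return process_lifetime(has_exited, creation, exit_time, lifetime_100ns);
}
#endif
```

A false return means "no lifetime available yet", so automation can keep polling or wait on the handle instead of comparing an undefined exit time against the creation time.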


Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.
