How do I know that Resource Monitor isn’t just retaining a handle to the terminated process?

A short time ago, I explained that Resource Monitor shows information for terminated processes for a little while, so you can see the results before they go away. it’s not that Resource Monitor is able to go back in time and see processes that are already dead.

Ben Voigt makes the accurate observation that it’s possible that Resource Monitor is retaining a handle to the terminated process, and it’s that handle that allows it to keep asking questions about the process. A newly-launched Resource Monitor never observed the process before it terminated, and therefore never had a chance to obtain a handle to it.

Interesting theory. Let’s test it.

Run Task Manager, Resource Monitor, and Notepad. Close Notepad. It vanishes immediately from Task Manager, which demonstrates that Resource Monitor is not retaining a handle to it. That’s because process objects remain present in the kernel until all handles are closed; if the process has terminated, the process object is in a zombie state: You can use the handle to ask questions about the process (like get its exit code and CPU statistics). But as long as the process object exists, it shows up in the Details page of Task Manager.

Notepad disappeared immediately, which means that its process object is gone for good, which means no active handles.

Okay, but maybe Resource Monitor closes the handle once it detects that the process has terminated.

To test that theory, run Task Manager, Resource Monitor, and Notepad. Connect a debugger to Resource Monitor and freeze it. Now close Notepad. It vanishes immediately from Task Manager, which shows that Resource Monitor didn’t have a handle to it.

The question came from a customer who saw that when their program terminated, it disappeared immediately from Task Manager and all the process enumeration APIs, but their program still appeared in Resource Monitor like a ghost from beyond the grave, and they wanted to know what sort of otherworldly powers Resource Manager has that lets it see processes that no longer exist.

Answer: No otherworldly powers. Just a good memory.