{"id":38363,"date":"2004-07-23T07:00:00","date_gmt":"2004-07-23T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2004\/07\/23\/why-do-some-process-stay-in-task-manager-after-theyve-been-killed\/"},"modified":"2004-07-23T07:00:00","modified_gmt":"2004-07-23T07:00:00","slug":"why-do-some-process-stay-in-task-manager-after-theyve-been-killed","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20040723-00\/?p=38363","title":{"rendered":"Why do some process stay in Task Manager after they&#039;ve been killed?"},"content":{"rendered":"<p>When a process ends (either of natural causes or due to something  harsher like  <a href=\"http:\/\/msdn.microsoft.com\/library\/en-us\/dllproc\/base\/terminateprocess.asp\">  TerminateProcess<\/a>),  the user-mode part of the process is thrown away.  But the kernel-mode part can&#8217;t go away until all drivers are  finished with the thread, too.\n  For example, if a thread was in the middle of an I\/O operation,  the kernel signals to the driver responsible for the I\/O that  the operation should be cancelled.  If the driver is well-behaved,  it cleans up the bookkeeping for the incomplete I\/O and releases  the thread.\n  If the driver is not as well-behaved (or if the hardware that the  driver is managing is acting up), it may take a long time for  it to clean up the incomplete I\/O.  During that time,  the driver holds that thread (and therefore the process that the  thread belongs to) hostage.\n  (This is a simplification of what actually goes on.  <a href=\"http:\/\/weblogs.asp.net\/oldnewthing\/archive\/2004\/07\/22\/191123.aspx#191459\">  Commenter Skywing gave a more precise explanation,  for those who like more precise explanations<\/a>.)\n  If you think your problem is a wedged driver, you can drop into  the kernel debugger, find the process that is stuck and look at  its threads to see why they aren&#8217;t exiting.  You can use the !irp  debugger command to view any pending IRPs to see what device is  not completing.\n  After all the drivers have acknowledged the death of the process,  the &#8220;meat&#8221; of the process finally goes away.  All that remains is the  &#8220;process object&#8221;, which lingers until all handles to the process  and all the threads in the process have been closed.  (You did remember to  <a href=\"http:\/\/msdn.microsoft.com\/library\/en-us\/sysinfo\/base\/closehandle.asp\">  CloseHandle<\/a> the handles returned in  <a href=\"http:\/\/msdn.microsoft.com\/library\/en-us\/dllproc\/base\/process_information_str.asp\">  the PROCESS_INFORMATION structure<\/a>  that you passed to  <a href=\"http:\/\/msdn.microsoft.com\/library\/en-us\/dllproc\/base\/createprocess.asp\">  the CreateProcess function<\/a>, didn&#8217;t you?)<\/p>\n<p>  In other words, if a process hangs around after you&#8217;ve terminated it,  it&#8217;s really dead, but its remnants will remain in the system until  all drivers have cleaned up their process bookkeeping, and all  open handles to the process have been closed.  <\/p>\n","protected":false},"excerpt":{"rendered":"<p>When a process ends (either of natural causes or due to something harsher like TerminateProcess), the user-mode part of the process is thrown away. But the kernel-mode part can&#8217;t go away until all drivers are finished with the thread, too. For example, if a thread was in the middle of an I\/O operation, the kernel [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-38363","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>When a process ends (either of natural causes or due to something harsher like TerminateProcess), the user-mode part of the process is thrown away. But the kernel-mode part can&#8217;t go away until all drivers are finished with the thread, too. For example, if a thread was in the middle of an I\/O operation, the kernel [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/38363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=38363"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/38363\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=38363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=38363"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=38363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}