{"id":98035,"date":"2018-02-16T07:00:00","date_gmt":"2018-02-16T22:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/?p=98035"},"modified":"2019-03-13T01:01:17","modified_gmt":"2019-03-13T08:01:17","slug":"20180216-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20180216-00\/?p=98035","title":{"rendered":"So what is a Windows “critical process” anyway?"},"content":{"rendered":"

I noted some time ago that Task Manager applies three somewhat arbitrary criteria<\/a> for dividing processes into three categories: App, Background Process, and Windows Process. In particular, a Windows Process is one for which Is­Process­Critical<\/code> reports TRUE<\/code>. <\/p>\n

SimonRev<\/a> quite rightly calls out the documentation for being useless due to the fact that it merely states a tautology<\/a>. <\/p>\n

\n

IsProcessCritical<\/b> <\/p>\n

Determines whether the specified process is considered critical. <\/p>\n

\nBOOL WINAPI IsProcessCritical(\n  _In_  HANDLE hProcess,\n  _Out_ PBOOL  Critical\n);\n<\/pre>\n
hProcess<\/i> [in] A handle to the process to query. The process must have been opened with PROCESS_<\/code>LIMITED_<\/code>QUERY<\/code>INFORMATION<\/code> access. <\/p>\n
Critical<\/i> [out] A pointer to the BOOL<\/b> value this function will use to indicate whether the process is considered critical.  <\/p>\n
Return value<\/b>: This routine returns FALSE<\/b> on failure. Any other value indicates success. Call GetLastError<\/b> to query for the specific error reason on failure. <\/p>\n<\/blockquote>\n
Great, so we learn that the Is­Process­Critical<\/code> function tells you whether the process is critical. But nowhere does it say what it means for a process to be critical or how a process becomes critical in the first place. <\/p>\n
A critical process is one that forces a system reboot if it terminates. (More precisely, it forces a bluescreen error, which captures a memory dump before rebooting, so that the cause for termination can be investigated.) <\/p>\n
How does a process get itself marked critical? <\/p>\n
A few system processes do this on their own. For example, processes related to enforcing system security do this so that if one of them crashes, it stops the system immediately before any more damage can occur. <\/p>\n
But most of the time, the way this happens if you create a service and set its recovery option<\/a> to Restart the Computer<\/b>. <\/p>\n
Bonus chatter<\/b>: Wait a second, there are some processes in the Windows processes<\/i> list that aren’t critical system processes. Like Console Window Host<\/i>. How did they get there? <\/p>\n
In addition to putting all critical system processes in the list, Task Manager also keeps a hard-coded list of processes that it puts in the Windows processes<\/i> list whenever it sees them. That’s why you see things like Console Window Host<\/i> and Desktop Window Manager<\/i>. So a more accurate list of what goes into Windows processes<\/i> is <\/p>\n