There are a number of processes that are started with a fake (non-existent PID). An example of this is a csrss.exe process. It starts up, and the parent process PID assigned doesn't exist. If you look in procexp.exe, "Parent" is listed as "(524)" (524 is the random, non-existent parent PID in this case). Why are these assigned?
Asked
Active
Viewed 636 times
1 Answers
5
Client/Server Runtime Subsystem (CSRSS or csrss.exe) is spawned by the Session Manager Subsystem (SMSS or smss.exe). SMSS is spawned by System (which always has a PID of 4) under Session 0 for OS services. Additionally, SMSS is spawned in Session 1 (the user session) with the sole job of starting CSRSS and WinLogon. Once those two are started, the Session 1 SMSS terminates.
Hence, the phantom parent ID you are seeing is the PID of the Session 1 SMSS process that has already terminated.
Hyppy
- 15,608
- 1
- 38
- 59
-
Thanks! Since the PID is getting reassigned to other processes, it looks like processes started by smss are the children of another process. I can just compare timestamps to see if the children are newer then the parent; if so, I can just ignore them. – EGr May 14 '15 at 12:08