I wrote a program that launches, monitors and generally manages other programs. In the general case I prepare a `System.Diagnostics.ProcessStartInfo` and invoke `Process.Start`. Later I start one thread per program that periodically checks the resulting `Process` object.

For testing purposes I configured my program on my Win 7 machine to launch and monitor some typical Windows tools: Notepad, Paint and the Calculator. That all worked fine.

On a Windows 10 machine, however, the calculator behaves differently. The process started by `Process.Start` immediately terminates, and there is no calc.exe child to my launcher, but a win32calc.exe child to ~~explorer.exe~~ a non-existing process, the process my launcher created. See the process explorer screenshot here.

Why is that? How do I get a handle to that? What would be a strategy to monitor programs started by my launcher, even if they choose to abandon their parent?

Michael K.
  • in Windows 10, calc is "an application from tile world". does it make a difference if you start the host process as administrator? does notepad.exe behave differently than calc.exe? – Cee McSharpface Aug 11 '17 at 14:24
  • could you try something else: start cmd.exe, then start calc.exe from there. is the PPID of calc.exe in this case the PID of cmd.exe, or also that of explorer.exe? – Cee McSharpface Aug 11 '17 at 14:28
  • I'm running it as administrator. "an application from tile world" == UWP? And yes, notepad.exe and mspaint.exe do behave differently, as you can see, and as expected. – Michael K. Aug 11 '17 at 14:30
  • Sorry, I was mistaken, they are not children to explorer, but to a non (no longer) existing process. – Michael K. Aug 11 '17 at 14:35
  • [related](http://answers.elteacher.info/questions/post/2204481/windows-process-abandon-parent-how-to-get-hold-of-them-ask-question.html), and I found [this](https://stackoverflow.com/q/35612194/1132334): "for Store Apps, the parent process that creates the actual app process is svchost.exe" – Cee McSharpface Aug 11 '17 at 14:46
  • in win10 `calc.exe` exec via com `Calculator.exe` (direct parent is `svchost.exe -k DcomLaunch`) and exit. – RbMm Aug 11 '17 at 16:03
  • so calc.exe is some kind of backward-compatibility stub? interesting. care to write an answer? – Cee McSharpface Aug 11 '17 at 19:11
  • You need to put the child (or your own process) in a job object, that will allow you to monitor all of the descendants. If you need help getting started, there are lots of existing questions and answers on Stack Overflow about using job objects. – Harry Johnston Aug 12 '17 at 02:50
  • another piece of information: http://winaero.com/blog/tip-run-calculator-in-windows-10-directly the calc.exe stub uses [RoActivateInstance](https://msdn.microsoft.com/en-us/library/vs/alm/br224646(v=vs.85).aspx) to invoke a launch handler that obviously signals the metro ui service (which is one of the services that svchost.exe runs) and I'm afraid that bypasses the processes/threads APIs entirely (and so the job objects as well) but I have no proof as yet – Cee McSharpface Aug 14 '17 at 12:31

1 Answer

A sort-of answer:

calc.exe launches the actual process and then kills itself. Process groups could handle this: I could create a process group and monitor that.

However, this was only a test and I monitor only applications that don't do that, so I won't do that.

Michael K.
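
Harry Johnston's comment above suggests a job object. The following is an added example, not code from the question or the answer, that places the launcher itself in a job so that every process it starts stays tracked after the direct child exits. The `JobMonitor` class name and the `cmd.exe /c start notepad.exe` stand-in for a self-terminating stub are constructed for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;
static class JobMonitor   // hypothetical name, not from the page
{
    // Mirrors JOBOBJECT_BASIC_ACCOUNTING_INFORMATION from winnt.h.
    [StructLayout(LayoutKind.Sequential)]
    struct BasicAccounting
    {
        public long TotalUserTime, TotalKernelTime, PeriodUserTime, PeriodKernelTime;
        public uint TotalPageFaultCount, TotalProcesses, ActiveProcesses, TotalTerminatedProcesses;
    }
    const int JobObjectBasicAccountingInformation = 1;
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateJobObject(IntPtr securityAttributes, string name);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool AssignProcessToJobObject(IntPtr job, IntPtr process);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool QueryInformationJobObject(IntPtr job, int infoClass,
        out BasicAccounting info, int length, IntPtr returnLength);

    // Live processes in the job, not counting the launcher itself.
    static uint LiveDescendants(IntPtr job)
    {
        BasicAccounting info;
        if (!QueryInformationJobObject(job, JobObjectBasicAccountingInformation,
                out info, Marshal.SizeOf(typeof(BasicAccounting)), IntPtr.Zero))
            throw new Win32Exception();
        return info.ActiveProcesses - 1;
    }

    static void Main()
    {
        // Join the job before launching anything: children inherit membership,
        // so a stub cannot spawn its real process and exit before it is tracked.
        IntPtr job = CreateJobObject(IntPtr.Zero, null);
        if (job == IntPtr.Zero || !AssignProcessToJobObject(job, Process.GetCurrentProcess().Handle))
            throw new Win32Exception();
        // Constructed stand-in for a stub: cmd.exe starts notepad.exe and exits.
        var psi = new ProcessStartInfo("cmd.exe", "/c start notepad.exe") { UseShellExecute = false };
        using (Process stub = Process.Start(psi))
            stub.WaitForExit();            // the direct child is gone here
        while (LiveDescendants(job) > 0)   // notepad.exe is still counted
            Thread.Sleep(1000);
        Console.WriteLine("All descendants have exited.");
    }
}
```

On Windows 7 `AssignProcessToJobObject` fails if the launcher is already inside a job, since nested jobs arrived with Windows 8. A process that svchost.exe creates on a stub's behalf, as the comments describe for the Windows 10 calculator, is not a descendant of the launcher and is not counted.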