A forum for reverse engineering, OS internals and malware analysis 

 #9567  by lorddoskias
 Sun Nov 06, 2011 5:39 pm
How can I gain insight into what chain of events (that is, what functions) is called when a particular event happens, e.g. a process is killed from Process Explorer? Precisely, how do I know which function I should set a breakpoint on so that the bp gets triggered when a process is killed?
 #9571  by rkhunter
 Sun Nov 06, 2011 7:33 pm
If you want to look at the actual termination of the kernel object _EPROCESS (cleaning up the address space of the specified process, etc.), look at PspProcessDelete, the destruction method for all processes.
VOID
PspProcessDelete(
    IN PEPROCESS Object
    )
If you want to look at the chain of functions that are called when process termination is initiated from user mode, look at NtTerminateProcess.
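One way to put the two routines named above to work in a kernel debugging session, added here as an example and not part of either post: it assumes WinDbg attached as a kernel debugger to an x64 target with public ntoskrnl symbols loaded (so nt!PspProcessDelete resolves), and that the first argument arrives in rcx per the x64 calling convention. The NtTerminateProcess breakpoint skips the self-exit case (handle -1, the current-process pseudo-handle), so only terminations requested on a handle to another process, such as a kill from Process Explorer, are logged together with the requesting process and its stack; the PspProcessDelete breakpoint then shows which _EPROCESS is actually being torn down.

```windbg
kd> .reload /f nt
kd> bp nt!NtTerminateProcess ".if (@rcx == -1) { gc } .else { .echo ==== NtTerminateProcess on a foreign handle; .printf \"handle=%p exitstatus=%08x\\n\", @rcx, @rdx; .echo -- requesting process:; !process -1 0; .echo -- kernel stack of the caller:; kb; g }"
kd> bp nt!PspProcessDelete ".echo ==== PspProcessDelete; dt nt!_EPROCESS @rcx ImageFileName UniqueProcessId; kb; g"
kd> g
```

Replace the trailing `g` in either command with nothing if you want the debugger to stop there instead of logging and continuing; the `!process` and `kb` output is what tells you which user-mode caller asked for the kill versus which object is finally being destroyed.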