What Killed the Windows Process? it comes in mind… Guys this is a big and taunting question for me, when I am working on Problem tickets as we need to get the permanent solution of these sort of issue and also need to provide the root cause analysis.
Once you identify a Root cause and you need to make sure you are also providing good and solid corrective action as well along with RCA.
I have seen there are some occasions where cross process termination taken place, where one affected process kills another process.
Analyzing and identifying these behavior is bit grim but yes there is an easy solution which is called “Silent Process Exit Monitoring” exists Windows 7/2008R2 and later OS’s.
There is a GUI utility called GFlags.exe which includes in Windows Debugging toolkit
And download from
Just before the quick steps Lets discuss about the GFlags a bit
GFlags (Global Flags Editor) gflags.exe, it enables and disables advance debugging, diagnostic and troubleshooting features. It is most often used to turn on indicators that other tools tracks, counts and logs.
New Features of GFlags
a) Page heap verification. GFlags now includes the functions of PageHeap (pageheap.exe), a tool that enables heap allocation monitoring. PageHeap was included in previous versions of Windows.
b) No reboot required for the Special Pool feature. On Windows Vista and later versions of Windows, you can enable, disable, and configure the Special Pool feature without restarting (“rebooting”) the computer. For information, see Special Pool.
c) Object Reference Tracing. A new flag enables tracing of object referencing and object dereferencing in the kernel. This new feature of Windows detects when an object reference count is decremented too many times or not decremented even though an object is no longer used. This flag is supported only in Windows Vista and later versions of Windows.
d) New dialog box design. The GFlags dialog box has tabbed pages for easier navigation.
For more info on GFlags Details
To enable the monitoring with the following quick steps
1) Run GFLAGS.EXE and select the Silent Process Exit tab.
2) Type the name of the process that is exiting unexpectedly.
3) Hit the TAB key on the keyboard to refresh the GUI.
4) Check the following boxes:
a. Enable Silent Exit Process Monitoring
This enables the feature and tracks silent process exits in the application event log.
(Event ID: 3001)
b. Enable Notification
This optionally creates a balloon popup with the same information in the event log.
c. Ignore Self Exits
This prevents superfluous logging when the application exits gracefully, such as when File / Exit is selected from a menu.
5) Click OK to save the change and exit the GFLAGS tool.
Note : This will come to in affect once we click and apply as it not required any reboot of the Server
When another process forces termination of the monitored process, the offending process name is listed in a balloon popup and in the application event log. (If this option is selected)