2

I am trying to understand the ways in which an unmanaged user-mode Windows process can "crash" (which is really too much of a catch-all term).

Here are the ways I know of so far:

  • Unhandled Structured Exception
    • Default UnhandledExceptionFilter: postmortem debugger in pre-Vista; WerFault in Vista+
    • Custom UnhandledExceptionFilter: may do whatever it likes, including exiting quietly?
  • "Hard" crash (not sure if there's a technical term for this)
    • E.g. hitting the stack overflow guard page while handling a stack overflow: the OS simply makes the process disappear without a trace?
  • "Normal" exit:
    • E.g. where the language provides its own error handling mechanism that makes a fatal crash look to the OS like the application has shut down normally.

Is this roughly right? Are there any other ways for a user-mode Windows process to die?

Roman Starkov
  • 59,298
  • 38
  • 251
  • 324
  • 1
    I'm not sure what you mean by "crash", but external forces can also kill your process (i.e. TerminateProcess). This is different from what people typically mean by "crash" as your process doesn't get any kind of chance to handle it. – Luke Aug 31 '10 at 21:16
  • @Luke agreed. To give you a better feel of what I mean, this was prompted when I was [experimenting with Windows Error Reporting](http://stackoverflow.com/questions/3561545) and found that even when WER is disabled, a program can still crash with a different error message, via UnhandledExceptionFilter->NtRaiseHardError, which shows something like this: http://i.imgur.com/fBsTI.png – Roman Starkov Sep 03 '10 at 17:03

1 Answers1

2
  • Unhandled exception - this is usually what people would call "crash"
  • Exception with corrupted stack - if the stack is corrupted and the exception chain cannot be walked, the process is silently killed.
  • Explicit termination
    • From another process (e.g. TaskManager, kill.exe) calling TerminateProcess,
    • C/C++ runtime fatal error, /GS stack cookie corruption, etc.
  • Attaching a debugger and quiting the debugger without detaching
  • Console application will terminate if you kill the corresponding conhost.exe process
John
  • 5,561
  • 1
  • 23
  • 39