{
	"id": "52623f54-18b5-493b-a2cc-ddf8bb341973",
	"created_at": "2026-04-06T00:11:57.769668Z",
	"updated_at": "2026-04-10T13:12:22.809771Z",
	"deleted_at": null,
	"sha1_hash": "b3c269ec871d1f2c91455590a5a33a82c849afa3",
	"title": "Monitoring Silent Process Exit - Windows drivers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121551,
	"plain_text": "Monitoring Silent Process Exit - Windows drivers\r\nBy Bradben\r\nArchived: 2026-04-05 20:47:01 UTC\r\nBeginning with Windows 7, you can use the Silent Process Exit tab in GFlags to enter the name of a process that\r\nyou want to monitor for silent exit.\r\nIn the context of this monitoring feature, we use the term silent exit to mean that the monitored process terminates\r\nin one of the following ways.\r\nSelf termination\r\nThe monitored process terminates itself by calling ExitProcess.\r\nCross-process termination\r\nA second process terminates the monitored process by calling TerminateProcess.\r\nThe monitoring feature does not detect normal process termination that happens when the last thread of the\r\nprocess exits. The monitoring feature does not detect process termination that is initiated by kernel-mode code.\r\nTo register a process for silent exit monitoring, open the Silent Process Exit tab in GFlags. Enter the process\r\nname as the Image and press the Tab key. Check the Enable Silent Process Exit Monitoring box, and select\r\nApply. This sets the FLG_MONITOR_SILENT_PROCESS_EXIT flag in the following registry entry.\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution\r\nOptions\\ProcessName\\GlobalFlag\r\nFor more information about this flag, see Enable silent process exit monitoring.\r\nFor more information about using the Silent Process Exit tab in GFlags, see Configuring Silent Process Exit\r\nMonitoring.\r\nIn the Silent Process Exit tab of GFlags, you can configure the actions that will take place when a monitored\r\nprocess exits silently. You can configure notification, event logging, and creation of dump files. You can specify a\r\nprocess that will be launched when silent exit is detected, and you can specify a list of modules that the monitor\r\nwill ignore. Several of these settings are available both globally and for individual applications. 
Global settings\r\napply to all processes that you register for silent exit monitoring. Application settings apply to an individual\r\nprocess and override global settings.\r\nGlobal settings are stored in the registry under the following key.\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\r\nApplication settings are stored in the registry under the following key.\r\nhttps://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit\r\nPage 1 of 4\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion\\SilentProcessExit\\ProcessName\r\nThe Reporting Mode setting is available as an application setting, but not as a global setting. You can use the\r\nfollowing check boxes to set the reporting mode.\r\nLaunch monitor process Enable dump collection Enable notification The ReportingMode registry entry is a\r\nbitwise OR of the following flags.\r\nFlag Value Meaning\r\nLAUNCH_MONITORPROCESS 0x1\r\nWhen silent exit is detected, the monitor process (specified in\r\nthe Monitor Process box) is launched.\r\nLOCAL_DUMP 0x2\r\nWhen silent exit is detected, a dump file is created for the\r\nmonitored process. In the case of cross-process termination, a\r\ndump file is also created for the process that caused the\r\ntermination.\r\nNOTIFICATION 0x4 When silent exit is detected, a pop-up notification is displayed.\r\nThe Ignore Self Exits setting is available as an application setting, but not as a global setting. You can use the\r\nIgnore Self Exits check box to specify whether self exits are ignored.\r\nThe IgnoreSelfExits registry entry has one of the following values.\r\nValue Meaning\r\n0x0 Detect and respond to both self termination and cross-process termination.\r\n0x1 Ignore self termination. Detect and respond to cross-process termination.\r\nYou can specify a monitor process by entering a process name, along with command line parameters, in the\r\nMonitor Process text box. 
You can use the following variables in your command line.\r\nVariable Meaning\r\n%e ID of the exiting process. This is the monitored process that exited silently.\r\n%i\r\nID of the initiating process. In the case of self termination, this is the same as the exiting process.\r\nIn the case of cross-process termination, this is the ID of the process that caused the termination.\r\n%t ID of the initiating thread. This is the thread that caused the termination.\r\n%c The status code passed to ExitThread or TerminateThread.\r\nFor example, the following value for Monitor Process specifies that on silent exit, WinDbg is launched and\r\nattached to the exiting process.\r\nwindbg -p %e\r\nThe Monitor Process command line is stored in the MonitorProcess registry entry.\r\nYou can use the Dump folder location text box to specify a location for the dump files that are written when a\r\nsilent exit is detected.\r\nThe string that you enter for Dump folder location is stored in the LocalDumpFolder registry entry.\r\nIf you do not specify a dump folder location, dump files are written to the default location, which is\r\n%TEMP%\\Silent Process Exit.\r\nYou can use the Dump folder size text box to specify the maximum number of dump files that can be written to\r\nthe dump folder. Enter this value as a decimal integer.\r\nThe value that you enter for Dump folder size is stored in the MaxNumberOfDumpFiles registry entry.\r\nBy default, there is a limit of ten dump files that can be written.\r\nYou can use the Dump Type drop-down list to specify the type of dump file (Micro, Mini, Heap, or Custom) that\r\nis written when a silent exit is detected.\r\nThe dump type is stored in the DumpType registry entry, which is a bitwise OR of the members of the\r\nMINIDUMP_TYPE enumeration. 
This enumeration is defined in dbghelp.h, which is included in the Debugging\r\nTools for Windows package.\r\nFor example, suppose you chose a dump type of Micro, and you see that the DumpType registry entry has a value\r\nof 0x88. The value 0x88 is a bitwise OR of the following two MINIDUMP_TYPE enumeration values.\r\nMiniDumpFilterModulePaths: 0x00000080\r\nMiniDumpFilterMemory: 0x00000008\r\nIf you choose a dump type of Custom, enter your own bitwise OR of MINIDUMP_TYPE enumeration values in\r\nthe Custom Dump Type box. Enter this value as a decimal integer.\r\nYou can use the Module Ignore List box to specify a list of modules that will be ignored when a silent exit is\r\ndetected. If the monitored process is terminated by one of the modules in this list, the silent exit is ignored.\r\nThe list of modules that you enter in the Module Ignore List box is stored in the ModuleIgnoreList registry\r\nentry.\r\nWhen a monitored process exits silently, the monitor creates an entry in Event Viewer. To open Event Viewer,\r\nenter the command eventvwr.msc. Navigate to Windows Logs \u003e Application. Look for log entries that have a\r\nSource of Process Exit Monitor.\r\nSource: https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"
	],
	"report_names": [
		"registry-entries-for-silent-process-exit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434317,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3c269ec871d1f2c91455590a5a33a82c849afa3.pdf",
		"text": "https://archive.orkl.eu/b3c269ec871d1f2c91455590a5a33a82c849afa3.txt",
		"img": "https://archive.orkl.eu/b3c269ec871d1f2c91455590a5a33a82c849afa3.jpg"
	}
}