#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process …

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATH\APPLICATIONNAME.exe' was terminated by 
the process 'C:\Windows\System32\svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which were set up for the monitoring, we got a process ID for the svchost. This service was still running on the system, and it shows the following list of services:

[Image: Services]

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this, a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067 tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATH\APPLICATIONNAME.exe' was terminated by the process 'C:\Windows\System32\svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATH\APPLICATIONNAME.exe</Data>
    <Data Name="param2">C:\Windows\System32\svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.

UPDATE 1: Here are a few extra details (trying to answer as many as in comments):

  • Process is (sometimes) started via TaskScheduler when Windows is started, yes. Other times by user. Not entirely sure problem only occurs when started via TaskScheduler. But interesting point? Could Windows kill a task for some reason? Note that times between process exiting can be up to a month.
  • We have the source for the main program, but would have problems running it inside a debugger since this is running at a customer, but maybe. We can’t run it compiled for Debug though. Not at all, due to performance. This is live production.
  • Application is a normal WPF application without any child processes or any other inter-process communication. It does use a few third party devices e.g. libraries and drivers.
  • We have set up event handling of appdomain exceptions and application exceptions etc. None of these occur. The process exits without any indication of an exception occurring. It is a hard process exit.
  • We have suspected perhaps a third party driver being the source, but how? And how could we determine whether this was the case?
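
Added example, not part of the original question: a Python parser for the ProcessExitMonitor event 3001 XML shown in the question. It decodes param4 as a Windows FILETIME and computes how long the process had been alive when it was terminated. The sample XML is the question's event trimmed to the fields used, with backslashes in the paths restored as an assumption; the function names are illustrative.

```python
import calendar
import re
import time
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EPOCH_DELTA = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
TICKS_PER_SEC = 10_000_000        # FILETIME counts 100 ns intervals
# Constructed sample: the event from the question, trimmed to the fields used below.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="16384">3001</EventID>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" /></System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATH\APPLICATIONNAME.exe</Data>
    <Data Name="param2">C:\Windows\System32\svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>"""

def systemtime_to_ticks(value):
    """Convert an event SystemTime string (UTC) to FILETIME ticks without floats."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError("unexpected SystemTime format: %r" % value)
    secs = calendar.timegm(time.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    frac = (m.group(2) or "").ljust(7, "0")[:7]  # keep 100 ns resolution
    return secs * TICKS_PER_SEC + int(frac) + EPOCH_DELTA

def ticks_to_utc(ticks):
    """Render FILETIME ticks as an ISO 8601 UTC string with 100 ns precision."""
    secs, rem = divmod(ticks - EPOCH_DELTA, TICKS_PER_SEC)
    return time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(secs)) + ".%07dZ" % rem

def parse_exit_event(xml_text):
    """Extract who terminated what, the exit code, and the victim's lifetime."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "3001":
        raise ValueError("not a ProcessExitMonitor 3001 event")
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    created = int(data["param4"], 16)  # creation time of the exiting process, hex FILETIME
    logged = systemtime_to_ticks(root.find("e:System/e:TimeCreated", NS).get("SystemTime"))
    return {"exiting": data["param1"], "terminator": data["param2"],
            "code": int(data["param3"]),  # 1067 is ERROR_PROCESS_ABORTED in winerror.h
            "created_utc": ticks_to_utc(created), "lifetime_seconds": (logged - created) // TICKS_PER_SEC}

if __name__ == "__main__":
    for key, value in parse_exit_event(SAMPLE).items():
        print("%-17s %s" % (key, value))
```

For the event in the question this gives a creation time of 2018-08-28T13:26:09Z and a lifetime of 259200 seconds, which is 72 hours. That is worth comparing against the "Stop the task if it runs longer than" setting of the scheduled task, whose default is 3 days.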

