#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!

#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!

#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!

#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!

#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!

#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!

#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!

#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!

#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!

#StackBounty: #windows #windows-10 #process #process-explorer Silent Process Exit: process '?' was terminated by the process &#…

Bounty: 50

We have a serious issue with a C# application being terminated silently at random and infrequent points in time on a Windows 10 32-bit installation.
E.g. it might be a month between occurrences. Or sometimes just a day.

Basic system specifications:

Microsoft Windows 10 Enterprise 2016 LTSB
Version 10.0.14393 Build 14393
32-bit

Using https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-and-clearing-flags-for-silent-process-exit we have configured silent process exit monitoring. And we finally have a few samples of this:

The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by 
the process 'C:WindowsSystem32svchost.exe' with termination code 1067. 
The creation time for the exiting process was 0x01d43bd8689073eb.

Looking at the dumps for this, which was setup for the monitoring we got a process ID for the svchost. This service was still running at the system, and it shows the following list of services:

Services

Which seems to be a list of “netsvcs” for Windows. Opening the dump from the svchost.exe and looking at this a single thread was found with an interesting call stack:

ntdll.dll!_KiFastSystemCallRet@0 ()
ntdll.dll!_NtWaitForSingleObject@12 ()
ntdll.dll!RtlReportSilentProcessExit()
KERNELBASE.dll!TerminateProcess()
ubpm.dll!_UbpmpTerminateProcessCallback@12 ()
ubpm.dll!UbpmUtilsTimerCallback()
ntdll.dll!TppTimerpExecuteCallback()
ntdll.dll!TppWorkerThread()
kernel32.dll!@BaseThreadInitThunk@12 ()
ntdll.dll!__RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8 ()

UBPM is the Unified Background Process Manager. But how can this be terminating our application? And why? And what does the termination code 1067tell us?

Below is the log entry from Silent Process Monitoring:

Log Name:      Application
Source:        Microsoft-Windows-ProcessExitMonitor
Date:          2018-08-31 15:26:09
Event ID:      3001
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      PC
Description:
The process 'APPLICATIONPATHAPPLICATIONNAME.exe' was terminated by the process 'C:WindowsSystem32svchost.exe' with termination code 1067. The creation time for the exiting process was 0x01d43ed2aee892ab.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ProcessExitMonitor" Guid="{FD771D53-8492-4057-8E35-8C02813AF49B}" EventSourceName="Process Exit Monitor" />
    <EventID Qualifiers="16384">3001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-31T13:26:09.988216500Z" />
    <EventRecordID>4853</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_PROCESSTERMINATION_CROSSPROCESS">
    <Data Name="param1">APPLICATIONPATHAPPLICATIONNAME.exe</Data>
    <Data Name="param2">C:WindowsSystem32svchost.exe</Data>
    <Data Name="param3">1067</Data>
    <Data Name="param4">01d43ed2aee892ab</Data>
  </EventData>
</Event>

NOTES: The PC is not being shut down at the moment the app terminates nor are there any other indications in event logs as to why the process was terminated.


Get this bounty!!!