Which win32 functions used by windows resource monitor to detect both disk and netwrork activties for terminated process?

Question

1.00/5 (1 vote)

See more:

, +

In Windows Resource Monitor there are four tabs - CPU,MEMORY,DISK,NETWORK This program shows us every process with their respective PID(process ID) which are involving with I/O activities with disk drives and network.

Issue
I am using Win32 Programming plus Visual C++(Visual Studio).I created a process(Using CreateProcess function) "VBS3_64.exe",suppose that I don't know it's internal behavior,In my program my only intention was to create that process,let it execute for several minutes and Terminate it using Terminate or SendMessage functions. After I terminate that process progrmatically Windows Resource monitor shown that both CPU and Memory usage on "Terminated" state(gray color) but both Disk activity and Network activity were running(black color) at the moment for several minutes. Even Windows Task Manager did not show that Process.

I used Win32 functions to check whether that the process still running on the system even it get called Terminate or force kill but all of those function given me the same result.But only Resource Monitor detects its clean up -Disk activities and Network activities.

Question
1.How terminated process still Run in background for its cleanup stuff and only Resource Monitor detects it with its respective PID ?
2.Which Win32 functions helps us to detect such Process ? (which Win32 functions is being used by Resource Monitor to detect background/clean up activities of Terminated process).

Please refer following question that I asked on MSDN :- [^]

What I have tried:

I tried to get status of Process and it's I/O activities through following Win32 Functions:

C++

DWORD pid = 14216;
	HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	HPSS snapShot;
	PSS_PROCESS_INFORMATION info;
	PSS_PERFORMANCE_COUNTERS  traceInfo;
	BOOL status = STILL_ACTIVE;
	do
	{
		auto ret = PssCaptureSnapshot(process, PSS_CAPTURE_HANDLES | PSS_CREATE_MEASURE_PERFORMANCE, NULL, &snapShot);
		if (ret == ERROR_SUCCESS)
		{
			std::cout << "SnapShot okey" << std::endl;
			ret = PssQuerySnapshot(snapShot, PSS_QUERY_PROCESS_INFORMATION, &info, sizeof(info));
			if (ret == ERROR_SUCCESS)
			{
				status = info.ExitStatus;
				std::cout << status << std::endl;
				std::cout << info.PebBaseAddress << std::endl;
			}
			ret = PssQuerySnapshot(snapShot, PSS_QUERY_PERFORMANCE_COUNTERS, &traceInfo, sizeof(traceInfo));
			if (ret == ERROR_SUCCESS)
			{
				std::cout << "Cycles:" << traceInfo.TotalCycleCount << std::endl;
			}
		};

	} while (status == STILL_ACTIVE);

And

C++

IO_COUNTERS counters;
while (process && GetProcessIoCounters(process, &counters))
{
    std::cout << "Read operations: " << counters.ReadOperationCount << std::endl;
    std::cout << "Read Transfers: " << counters.ReadTransferCount << std::endl;
    CloseHandle(process);
    Sleep(1000);
    process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
}

Posted 26-Jan-17 15:53pm

Buddhi Chaturanga

Updated 16-Mar-17 18:30pm

v2

Add a Solution

Comments

Stefan_Lang 27-Jan-17 1:50am

Can't help with the Win32 functions, but have you tried simply hitting the 'pause' button in your debugger and then switch to that process to see what it's doing?
P.S.: I never tried that with processes, only with threads. But if you can't switch to that process in your debugger, you can try to attach a separate debugger to that process while it is still active and visible in Task Manager

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

**`Randor`** · Answer 1 · 2017-03-16T18:30:00

Hi,

The answers you are getting on the MSDN forum are incorrect.

The Windows Resource Monitor is mostly using Event Tracing for Windows (ETW)[^].

For disk i/o check out the DiskIO class[^] which is what the resource monitor uses. You may need to use the FileIo class[^] to get the filename and calling thread id.

WMI[^] is built on top of ETW. You can also get this data from WMI (which internally reads an ETW trace) by utilizing Get-Counter[^].

Event Tracing MOF Classes[^]

Again... WMI is built on top of ETW and you may prefer to get this data from WMI. Your choice.

Best Wishes,
-David Delaune