Why doesn’t the End Task button end my task immediately?


Commenter littleguru asks, "Why does the End Now button not kill the process immediately?"

When you click the End Now button, the process really does end now, but not before a brief message from our sponsor.

When you kill a hung application, Windows Error Reporting steps in to record the state of the hung application so it can be submitted to the mother ship (with your permission). If you are running Windows XP or Windows Vista, you can briefly see a process called dumprep.exe or WerFault.exe; these are the guys who are doing the data collection.

After being uploaded to Microsoft, these failure reports are studied to determine why the application stopped responding and what could be done to fix it. I've been asked to do quite a few of these analyses myself, and sometimes it's something pretty mundane (an application sends a cross-thread message while holding a critical section, and the thread can't receive the message because it's stuck waiting for the critical section that the sender is holding—classic deadlock), and sometimes it's something pretty weird (application has a bug if the number of sound output devices is not equal to one). Whatever the reason, I write up my analysis, and the people who are in charge of such things make arrangements for the information to be sent back to the vendors who wrote the application (assuming the vendors are registered with Winqual).

If you don't want Windows Error Reporting to collect application crash and hang reports, you can disable it from the Group Policy Editor under Windows Error Reporting. Of course, if you do this, then you don't get to vote on which program crashes and failures Microsoft should work on fixing.

Note: This entry is an experiment: I mentioned Windows Error Reporting and WHQL. If people complain about digital certificate authorities, that'll just confirm my bias against returning to those old debugging stories.

Update: Experimental results obtained. No more stories involving Windows Error Reporting and WHQL.

Comments (64)
  1. SimonRev says:

    Raymond, I suspect it is part of human nature to complain.  Certainly it is your blog – your rules, but it does seem contrary to human nature.

    Part of me has often wondered why a Visual Studio license doesn't just come with some sort of limited use certificate, which would probably stem most of the complaints.

    Back to the topic, I had often wondered what was going on when you press End Now.  Thanks for the info

  2. stevex says:

    Sometimes it doesn't kill the process at all.  It just hangs around.  That's the one that really bugs me.

  3. Joshua Ganes says:

    I understand why this is the default action. It makes good sense.

    On rare occasions, I really just want to force kill a task that has obviously run amok. Maybe it's my own code running an infinite busy loop. Is there a Windows equivalent of the "kill -9" I would send to a Linux process to force it to stop immediately?

  4. Diffuse says:

    Sometimes I only want to kill a process because it's hogging system resources on a very busy machine, and I end up with a situation where dumprep.exe is hogging even more system resources :)

  5. Leo Davidson says:

    It the process stays around forever then it's probably stuck inside a kernel/driver call and really killing it would risk making the whole system unstable.

    (Still happens to me every so often on my laptop, I think due to a bug in its network drivers.)

  6. catbert says:

    @Joshua Ganes

    Just kill it from the "Processes" tab :-) Right-click it and do "End Process"

  7. Alex Grigoriev says:

    @stevex:

    A process only goes away when all I/O requests it issued are completed or canceled. A buggy driver can hold an I/O request indefinitely and not support CLEANUP. This will prevent the process' address space from being destroyed.

    @Joshua Ganes, Diffuse:

    WinDbg includes kill.exe.

  8. Alex Grigoriev says:

    @SimonRev:

    Doesn't Raymont himself complain here often about lazy programmers and ISVs with over-inflated sense of importance?

    [It's not the complaining that I object to. it's the off-topic complaining. -Raymond]
  9. John says:

    I would complain about cert authorities, but I am too lazy.  For the sake of discussion can we just pretend that I complained about them?

  10. Jake says:

    If you are running Windows XP or Windows Vista, you can briefly see a process called dumprep.exe or WerFault.exe

    So, Windows 7 does something different?

  11. Cherry says:

    Sometimes it happens after waking up from hibernation that svchost.exe crashes. I don't know which services were stopped, because services.msc shows alls services "Running" and trying to restart any of them results in a freeze of the mmc.

    When this happened to me, I tried to kill mmc.exe using task manager -> processes, but it didn't work. Nothing happened. So I opened Process Explorer and tried to look at the stack of the hanging thread. As soon as I clicked the "Stack" button, the whole system locked up. Even the mouse cursor stopped responding.

    After a reboot using the power switch, Windows had no explanation for that in the event log… Just that it was shut down unexpectedly.

  12. Skip says:

    On a semi-related topic, when an IE 8 tab is hung and needs to be killed, is there any way tell which of the potentially several dozen iexplore.exe*32 processes is the one in question?  I usually start with the ones that have larger private working sets, but that doesn't always get it.    Invariably if I've left IE running for a week or two without completely killing it this will happen.

  13. Joshua says:

    @Cherry: it was probably RPCSS that died. Neither the Windows shell nor MMC correctly handle a dead RPCSS.

    Next time try C:>net start rpcss

  14. Cyrill says:

    Some developers implemented own application-specific analogs of Windows Error Reporting. For example, Opera and FireFox did it. Is it good or bad thing?

  15. Dan Bugglin says:

    @Skip Nope.  Though Google Chrome has a feature like that, if you're interested.

    I never use End Task anymore because it simply takes too long.  I suspect it tries to send WM_CLOSE or WM_QUIT to a window before forcefully killing the process when that message times out (if I am using End Task, I have already tried unsuccessfully to close the window myself, so chances are it will).  On the other hand End Process works immediately; thus I have trained myself to use it exclusively.

  16. Yuhong Bao says:

    "Update: Experimental results obtained. No more stories involving Windows Error Reporting and WHQL. "

    If you are still interested, there is a WER blog here:

    http://blogs.msdn.com/b/wer/

  17. Dan Bugglin says:

    @Cyrill Microsoft does offer third parties the ability to use Windows Error Reporting, but I'm not sure if it costs anything (IIRC it does) or what control they have over it.

    On the other hand any app can implement their own crash handler and cut out the middleman (Microsoft).  I believe Chrome has it's own crash reporter which is transparent to the user (all you see is a prompt to restart Chrome).

    I would say it is a good thing since specific apps know what data is important to upload, while WER has no way of knowing (unless there's an API for excluding variables/memory addresses from the report).  If you enter personal information into an app and it crashes, WER could accidentally upload that information to Microsoft as part of the crash dump (though to be fair I don't know EXACTLY what is included; if it is just a stack trace it could be OK, but WER does allow you to preview the dump, and IIRC it does warn you of the possibility).  It has no way of knowing what data is relevant to the crash.

    At the very least third-party crash handlers allow apps to customize their crash behavior more than WER can, since they can build everything themselves.  It's probably a case of "WER is good enough for us and we don't have time to make our own handler" vs "WER doesn't do what we need and we have the time to code our own handler".

  18. James Curran says:

    Which bring up I question I've had for a while:

    Frequently, when I'm writing a new application, it will crash and I'll get the WER dialog.  Now, do you have any use the these reports which are from a) a program which exists only on my hard disk, and b) almost certainly caused by a bug in my code?

  19. frymaster says:

    "Microsoft does offer third parties the ability to use Windows Error Reporting, but I'm not sure if it costs anything (IIRC it does)"

    no and yes; the only requirement is that the .exe be signed with a code-signing certificate.  That way, Microsoft can be sure they're giving the crash data out to the right people.  Frankly, NOT signing code that's got a wide distribution is like running an https site with a self-signed certificate.

    "Update: Experimental results obtained. No more stories involving Windows Error Reporting and WHQL. "

    Nooooooooo! Why should we all lose out because of internet trolls? Just think of them as background interference and pretend they don't exist, please :(

  20. Mike Spainhower says:

    "Why should we all lose out because of internet trolls?"  

    I strongly concur.  The rationale to why WER and WHQL work they way they do is particularly interesting possibly /because/ of all the bias that exists against them.  It is rare and illuminating to find good anecdotes about them.

  21. fahadsadah says:

    ZamesCurran, I suspect not. He's previously said it was a popularity count – if only you 'vote', noone will even look at the report.

  22. Mark says:

    And Windows XP and above include tskill.

  23. Mark says:

    "Just think of them as background interference and pretend they don't exist, please"

    This is a good point.  The ultimatum in the post is like writing "no graffiti" on a freshly painted wall.  Trolls are a fact of the public internet.

  24. TaskKiller says:

    Why does the task manager Applications tab not have a simple "Close" in the context menu when you right click an app? It has Maximize, Minimize and End Task. No Close to close multiple selected apps.

  25. James Curran says:

    @fahadsadah.  On the other hand, I could generate a lot of them……

  26. ThermoNuke says:

    Touchy, I only saw two complaints which could be taken in jest and that is enough to ban the topic. Boom!

  27. AustinSpafford says:

    I am saddened to read that there will not be more articles of this nature. I found this article to be very interesting, and would like to see more of them in the future.

    It indeed seems to be the case that one ethylene gas generator prematurely ripens the many.

  28. Stephen Cleary - Nito Programs says:

    @Dan –

    I disagree. Having each application run its own crash handler/reporter is like having each application run its own updater. It's a way of doing things that will hopefully pass away soon.

    WER has a comprehensive API that allows applications to add their own pertinent information. Regarding personal information, it is up to the user whether to report or not; and if your company has a privacy policiy then there shouldn't be a problem.

  29. Oddball says:

    "Update: Experimental results obtained. No more stories involving Windows Error Reporting and WHQL. "

    Awwww, man!  That was really interesting, though.

  30. dalek says:

    I would like to know the answer to ZamesCurran's questions as well.

  31. James Schend says:

    Thermonuke, it probably doesn't help that the one was:

    1) Posted first in the comments (only 8 minutes after the post went live)

    2) Made it clear that he read the disclaimer, and STILL posted an off-topic complaint

    3) Even made it clear that he understands what a jerk he's being by complaining

    SimonRev is the reason we can't have nice things.

  32. Carl C. Longnecker says:

    @ZamesCurran: windows can't tell the difference between an application that you just complied vs. one you have not. besides, they wouldn't want to make that distinction anyway. microsoft uses the WER data to identify new malware and viruses (specifically, the ones that crash computers) or bugs that can lead to attacks such as privilege escalation. if they attempted to guess if an app was just compiled before deciding to generate/send a report, then a virus author could just exploit that detection to make sure their virus is never reported.

    and since your applications would have such a low crash count, it's likely never even seen by anyone and just filtered out from reports.

  33. JoeWoodbury says:

    In a related vein, one issue that drives me crazy is when you have a runaway application consuming 100% system resources, but you don't want to reboot, it may take a long time for task manager to come up, be able to select the offending application and kill it successfully. I've had various ideas like monitoring the panic state of the user by how many times he/she presses Ctrl-Alt-Delete and/or if an application has 100% CPU resources to halt it (or slow it down) and let task manager run.

  34. Leo Davidson says:

    @joewoodbury: I find that happens really rarely on dual-CPU systems, FWIW. If something gets into an infinite loop it only eats one of the CPU cores, leaving the other free to launch Task Manager.

    Of course, some things consume some other resource, not the CPU, and that's still a problem, but a rare one. Ditto multi-threaded apps that go crazy and manage to consume multiple CPUs (I've had it happen, but only a couple of times). Mostly, though, it's solved (aside from cheap/mobile CPUs with only one core).

  35. Rescator says:

    Code signing cert isn't that expensive any more, especially after StartSSL certs now being fully supported by MicroSoft.

    Their email and server certs (class 1) are FREE, you only need to renew once a year (which is also free),

    and the code signing cert (class 2) costs just 50 bucks at https://www.startssl.com/

    And you are not really paying for the cert, but the validation, as once validated you can make as many certs as you want.

    With class 2 certs your name etc. is displayed in the cert and you can make wildcards and code signing certs.

    The philosophy of StartSSL is that it is the yearly (or so) validation you pay for and not the actual certificates.

  36. Wladimir Palant says:

    I also occasionally have a process stay around for quite a while after killing it. Typically this happens if the process hangs because of accessing a network drive that went away – I guess that the process issued a sync read request which needs to complete even to terminate the process.

  37. Nick says:

    "Update: Experimental results obtained. No more stories involving Windows Error Reporting and WHQL."

    Wait, did I miss something?  Were some comments deleted? If this updated was posted around when yuhong2 posted, it doesn't seem like much real complaining about either topic had happened…

    Raymond, for what it's worth, I would much rather you just preemptively disable commenting on stories you worry about complaining than completely dump any topics.

  38. @Leo Davidson: the end of this kind of problems has indeed been one of the joys of going from a single-core Athlon64 to a quad-core Phenom X4. Non multithread-enabled applications sometimes are better. :)

    @Raymond: this stuff is interesting, don't let the many readers of your blog be punished for the idiot act of just few people.

    I understand that receiving off-topic/plain stupid comments as a response to a post that surely cost you time and energy is frustrating, but keep in mind that there are tons of readers who really appreciate your work.

    As others said, since morons won't stop by themselves, just disable comments on "sensible" posts; it's sad, but it's the only way you can stop these people without damaging all your audience.

  39. Joshua says:

    Look, just give me an option to save all error reports locally and it would suffice. Probably for most of the others too. There, no more reason to gripe about certificates. No more asking Microsoft for copies of error reports generated by test exes either. Less work for everyone.

  40. nine says:

    Please keep doing error reporting things! It's fascinating seeing how the 'hidden machine' works, and in 7 I have seen the benefits myself with it providing several actionable suggestions for my own problems.

  41. Random832 says:

    Just to clarify [it took me a while to figure out], the button in question is labeled "End Now" in XP and below, and "Close the Program" in Win7. The "End Task" button is in the task manager and what it does with a hung program is pops up that dialog, rather than closing the program.

  42. Gabe says:

    If only signed apps can make use of WER, why does WER offer to upload crash results from my unsigned apps (i.e. the ones I just compiled)?

  43. Cheong says:

    @Matteo Italia: I think disable comment on sensitive articles won't be enough. The trolls will just post troll comments on next day's article.

  44. John Muller says:

    @Gabe

    My guess would be that validating the signature requires checking with the signer; which might disclose information you don't want disclosed; so before it even checks, it asks permission.

    As a contract software tester for … a large software company I've gone as far as running the install/uninstall for a complex application with a packet sniffer running, and verifying that when the user says don't upload information, nothing is uploaded.

  45. d says:

    @Gabe: You need to sign your apps if you (as a third party developer) want to get access to crash reports generated by your application via WER. Windows will upload everything because even though the crash occurred in your (unsigned) app, it could still be a result of a Windows bug. Once the automated system has determined that the crash was isolated to your app, and it was unsigned, I would imagine it just discards it.

  46. ender says:

    @Roger Hågensen: you need a VeriSign certificate for WinQual (although you do get a significant discount if you get it through the WinQual site).

    BTW, why do I always have to post each comment twice before it appears?

  47. Neil says:

    I often wonder which is the strongest way of killing a process. For instance, pressing Ctrl+C on a console app still allows DLLs to unload (but in a random thread, which is not a great idea for my purposes).

    I've disabled WER for the process that I compile, but the JIT dialog still takes almost as much time to appear as it did with WER enabled, so I wonder what's going on there.

    @Cherry: I think Process Explorer requires the "main" svchost process (-k netsvcs) to be running. (I once made the mistake of attaching to it with WinDbg. Oops.)

    @ender: I used to find that the comment submission process is really slow, and if I'm not watching I think it hasn't actually processed and click Post again by mistake. But this time it didn't seem to submit. Let's see which version of the comment you actually get to see.

  48. Dave says:

    I work with PKI every day (not necessarily by choice) and I do find it rather amusing that this is a technology so strongly associated with failure and suckage that mere mention of it is proscribed in advance…

  49. ender says:

    @Nell: for me the page actually reloads when I click Post the first time, though this time with my text entered in the Comment field. When I then click Post again, the comment actually gets posted.

  50. which is the strongest way of killing a process

    I'm torn between:

    1) windbg -p <PID> -c "q"

    2) take a sledgehammer to the machine

  51. Alex Grigoriev says:

    "It indeed seems to be the case that one ethylene gas generator prematurely ripens the many."

    I think those were methane gas generators posting around here.

  52. zzz says:

    … winqual / whql … (infers certs)

    … digital certificate authorities … (derived from above)

    It works like court (atleast in Law & Order!), if you bring them up, then they're in for the opponents to use as well!

    Have you tried writing about killing processes without mentioning those?

  53. benjamin says:

    No more stories involving Windows Error Reporting and WHQL.

    You people are the worst. Thanks, jerks.

  54. benjamin says:

    No more stories involving Windows Error Reporting and WHQL.

    You people are the worst. Thanks, jerks.

  55. Rescator says:

    @ender

    Actually you only need a code signing certificate.

    You can get this from Verisign, Commodo, whomever, and now StartSSL.

    Now as I said, with StartSSL you pay for the validation, once validated, if you should ever need to generate 100 certificates it doesn't cost a dime as the validation period is still valid.

    StartSSL also provides a timestamp service (just like Verisign etc.) so that the cert for an app will still "work" even past it's expiration. (i.e. it won't show a red or orange warning stripe in Windows etc after the expired date.) and AFAIK StartSSL code signing certs are Authenticode compatible.

    VeriSign and Commodo and others charges per certificate, which is why most find it kinda expensive. (me included)

    So StartSSL simply charging only for the validation of you or your company combined with the free email and domain certs I'm really impressed and hope Verisign and Commodo follow suit on their pricing scheme.

    In any case, if you ever log into a site/forum/whatever and you grit your teeth because the password is sent as plaintext, then think of the free server certs from StartSSL next time you yourself make a login for your own website projects.

    There is a open cert org out there but they still haven't met various criteria, so StartSSL is the only way to get free email and domain certs that Windows and all major browsers support.

    There is no way currently that I know of to get a free code signing cert, but StartSSL is as close as you get, after all if you already have a Class 2 cert you can simply genereate a code signing cert, no extra charge.

  56. 640k says:

    Wouldn't it be better if windows didn't "phoned home" at all? Or at least made it a non-default semi-hidden feature.

  57. ender says:

    @Roger Hågensen: I just checked, and winqual.microsoft.com/SignUp still says "To obtain a Winqual account for your company (a prerequisite for creating user accounts), you must establish your company’s identity through a VeriSign Certificate."

    As for getting a free code signing certificate, Certum offers them to open-source projects.

  58. Danny says:

    @Raymond

    Update: Experimental results obtained. No more stories involving Windows Error Reporting and WHQL

    Cool Ray very cool, then do the same for next topic and next topic and so on until you'll run out of topics and your blog will cease to exist.</sarcasm>

    Doh

  59. frymaster says:

    @640k

    how would it be better?

    end-users would gain absolutely nothing, and developers would lose the ability to get crash dumps of their programs

  60. Aneurin Price says:

    So did the offending post get deleted? I can't see anything that could plausibly be interpreted as a complaint about digital certificate authorities until well after the update, and even then it's a bit of a stretch.

    I've never heard any mention of posts being deleted before though, so I'm kind of confused.

  61. Aneurin Price says:

    Oh wait, I get it.

    I would complain about cert authorities, but I am too lazy.  For the sake of discussion can we just pretend that I complained about them?

    I don't think he intended that to be taken entirely literally.

  62. Falcon says:

    @Aneurin Price:

    Raymond's Ground Rules page states that he promises to make significant edits clear, with the exception of repairing broken links and typos.

    A recent example of this is a comment on the Aero Peek post which, apparently, mentioned undocumented functions for invoking the feature – Raymond left none of the original text behind and added his own comment mentioning the deletion.

    Based on all of the above, I would guess that there were no "offending posts" that got deleted.

    [Deletions do occur, usually when a thread has gotten out of control. I just delete all comments starting from the one that started the trouble. -Raymond]
  63. fish taco says:

    @Joshua Gaines:

    "taskkill /f /im program.exe"  (Although that's more accurately "killall -9 program".  "taskkill /f /pid 1234" would be the exact equivalent.)

  64. Cherry says:

    @Joshua: Thanks, I'll try that next time.

    Some days ago, a friend showed my program and was very proud because it could "terminate so fast".

    Well it used:

    __asm {

       mov eax, 101

       mov edx, esp

       sysenter

    }

    I assume that's a bad way to terminate – directly calling NtTerminateProcess… Does anybody know if this can cause any "dangerous" things, or is it just the "most unclean way" to terminate?

Comments are closed.