How does Task Manager categorize processes as App, Background Process, or Windows Process?


When you go to the Processes tab in Task Manager, you see the processes grouped into three categories: App, Background Process, and Windows Process. How does it decide which process goes into which category?

These are terms that Task Manager simply made up. The system itself doesn't really care what kind of processes they are.

If the process has a visible window, then Task Manager calls it an "App".

If the process is marked as critical, then Task Manager calls it a "Windows Process".

Otherwise, Task Manager calls it a "Background Process".

That's all. Nothing fancy. And completely arbitrary.
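The three rules above can be approximated from PowerShell. This is an added example, not Task Manager's code and not part of the original post. The names `Demo.Native` and `Get-ProcessCategory` are made up for illustration, and .NET's `MainWindowHandle` stands in for "has a visible window", which is an assumption.

```powershell
# Added example: approximates the classification described in the article.
# Demo.Native and Get-ProcessCategory are hypothetical names.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsProcessCritical(IntPtr hProcess, out bool critical);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# Access right that IsProcessCritical requires on the process handle.
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Get-ProcessCategory {
    param([System.Diagnostics.Process]$Process)

    # Rule 1: a visible window makes it an "App".
    # Assumption: a non-zero MainWindowHandle approximates "has a visible window".
    if ($Process.MainWindowHandle -ne [IntPtr]::Zero) { return 'App' }

    # Rule 2: marked critical makes it a "Windows Process".
    $h = [Demo.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$Process.Id)
    if ($h -eq [IntPtr]::Zero) { return 'Unknown (cannot open process)' }
    try {
        $critical = $false
        if (-not [Demo.Native]::IsProcessCritical($h, [ref]$critical)) {
            return 'Unknown (query failed)'
        }
        if ($critical) { return 'Windows Process' }
    } finally {
        [void][Demo.Native]::CloseHandle($h)
    }

    # Rule 3: everything else is a "Background Process".
    return 'Background Process'
}

Get-Process | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Category = Get-ProcessCategory $_ }
} | Sort-Object Category, Name | Format-Table -AutoSize
```

Run without elevation, some system processes cannot be opened and show up as Unknown. An unfamiliar name under "Windows Process" only means the critical flag is set on it, which is worth a second look when reviewing a host.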

Comments (18)
  1. SimonRev says:

    Wow, and that link to IsProcessCritical is a perfect example of what happens in MSDN too often. The documentation explains in great detail how to use the function, what security permissions are needed, how to handle errors — but includes no discussion or link that explains what a critical process is. How do I know if I should be calling that function? How do I interpret the results?

    1. DWalker07 says:

      Yes, it’s unfortunate that much of the documentation goes into great detail in the mechanics of the trees, and doesn’t explain the forest (or the context). I also claim that every time a SET parameter is described, the same doc should tell you how to QUERY for that same setting. And, when you would want to use that setting, and what the ramifications are, and all of that.

    2. David-T says:

      It appears to indicate that the ProcessBreakOnTermination flag is set on the process — in other words, the kernel will break (into the debugger?) or BSOD in the event the process is terminated.

    3. Antonio Rodríguez says:

      It doesn’t talk about it because it’s completely obvious. A critical process is one that is critical for the system – for some value of “critical”. Oh, wait, now we need an MSDN article on what “critical” means…

      A bit more information can be found at https://msdn.microsoft.com/en-us/library/windows/desktop/aa373646%28v=vs.85%29.aspx . It would be nice if the article on IsProcessCritical linked to it, and that the linked article were a bit more extensive.

      No wonder people are turning to blogs like The Old New Thing looking for light on the most obscure corners of Windows. The Old New Thing may not be official documentation, but at least it is documentation, and has a fair amount of detail.

      1. Paul Topping says:

        +1 This page has a good definition for “critical” in this context. However, assuming that “cannot be stopped and restarted by the Restart Manager without a system restart” is, in fact, the only condition this flag is meant to indicate, IsProcessCritical should be called IsProcessRestartable. In short, either the definition is incomplete or the function is poorly named. Which further begs the question, how many processes are marked “critical” for some other reason?

      2. DWalker07 says:

        @Antonio R: Yes, that’s definitely a “bit” more information. As you said, the linked article could be a bit more extensive.

    4. Brian says:

      My understanding, which may be inaccurate:
      1) A process is critical if it was set to critical by the kernel (or by malware as a means of making a process harder to kill).
      2) If a critical process crashes or is terminated, the operating system will crash.

      So, the main usage I would imagine for IsProcessCritical is for a task manager type utility, as a means of determining which processes are critical (e.g., recommend that the user not kill them and mark them as system processes).

      1. Falcon says:

        Probably to address the shortcomings of the previous strategy, which was for Task Manager to simply have a hard coded list of names, such as csrss.exe and winlogon.exe.

        1. cheong00 says:

          I guess that the “shortcoming” of the strategy is that when you have a virus/Trojan that has marked itself as critical, task manager would not be able to kill it that way. So Microsoft decided to implement it the current way.

          1. Falcon says:

            Yes, that’s exactly the kind of trick I was talking about.

    5. Dave says:

      It’s actually quite easy: A critical process is one that handles Facebook, Youtube, and email. A super-critical process does Snapchat and Instagram.

      1. Tanveer Badar says:

        How can I like your comment?

      2. Peter Doubleday says:

        If only there were such a category as a “Snarky Process,” which would deal with useless gibberish that just gets in your way …

  2. Jan Ringoš says:

    Is it really IsProcessCritical? For me, even conhost.exes are categorized as Windows Processes and one can kill them all they want.

    1. conhost.exe inherits from its parent — if it’s csrss.exe, then it’s going to be marked as critical, even though it doesn’t need to be.

  3. Gee Law says:

    The characterisation of “Windows processes” is inaccurate… Actually even sihost.exe is a Windows process. It also does not matter whether the process is from the system folder — COM Surrogate is NOT a Windows process.

    1. McBucket says:

      ?? Where does it say anything about system folders?

      From the article: “If the process is marked as critical, then Task Manager calls it a “Windows Process”.”

      1. GL says:

        Shouldn’t have used “also”. Didn’t mean it was in the article, just another random observation by me.

Comments are closed.
