How does Resource Monitor get information for processes that already terminated?


How does the Resource Monitor program get information for processes that have already terminated?

Try it: Run Task Manager, then go to the Performance tab. From there, click Open Resource Monitor. Now run another program, say, Notepad. Let Notepad run for a while, and then close it. Observe that there is still an entry for notepad.exe in Resource Monitor, labeled Terminated.

What is the function to call to get performance statistics on a program that has terminated?

There is no function to get performance statistics for a program that has terminated. What you're seeing is an optical illusion: Resource Monitor continues to show statistics for processes that have terminated, so that you can see the final results before they go away.

Here's proof that it's an illusion: After exiting Notepad and putting it into the grayed-out Terminated state in Resource Monitor, go back to Task Manager and click Open Resource Monitor again. This will open another instance of Resource Monitor, and in that new instance, you'll see no trace of the terminated Notepad process.

Now you see it. Now you don't.

Comments (6)
  1. Ben Voigt says:

    I would have thought that the new instance of Resource Monitor does not fetch the statistics because it does not have a handle to the process in question (one certainly can have a handle to terminated processes, it’s how you read the exit code).

    And the reason that the new instance of Resource Monitor does not have a handle to the process in question is because it enumerated and opened handles for running processes, which does not include terminated ones.

    Now, you are quite possibly correct that having a handle to a terminated process is insufficient to access the performance statistics, and that the original Resource Manager is displaying cached values from the last successful call. Which would be unfortunate, because it wouldn’t account for usage between the last query and process exit. But your experiment is consistent with your claim, it does not prove your claim because it is also consistent with the kernel-maintains-process-data-until-all-handles-are-closed model.

  2. Ben Hobbs says:

    If you are using ETW, with the kernel process provider, you can watch for process end events. Those events actually include many statistics about the execution of the process including disk I/O, CPU, and more. It can be pretty handy.

  3. Barry Kelly says:

    So, how do you collect statistics on processes that come in and out of existence between polling intervals?

    Linux kernel does it by configuring a file to to write accounting info to determine resource usage by processes, even those that pop in and out of existence very briefly.

    I’m guessing there’s some complex way of wiring up event tracing of some kind to get the same data.

    1. skSdnW says:

      A kernel mode driver can get notifications when a process is started.

      In user mode you can’t really do it to all processes. You can use a job object to have full control over your child processes but that does not work for a Task manager style application. If you are only using documented APIs then you must call OpenProcess to get a handle that can be used to gather data and it is not possible to prevent short lived processes from slipping through the cracks AFAIK.

  4. IanBoyd says:

    It was always intuitive sense to me that Resource Monitor would continue to show a terminated process for 60 seconds.

    The scrolling Disk and Network utilization charts show 60 seconds of history. I would check some misbehaved program so that its resource utilization was highlighted in these charts. After i kill the errant program, its resource use drops to zero, but it’s historical use of resources remains visible as it slowly scrolls out of sight.

    After 60 seconds, even the history of the process is lost from view, there’s no longer any need to continue to show it in the list, and it is pruned.

    Nice work Resource Monitor group. It’s a very powerful built-in tool that gives information not found anywhere else.

  5. torrinj says:

    This just seems logical to me. I wonder why someone would think there is some magic (a function to get statistics on a terminate program) involved?

Comments are closed.

Skip to main content