| viewer9 documentation | Index Home |
ProcessExit PML Operation
Interestingly, this operation has the same fields as ProcessStatistics.
ExitStatus is a 32-bit signed integer.
UserTime and KernelTime are durations. Duration values are stored in PML files as 64-bit integers representing 1/10000000ths of a second (we call them "microtenths"). Durations are displayed in seconds with 7 decimal places, but you query them as integer microtenths.
WorkingSet, PeakWorkingSet, PrivateBytes, and PeakPrivateBytes are numbers of bytes.
Example from 64-bit PML
Hover over field values like Time, ResultCode, and bytes of evdata in this example to see tooltips as they appear in viewer9. The tooltip of the first byte of a color patch tells the field name.
ProcessExit opcode=1,2
ev=54074
| Time: | 2022-05-17 19:41:50.4324762 |
| Duration: | 0.0000000 |
| ResultCode: | SUCCESS |
| Tid: | 9060 |
| ExitStatus: | 0 |
| UserTime: | 0.0156250 |
| KernelTime: | 0.0937500 |
| WorkingSet: | 13410304 |
| PeakWorkingSet: | 15036416 |
| PrivateBytes: | 2236416 |
| PeakPrivateBytes: | 2650112 |
evdata[0-51] file offset 27059198
| 0 | 00 00 00 00 1c 4e 0e 00 | .....N.. |
| 8 | 00 00 00 00 5a 62 02 00 | ....Zb.. |
| 16 | 00 00 00 00 00 a0 cc 00 | ........ |
| 24 | 00 00 00 00 00 70 e5 00 | .....p.. |
| 32 | 00 00 00 00 00 20 22 00 | ..... ". |
| 40 | 00 00 00 00 00 70 28 00 | .....p(. |
| 48 | 00 00 00 00 | .... |
Call Stack stacksize=5
| StackAddress | mod | ModName | ModPath |
|---|---|---|---|
| 0xfffff80438037a8f | 174 | ntoskrnl.exe + 0x637a8f | C:\WINDOWS\system32\ntoskrnl.exe |
| 0xfffff80438062d84 | 174 | ntoskrnl.exe + 0x662d84 | C:\WINDOWS\system32\ntoskrnl.exe |
| 0xfffff80438106a52 | 174 | ntoskrnl.exe + 0x706a52 | C:\WINDOWS\system32\ntoskrnl.exe |
| 0xfffff80438109f8e | 174 | ntoskrnl.exe + 0x709f8e | C:\WINDOWS\system32\ntoskrnl.exe |
| 0xfffff80437e077b5 | 174 | ntoskrnl.exe + 0x4077b5 | C:\WINDOWS\system32\ntoskrnl.exe |
ProcessExit is "Process Exit" with a space in Procmon. And likewise, these corresponding detail field names have spaces in Procmon: Exit Status, User Time, Kernel Time, Private Bytes, Peak Private Bytes, Working Set, Peak Working Set.
See also
Posted 4 Jul 2022 last updated 15 Nov 2022 As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.
Copyright 2022, bryantlite, Inc.