
Understanding Parent and Child Processes in Windows

Windows Processes

Each process in Windows records its parent process, which is the process that created it. However, if the creator (parent) process terminates, that record is not updated in the child. The child process may therefore refer to a process that no longer exists.

Demonstrating the Parent-Child Process Relationship

We will be conducting an experiment to show the child/parent process relationship in Windows. Let's prove that Windows doesn't keep track of more than one parent process ID.

First, let's look at a simple process list before we dive into the example:

  1. Press "WIN + R".
  2. Type "cmd".
  3. Press "Enter".
  4. Type tasklist /svc.

You should get a long list of running processes, as shown in the following image:

Process List in CMD

As you can see, the list above shows the processes running on your system. Windows tracks processes by assigning each one a process ID (PID). We have multiple running processes, but Windows cannot identify any creator beyond the immediate parent, because each process records only the ID of the process that created it. To prove that Windows doesn't keep track of more than just the parent process ID, I will show you an example.

The Experiment

  1. Press "WIN + R".
  2. Type cmd.
  3. Press "Enter".
  4. Type title parent and press "Enter".
  5. Type start cmd and press "Enter".
  6. In the new command prompt window, type title child and press "Enter".
  7. Type mspaint to launch Microsoft Paint and press "Enter".
  8. Close the child command prompt by typing exit and pressing "Enter".

As you can see, we spawned another command prompt from the first one we launched, which we named "parent".

Command Prompt Titled 'parent'

The new command prompt window titled "child" appears:

New Command Prompt Window

We set the title of this command prompt to "child":

Command Prompt Titled 'child'

Then, we launched Microsoft Paint by typing mspaint in the child command prompt:

Microsoft Paint Launched

Now, close the child command prompt by typing exit. After you do that, you will notice that Microsoft Paint remains open even though we have closed the terminal we spawned it from.

Next, launch your Task Manager by pressing "CTRL + Shift + Esc".

Locate the cmd process we have running, which is titled "parent":

Parent Command Prompt in Task Manager

As you can see, the parent process is displayed.

Right-click the Windows Command Processor, then click on "Go to Details".

Go to Details in Task Manager

Right-click the cmd.exe process and select "End process tree". This will terminate all processes in the tree.

As you can see, the "parent" command prompt will disappear, but Microsoft Paint will still be running because it was the grandchild of the process we terminated. Since the intermediate process (the "child" command prompt) had already been closed, there was no longer any link between the parent and the grandchild.
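The experiment above can be modelled on a process snapshot. This is an added example, not code from the original post: the PIDs, start ticks and function names are constructed for illustration. It also goes one step beyond the experiment by flagging a recorded parent PID that has since been reused by a younger process, which is the other way a stale parent reference can mislead.

```python
from collections import defaultdict

# Constructed snapshot taken after "exit" in the "child" prompt.
# ppid is the creator PID recorded at creation; start is an arbitrary tick count.
SNAPSHOT = [
    {"pid": 4000, "ppid": 900,  "name": "explorer.exe", "start": 10},
    {"pid": 5120, "ppid": 4000, "name": "cmd.exe",      "start": 50},  # "parent"
    # the "child" cmd.exe (PID 6244) has exited, so it is not listed
    {"pid": 7316, "ppid": 6244, "name": "mspaint.exe",  "start": 70},
    {"pid": 8800, "ppid": 9100, "name": "notepad.exe",  "start": 80},
    {"pid": 9100, "ppid": 4000, "name": "calc.exe",     "start": 95},  # reused PID
]

def parent_status(proc, by_pid):
    """Classify the recorded parent PID of one process."""
    parent = by_pid.get(proc["ppid"])
    if parent is None:
        return "exited"   # recorded PID matches no running process
    if parent["start"] > proc["start"]:
        return "reused"   # PID now belongs to a process younger than its "child"
    return "live"

def orphans(snapshot):
    """Map PID -> reason for every process whose parent link cannot be trusted."""
    by_pid = {p["pid"]: p for p in snapshot}
    status = {p["pid"]: parent_status(p, by_pid) for p in snapshot}
    return {pid: s for pid, s in status.items() if s != "live"}

def process_tree(snapshot, root_pid):
    """PIDs reachable from root_pid by following only trustworthy parent links."""
    by_pid = {p["pid"]: p for p in snapshot}
    children = defaultdict(list)
    for p in snapshot:
        if parent_status(p, by_pid) == "live":
            children[p["ppid"]].append(p["pid"])
    reached, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in reached:
            reached.add(pid)
            stack.extend(children[pid])
    return sorted(reached)

if __name__ == "__main__":
    print("tree under parent cmd.exe:", process_tree(SNAPSHOT, 5120))
    print("untrusted parent links:", orphans(SNAPSHOT))
```

The tree under the "parent" prompt contains only the prompt itself, so a tree-based termination never reaches mspaint.exe, which is why process-lineage checks should treat a missing or younger parent as unknown ancestry.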

I really hope you enjoyed this basic little article I wrote. This might come in handy for some people out there. I just wanted to share this information about Windows. :)

Hussein A. Muhaisen

