为什么OpenProcess给了我一个非现有pid的非NULL HANDLE？

Question

I reduced the code as much as I could to keep it sscce What this code does:

• Launch windows notepad with CreateProcess
• Pause. So windows got some time to init notepad
• Kill notepad with TerminateProcess on the Handle we got from CreateProcess .
• Wait for the process handle to terminate, because TerminateProcess is async
• Call OpenProcess on the dead pid
• Play with my zombie...

You can easily check (before OpenProcess) in debug that the given Pid is nowhere to be found in either the task manager or processExplorer. But no other windows API functions seems to accept this Pid

#include "stdafx.h"
#include <windows.h>
#include "Psapi.h"
#include <TlHelp32.h>
#include <iostream>
#include <cassert>

typedef unsigned long PID;
typedef const std::string& P_PATH;

// Launch an executable given by a path and set a few infomatives stuffs passed as ref parameters
bool launch_process(P_PATH path, STARTUPINFO& info, PROCESS_INFORMATION& processInfo, HANDLE& hProcess, PID& pid)
{
    setlocale(LC_ALL, "en_US.utf8");
    std::wstring widestr = std::wstring(path.begin(), path.end());
    const wchar_t* widecstr = widestr.c_str();

    LPTSTR szCmdline = _tcsdup(widecstr);

    if (CreateProcess(szCmdline, NULL, NULL, NULL, false, NULL, NULL, NULL, &info, &processInfo))
    {
        hProcess = processInfo.hProcess;
        pid = processInfo.dwProcessId;
        return true;
    }
    return false;
}

int main(int argc, char* argv[])
{
    // Setup
    // -----
    bool OK = false;

    STARTUPINFO info = { sizeof(info) };
    PROCESS_INFORMATION processInfo;
    HANDLE hProcess;
    PID pid = 0;

    // launch notepad
    // --------------
    OK = launch_process("C:\\WINDOWS\\System32\\notepad.exe", info, processInfo, hProcess, pid);
    assert(OK);

    // wait a bit
    // ----------
    system("PAUSE");
    SetLastError(0);

    // get Handle on notepad
    // ---------------------
    hProcess = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, false, static_cast<DWORD>(pid));
    std::cout << "Error: " <<  GetLastError() << std::endl;

    // Kill notepad
    // ------------
    UINT exitCode = 0;
    DWORD dwWaitResult = 0;

    SetLastError(0);
    OK = TerminateProcess(hProcess, exitCode);
    std::cout << "Error: " << GetLastError() << std::endl;

    // ensure everything went well ( we need to wait because TerminateProcess is asynchronous )
    if (!OK || (dwWaitResult != WaitForSingleObject(hProcess, INFINITE)))
        return -1;

    // Cleanup
    CloseHandle(hProcess);
    CloseHandle(processInfo.hProcess);
    CloseHandle(processInfo.hThread);
    hProcess = nullptr;
    processInfo.hProcess = nullptr;

    // Ya know what let's reopen the pid I just killed 
    // ( you can see that notepad was started then killed, you can check the pid does not exist in either the task manager or processExplorer )
    SetLastError(0);
    hProcess = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, false, static_cast<DWORD>(pid));
    std::cout << "Error: " << GetLastError() << std::endl;

    // Yeah I can speak to the deads! 
    if (hProcess != nullptr)
    {
        LPWSTR szProcessName = L"";
        GetModuleFileNameEx(hProcess, NULL, szProcessName, sizeof szProcessName);

        char c_szText[MAX_PATH];
        wcstombs(c_szText, szProcessName, wcslen(szProcessName) + 1);

        // But the deads have no names
        std::cout << "Error: " << GetLastError() << std::endl;
        std::cout << "Zombie Name: " << c_szText << std::endl;
    }
    return 0;
}

Answer 1

1. It's not appearing in the list of processes in Task Manager because it has terminated. Task Manager doesn't show zombies (this behaviour differs from eg Linux ps -Af f which does show zombies).

2. It's still there and accessible to OpenProcess because the process object has not been destroyed, ie it is in the zombie state. This will be because another process has an open handle to it. For example,

   • an antivirus, which may call OpenProcess to get information to assess if the application is malicious, or
   • Process Monitor, which gets all sorts of information, probably some of which it calls OpenProcess to get, or
   • the DWM, which I imagine, but do not know, calls OpenProcess to get information on whether the application supports eg high DPI mode and so forth, or
   • any number of other applications may have called OpenProcess previously and have a still open handle.

Morals:

• Don't expect the process object to be destroyed as soon as you close your handle, because yours is not the only handle.

• Zombie state is a perfectly legitimate state for a process to be in. All processes will be in the zombie state if they have terminated, and someone is waiting to read their exit code with GetExitCodeProcess , or have any other interest in the state of the process. Typically once the exit code has been read, interest in the process wanes, handles are closed, and finally the process will be destroyed.

• The PID can be reused once the process is destroyed. (Conversely, the PID cannot be reused until all handles are closed). In Windows, the kernel prefers low numbered PIDs and will reuse them quite quickly. This behaviour differs from Linux which prefers incrementing PIDs and won't reuse them until the maximum value is reached.

• If you want the handle to the process, don't close it.