View Full Version : explorer parent process


Hero
November 17th, 2004, 12:50
Hi all
I have a simple question. What is the parent process of
"explorer.exe"?
I use a simple algorithm (perhaps strange) to find the parent
process filename of the current one.
I use CreateToolhelp32Snapshot, Process32First, Process32Next
to find this. But when I try to find the explorer.exe parent process,
I get a strange result: the parent process of explorer.exe
has a ProcessID but has no process!!!!????
I do the following:
search all process snapshots to find explorer.exe.
from the data that I get I can find the parent processID.
now I search all process snapshots for this processID
But there is no process with this processID!

Is it necessary that the parent chain gets to "[System Process]"?

sincerely yours

TBone
November 17th, 2004, 13:35
I always assumed that it was parented by winlogon.exe, but after playing around with getpids (hxxp://http://www.scheibli.com/v3/projects/getpids), I see that's not the case. Apparently the process that starts explorer.exe as the shell when you log in is killed before you get a chance to see it. Windows has no objection to killing parent processes and leaving the child processes orphaned. Play around with tlist and you'll see what I mean.

All the applications that you're running are listed as children of explorer.exe. Now start up the process manager and kill explorer.exe. Leave the process manager running. Run tlist again, and your applications are all orphaned. Start a new explorer from the process manager. Run getpids from a command line. You'll see that getpids is a child of CMD.EXE, which is a child of Explorer.exe, which is a child of taskmgr.exe, which is a child of the PID for your old explorer app. But now getpids has lost the record of the PID that originally started *that* explorer process, because it can't query a dead app for its parent.

I'd need to dig around a bit more to find any definitive answers about what process actually starts explorer.exe. But for application programming, I think it's safe to say that you should consider explorer.exe as having no direct parent process.

0rp
November 19th, 2004, 11:50
winlogon.exe starts userinit.exe which starts the shell
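
The parent lookup described in the first post and the orphaning described in the reply, as an added example that is not part of the thread: portable C over records modelled on PROCESSENTRY32, classifying each recorded parent as live, exited, or a reused PID. It goes beyond the thread by also checking for PID reuse. The names `proc_t`, `resolve_parent` and `lineage`, the `create_time` field and the snapshot data are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* First three fields mirror PROCESSENTRY32. create_time is an assumption:
   Toolhelp32 does not report it; fetch it separately (e.g. GetProcessTimes). */
typedef struct {
    unsigned long th32ProcessID, th32ParentProcessID;
    const char *szExeFile;
    unsigned long long create_time;
} proc_t;
enum parent_status { PARENT_LIVE, PARENT_EXITED, PARENT_PID_REUSED, PARENT_NONE };
/* Constructed snapshot: PID 1200 (explorer's creator) is gone; PID 1800 was reused. */
static const proc_t SNAPSHOT[] = {
    {0, 0, "[System Process]", 0},      {4, 0, "System", 1},
    {300, 4, "smss.exe", 5},            {500, 300, "winlogon.exe", 10},
    {1500, 1200, "explorer.exe", 30},   {2000, 1500, "cmd.exe", 40},
    {2500, 1800, "taskmgr.exe", 45},    {1800, 1500, "calc.exe", 60},
};
#define SNAP_N (sizeof SNAPSHOT / sizeof SNAPSHOT[0])
static const proc_t *find_pid(const proc_t *s, size_t n, unsigned long pid) {
    for (size_t i = 0; i < n; i++)
        if (s[i].th32ProcessID == pid) return &s[i];
    return NULL;
}
/* Classify the recorded parent of c; *out is non-NULL only for PARENT_LIVE. */
enum parent_status resolve_parent(const proc_t *s, size_t n, const proc_t *c, const proc_t **out) {
    *out = NULL;
    if (c->th32ProcessID == 0) return PARENT_NONE;      /* top of the chain */
    const proc_t *p = find_pid(s, n, c->th32ParentProcessID);
    if (!p) return PARENT_EXITED;                       /* a PID with no process */
    if (p->create_time > c->create_time) return PARENT_PID_REUSED;
    *out = p;
    return PARENT_LIVE;
}
/* Write "child <- parent <- ..." into buf; return the status that ended the walk. */
enum parent_status lineage(const proc_t *s, size_t n, unsigned long pid, char *buf, size_t cap) {
    const proc_t *cur = find_pid(s, n, pid), *next = NULL;
    enum parent_status st = PARENT_EXITED;              /* also covers an unknown pid */
    buf[0] = '\0';
    for (size_t hops = 0; cur && hops <= n; hops++, cur = next) {  /* hop cap stops loops */
        size_t len = strlen(buf);
        snprintf(buf + len, cap - len, "%s%s", len ? " <- " : "", cur->szExeFile);
        st = resolve_parent(s, n, cur, &next);
    }
    return st;
}

int main(void) {
    char buf[128];
    int st = lineage(SNAPSHOT, SNAP_N, 2000, buf, sizeof buf);
    return printf("%s (status %d)\n", buf, st) < 0;
}
```

A monitoring tool that builds process trees from parent PIDs alone would attach taskmgr.exe to calc.exe here; the creation-time comparison is what rejects that link.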