technology blog

Wednesday, 12 May 2010

Process ID reuse on Windows

Process IDs are reused on Windows after uptime has been long enough. Probably for compatibility with old applications, Windows tries to use 15 bits process ids for as long as it can and they eventually grow to 31 bits values if you create enough processes simultaneously.

I always though process ids weren't reused until it was unreferenced. I was wrong in how it is referenced. I thought that having a process ID as a parent of another live process was enough but I was wrong, it needs to have a handle alive.

Here's an example screenshot. This kind of behavior can be recreated by having a lot of orphan processes that no process keeps an handle to their parent:

I found this behavior while recreating a process tree tool. Naively checking the process ids is not sufficient. As you can see, Process Explorer already know about that fact and doesn't simply compare the process IDs. It uses another comparison else to discover the real parenthood. PROCESSENTRY32.th32ParentProcessID doesn't give enough data to discriminate. So the only good way is to use GetProcessTimes() and verify the process creation dates.