
Monitoring Silent Process Exit


HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\<ProcessName>

HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<ProcessName>\


| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | User; System [1] |
| Persistence type | Registry |
| Code type | EXE |
| Launch type | User initiated |
| Impact | None |
| OS Version | Windows 7 and newer |
| Dependencies | OS only |
| Toolset | Scriptable |


The Monitoring Silent Process Exit mechanism allows executing an application or script (the monitor application) when a process terminates, either as a result of an ExitProcess call or because another process called TerminateProcess on it. To achieve that, a few conditions have to be met:

For example, to have PowerShell run the calculator after Notepad exits, we could set the required values with PowerShell itself like this:

$monitoredApp = "notepad.exe"
$monitor = "powershell -c calc.exe #"

# GlobalFlag 512 (0x200) is FLG_MONITOR_SILENT_PROCESS_EXIT: enables exit monitoring for this image
New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$monitoredApp" | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$monitoredApp" -Name GlobalFlag -Value 512

# ReportingMode 1 (LAUNCH_MONITORPROCESS) starts the command stored in MonitorProcess when the image exits
New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$monitoredApp" | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$monitoredApp" -Name ReportingMode -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$monitoredApp" -Name MonitorProcess -Value $monitor
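
The same three values can be audited from the defender's side. The following read-only PowerShell function is an added example, not code from the original page; the function name Get-SilentProcessExitMonitor and the Armed column are hypothetical names chosen here.

```powershell
# Added example (read-only): list images that have a Silent Process Exit monitor configured.
# Get-SilentProcessExitMonitor and the Armed column are hypothetical names for this sketch.
function Get-SilentProcessExitMonitor {
    [CmdletBinding()]
    param(
        [string]$Base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    )

    $FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # GlobalFlag bit (512 decimal, as set above)
    $LAUNCH_MONITORPROCESS           = 0x1     # ReportingMode bit (1, as set above)

    $speRoot = Join-Path $Base 'SilentProcessExit'
    if (-not (Test-Path -LiteralPath $speRoot)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $speRoot -ErrorAction SilentlyContinue) {
        $image = $key.PSChildName
        $spe   = Get-ItemProperty -LiteralPath $key.PSPath

        # Look up the matching Image File Execution Options key for the same image name.
        $ifeo = Join-Path $Base "Image File Execution Options\$image"
        $globalFlag = $null
        if (Test-Path -LiteralPath $ifeo) {
            $globalFlag = (Get-ItemProperty -LiteralPath $ifeo).GlobalFlag
        }

        $flagSet   = ($null -ne $globalFlag) -and
                     (([int]$globalFlag -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0)
        $launchSet = ($null -ne $spe.ReportingMode) -and
                     (([int]$spe.ReportingMode -band $LAUNCH_MONITORPROCESS) -ne 0)
        $hasMonitor = -not [string]::IsNullOrWhiteSpace($spe.MonitorProcess)

        [pscustomobject]@{
            Image          = $image
            MonitorProcess = $spe.MonitorProcess
            ReportingMode  = $spe.ReportingMode
            GlobalFlag     = $globalFlag
            # Armed: all three values from the example above are in place.
            Armed          = $flagSet -and $launchSet -and $hasMonitor
        }
    }
}

Get-SilentProcessExitMonitor | Sort-Object Armed -Descending | Format-Table -AutoSize -Wrap
```

Entries that carry a MonitorProcess value but are not Armed still deserve review, since a single further registry write completes the configuration.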





  1. Depends on the image being hijacked