When A Process Does Not Exit Normally
Posted by William Diaz on November 28, 2011
i.e., it crashes.
When processes exit, they should exit with a status code that indicates whether or not it exited gracefully or abnormally. This comes in helpful when you need to examine large Process Monitor logs and want to isolate the time of the crash. Simply filter for Process Exit:
Processes that exit normally have an Exit Status equal to 0. All others usually display a status as –1#########. Often times, you can use the status code to look up the error. There are several ways to do this, just convert the exit status code to hex and then look it up. There are also several utilities available that can do this. A favorite of mine is the Windows Error Lookup Tool. In the above example –1073741819:
This sounds somewhat vague but is actually a memory access violation, or c0000005. You usually see these as application error windows like this:
Or in user dumps as: ERROR_CODE: (NTSTATUS) 0xc0000005 – The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
In another example:
Exit Status –1073740771 equals:
Windows Explored 
Unraveling and Resolving An Outlook Crash with Process Monitor « Windows Explored said
[…] Outlook was crashing: (You might notice that when applications fail to exit gracefully that the Exit Status will be a number other than 0, which would otherwise indicate a normal […]