Not every process is linked into the active process list that commands such as !process 0 0 traverse: a process may have unlinked itself, or it may still be in its initialization stage. However, a process structure is allocated from nonpaged pool, and that pool can be searched for the "Proc" pool tag (unless a process changes the tag in memory). For example:
0: kd> !poolfind Proc
Searching NonPaged pool (83c3c000 : 8bc00000) for Tag: Proc

*87b15000 size:  298 previous size:    0  (Free)      Pro.
*87b18370 size:  298 previous size:   98  (Allocated) Proc (Protected)
[...]
*8a35e900 size:  298 previous size:   30  (Allocated) Proc (Protected)
*8a484000 size:  298 previous size:    0  (Allocated) Proc (Protected)
*8a4a2d68 size:  298 previous size:   28  (Allocated) Proc (Protected)
[...]
One such structure is missing from the active process linked list (note that it has a parent PID):
0: kd> !process 8a484000+20
PROCESS 8a484020  SessionId: 0  Cid: 05a0    Peb: 00000000  ParentCid: 0244
    DirBase: bffc2200  ObjectTable: e17e6a78  HandleCount:   0.
    Image: AppChild.exe
    VadRoot 8a574f80 Vads 4 Clone 0 Private 3. Modified 0. Locked 0.
    DeviceMap e1002898
    Token                             e1a36030
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        419 Days 13:24:16.625
    QuotaPoolUsage[PagedPool]         7580
    QuotaPoolUsage[NonPagedPool]      160
    Working Set Sizes (now,min,max)  (12, 50, 345) (48KB, 200KB, 1380KB)
    PeakWorkingSetSize                12
    VirtualSize                       1 Mb
    PeakVirtualSize                   1 Mb
    PageFaultCount                    5
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      156

        No active threads
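The two steps above, scanning nonpaged pool for "Proc" blocks and then checking each candidate against the list that !process 0 0 walks, are a cross-view check that can be scripted over a memory image. The following is an added example and not part of the original post: it serializes a few constructed x86 pool blocks (the 8-byte _POOL_HEADER layout of 32-bit Windows, with sizes in 8-byte granules and the protected-pool bit in the tag dword), walks them header to header the way !poolfind does, and reports every allocated "Proc" block whose EPROCESS (pool block start + 0x20, the offset used on the page) is absent from the set of EPROCESS addresses collected from the active process list. The region contents, the base address and the active set are constructed sample data.

```python
import struct

POOL_HEADER_SIZE = 8          # x86 _POOL_HEADER is two dwords
GRANULE = 8                   # pool sizes are stored in 8-byte units on x86
PROTECTED_POOL = 0x80000000   # high bit of the tag dword: shown as "(Protected)" by !poolfind
EPROCESS_OFFSET = 0x20        # pool header + object header: the "+20" used on the page

def make_block(tag, size, prev_size, allocated=True, protected=False):
    """Serialize one pool block: an x86 _POOL_HEADER followed by a zeroed body (constructed data)."""
    assert size % GRANULE == 0 and prev_size % GRANULE == 0
    pool_type = 1 if allocated else 0          # NonPagedPool == 1; a pool type of 0 marks a free block
    word = (prev_size // GRANULE) | ((size // GRANULE) << 16) | (pool_type << 25)
    tag_dword = int.from_bytes(tag.encode("ascii"), "little")
    if protected:
        tag_dword |= PROTECTED_POOL
    return struct.pack("<II", word, tag_dword) + b"\x00" * (size - POOL_HEADER_SIZE)

def walk_pool(region, base):
    """Walk pool blocks by following BlockSize, as !poolfind does.
    Yields (block address, tag, size in bytes, allocated?, protected?)."""
    off = 0
    while off + POOL_HEADER_SIZE <= len(region):
        word, tag_dword = struct.unpack_from("<II", region, off)
        size = ((word >> 16) & 0x1FF) * GRANULE
        if size == 0:
            break                                  # corrupt header or end of data: stop the walk
        allocated = ((word >> 25) & 0x7F) != 0
        protected = bool(tag_dword & PROTECTED_POOL)
        tag = (tag_dword & ~PROTECTED_POOL).to_bytes(4, "little").decode("ascii", "replace")
        yield base + off, tag, size, allocated, protected
        off += size

def find_unlinked_processes(region, base, active_eprocess):
    """Cross-view check: every allocated 'Proc' block should have its EPROCESS in the
    set collected by walking the active process list; return the ones that do not."""
    hidden = []
    for addr, tag, size, allocated, _protected in walk_pool(region, base):
        if tag != "Proc" or not allocated:
            continue                               # free blocks keep stale tags ("Pro." above)
        eprocess = addr + EPROCESS_OFFSET
        if eprocess not in active_eprocess:
            hidden.append(eprocess)
    return hidden

def build_sample_region():
    """Constructed pool region: two allocated Proc blocks, a Thre block and a free block."""
    return b"".join([
        make_block("Proc", 0x298, 0x000, protected=True),   # at base:         EPROCESS base+0x20
        make_block("Thre", 0x200, 0x298),                   # at base+0x298:   a thread object, ignored
        make_block("Proc", 0x298, 0x200, protected=True),   # at base+0x498:   EPROCESS base+0x4b8
        make_block("Pro.", 0x298, 0x298, allocated=False),  # at base+0x730:   freed, skipped
    ])

SAMPLE_BASE = 0x8a484000
# Constructed stand-in for the EPROCESS addresses a walk of PsActiveProcessHead would return:
# only the second process is linked, the first one is not.
SAMPLE_ACTIVE = {SAMPLE_BASE + 0x498 + EPROCESS_OFFSET}

if __name__ == "__main__":
    region = build_sample_region()
    for addr, tag, size, allocated, protected in walk_pool(region, SAMPLE_BASE):
        state = "Allocated" if allocated else "Free"
        print(f"*{addr:08x} size: {size:3x} ({state}) {tag}{' (Protected)' if protected else ''}")
    for ep in find_unlinked_processes(region, SAMPLE_BASE, SAMPLE_ACTIVE):
        print(f"PROCESS {ep:08x} has a Proc pool block but is not in the active process list")
```

The scan only trusts the pool header, so it keeps working when a process has unlinked its ActiveProcessLinks entry; as the text notes, it does not help if the allocation's tag itself has been rewritten in memory, which is why a real investigation also compares against other views (handle tables, thread lists, the parent's attached-process field shown below).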
We may think that this process is a zombie (note that, unlike terminated processes, it has non-zero data such as a VAD root and an object table, but a zero PEB and elapsed time), but inspection of its parent process thread stacks reveals that it was in the process of creation (note the attached process field):
THREAD 8a35dad8  Cid 0244.0248  Teb: 7ffdd000 Win32Thread: bc3aa688 WAIT: (Unknown) KernelMode Non-Alertable
    ba971608  NotificationEvent
Impersonation token:  e2285030 (Level Impersonation)
DeviceMap                 e1a31a58
Owning Process            8a35e920       Image:         AppParent.exe
Attached Process          8a484020       Image:         AppChild.exe
Wait Start TickCount      2099           Ticks: 1 (0:00:00:00.015)
Context Switch Count      279                 LargeStack
UserTime                  00:00:00.046
KernelTime                00:00:00.046
Win32 Start Address AppParent!mainCRTStartup (0x0100d303)
Start Address kernel32!BaseProcessStartThunk (0x77e617f8)
Stack Init ba972000 Current ba971364 Base ba972000 Limit ba96e000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr
ba97137c 80833f2d nt!KiSwapContext+0x26
ba9713a8 80829c72 nt!KiSwapThread+0x2e5
ba9713f0 bad3c9db nt!KeWaitForSingleObject+0x346
[...]
ba971b94 8094cfc3 nt!MmCreatePeb+0x2cc
ba971ce4 8094d42d nt!PspCreateProcess+0x5a9
ba971d38 8088b4ac nt!NtCreateProcessEx+0x77
ba971d38 7c82845c nt!KiFastCallEntry+0xfc (TrapFrame @ ba971d64)
0006f498 7c826d09 ntdll!KiFastSystemCallRet
0006f49c 77e6cf95 ntdll!ZwCreateProcessEx+0xc
0006fcc0 7d1ec670 kernel32!CreateProcessInternalW+0x15e5
0006fd0c 01008bcf ADVAPI32!CreateProcessAsUserW+0x108
[...]