Issue:
What methods does WinAttach use to terminate a process?

Solution:
There are various methods WinAttach has to terminate a process and it will use progressively forceful methods in turn until it is successful. If the process has a GUI then WinAttach will post a WM_CLOSE message to it. This is the standard way to tell a Windows application to close. Likewise, a CTRL-C is sent to console applications. If these methods don't succeed, the user is notified and asked to confirm the forced termination of the application. If confirmed, WinAttach then kills the application using the TerminateProcess() API call.

The TerminateProcess function is used to cause a process to exit unconditionally. Use it only in extreme circumstances. The state of global data maintained by dynamic-link libraries (DLLs) may be compromised if TerminateProcess is used rather than ExitProcess. TerminateProcess causes all threads within a process to terminate, and causes a process to exit, but DLLs attached to the process are not notified that the process is terminating. Terminating a process does not cause child processes to be terminated. Terminating a process does not necessarily remove the process object from the system. A process object is deleted when the last handle to the process is closed. Terminating a process causes the following:

• All of the object handles opened by the process are closed.
• All of the threads in the process terminate their execution.
• The state of the process object becomes signaled, satisfying any threads that had been waiting for the process to terminate.
• The states of all threads of the process become signaled, satisfying any threads that had been waiting for the threads to terminate.
• The termination status of the process changes from STILL_ACTIVE to the exit value of the process.