The Windows operating system tracks all processes that are currently running. You can see this list by viewing the Processes tab in the Windows Task Manager (right-click the Task Bar > click Task Manager > click Processes).
Each process has both a process identifier (PID) and a parent process identifier (parent PID). The parent PID identifies the process that launched it. Application Launcher uses a Windows API to retrieve the process list, including the PIDs and parent PIDs, every three seconds. Using the parent PIDs, Application Launcher knows whether or not the process is a rogue process. If the parent PID is not Application Launcher's PID, or if the process is not running as the LocalSystem user, then it is a rogue process.
After Application Launcher identifies the rogue processes, it performs the appropriate management actions, either ignoring or terminating the processes, taking into account any processes identified in the exceptions list. If logging is enabled, it also writes the rogue process information to the log file.
On Windows 98/2000/XP, the Windows API that Application Launcher uses to retrieve the Processes list supports parent PIDs. This enables Application Launcher to correctly identify rogue processes on Windows 98/2000/XP workstations.
On Windows NT 4.0, however, the Windows API that Application Launcher uses does not support parent PIDs. Therefore, Application Launcher identifies all non-LocalSystem user processes as rogue processes, including the processes it launched. Depending on the configured management action, Application Launcher will either ignore or terminate the rogue processes.
To overcome this Windows NT 4.0 API limitation, you need to configure Application Launcher to terminate rogue processes and then add the applications launched by Application Launcher to the exceptions list. More information and instructions are provided in Setting Up Rogue Process Management on Windows NT 4.0 Workstations.