41.2 How Rogue Process Management Works

The Windows operating system tracks all processes that are currently running. You can see this list by viewing the Processes tab in the Windows Task Manager (right-click the taskbar, then click Task Manager > Processes).

Each process has both a process identifier (PID) and a parent process identifier (parent PID). The parent PID identifies the process that launched it. Every three seconds, Application Launcher uses a Windows API to retrieve the process list, including the PIDs and parent PIDs. Using the parent PIDs, Application Launcher determines whether each process is a rogue process: if the parent PID is not Application Launcher's PID, or if the process is not running as the LocalSystem user, then it is a rogue process.

After Application Launcher identifies the rogue processes, it performs the appropriate management actions, either ignoring or terminating the processes, taking into account any processes identified in the exceptions list. If logging is enabled, it also writes the rogue process information to the log file.
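
The following added example (not Application Launcher's own code) runs one polling pass of the rule as worded above over a constructed process snapshot, then applies the configured action, the exceptions list, and logging. It goes one step beyond the text by also comparing creation times, because Windows can reuse a PID and a recorded parent PID may therefore refer to an earlier process. The process names, user names, tick values, the "excepted" outcome, and skipping the launcher's own entry are all assumptions.

```python
from dataclasses import dataclass

LOCAL_SYSTEM = "NT AUTHORITY\\SYSTEM"

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    user: str
    started: int  # creation time (constructed tick values)

def is_rogue(p, launcher):
    # Assumption beyond the page: trust the recorded parent PID only if the
    # child started after the launcher did, because Windows can reuse a PID.
    child_of_launcher = p.ppid == launcher.pid and p.started >= launcher.started
    # Rule as worded on the page: wrong parent OR not running as LocalSystem.
    return (not child_of_launcher) or p.user != LOCAL_SYSTEM

def manage(snapshot, launcher, exceptions, action, log=None):
    """One polling pass (the page says this repeats every three seconds)."""
    skip = {n.lower() for n in exceptions}
    decisions = []
    for p in snapshot:
        # Assumption: the launcher does not classify its own process.
        if p.pid == launcher.pid or not is_rogue(p, launcher):
            continue
        # Assumption: an exception-listed name is reported, no action is taken.
        decision = "excepted" if p.name.lower() in skip else action
        decisions.append((p.pid, p.name, decision))
        if log is not None:
            log.append(f"rogue pid={p.pid} ppid={p.ppid} name={p.name} "
                       f"user={p.user} -> {decision}")
    return decisions

# Constructed sample snapshot; launcher.exe is a placeholder name.
LAUNCHER = Proc(1200, 800, "launcher.exe", LOCAL_SYSTEM, 100)
SNAPSHOT = [
    LAUNCHER,
    Proc(2001, 1200, "app.exe", LOCAL_SYSTEM, 150),      # launched, LocalSystem
    Proc(2002, 1200, "tool.exe", "CORP\\alice", 160),    # launched, other user
    Proc(2003, 900, "notepad.exe", LOCAL_SYSTEM, 170),   # different parent
    Proc(2004, 900, "calc.exe", "CORP\\alice", 180),     # on exceptions list
    Proc(1500, 1200, "old.exe", LOCAL_SYSTEM, 50),       # predates the launcher
]

if __name__ == "__main__":
    log = []
    manage(SNAPSHOT, LAUNCHER, {"calc.exe"}, "terminate", log)
    print("\n".join(log))
```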