I'm familiar with the sysinternals process explorer - while I'm a big fan of sysinternals... TaskInfo2002 kicks all ass.

"Are you sure you couldn't write a program that could save any program in RAM?"

Ah, what a difficult question. I wish I knew more about how programs are executed, but I'll speak from heresay. The technique you describe may involve the program sticking it's entire file into some chunk of memory. And from that memory, it will load various modules as needed. All programs have their virtual address space (literal address space is swapped in and out just like process code for the processor to enable multi-tasking) in memory to run in, and it may not be contiguous - nor ordered in any consistent fashion. So the trick is to hope that the file IS stored in a contiguous fashion in memory (or using some means of keeping track of the order of file chunks) for dumping to file. The location of the file's memory location may be determined in the program's own code. This is why it may not be possible to save just any ole program running in memory. You'd have to know the program code itself. You can probably find and copy the program's address space and stack to file using the process handle, but anything else is program-specific.

Erm, if somebody knew more than I did on the subject, they could probably point out a few things where I'm mistaken, but I hope to at least show you how difficult this undertaking would be.

But anyway, here we speak about programming theory. I'd like to know what TaskInfo2002 has to say about your phantom process.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net