Procstat input incorrectly identifies PID of Windows service process when it stopped

[M0rdecay]

Relevant telegraf.conf:

[[inputs.procstat]]
  win_service = "some_service_name"
  pid_finder = "native"
#  namepass = [ "procstat_lookup" ]

System info:

Windows Server 2016 Telegraf version - 1.18.0

Expected behavior:

When Windows service is stopped, field running in procstat_lookup measurement will be 0

Actual behavior:

Native PID finder misidentifies process:

2021-07-06T11:08:04Z I! Starting Telegraf 1.18.0
procstat,host=HOST.LOCAL,process_name=[System\ Process],win_service=some_service_name num_threads=2i,pid=0i,ppid=0i 1625569685000000000
procstat_lookup,host=HOST.LOCAL,pid_finder=native,result=success,win_service=some_service_name pid_count=1i,result_code=0i,running=1i 1625569685000000000

Also, sc query "some_service_name" returns correct state - STOPPED

Additional info:

The Telegraf service was created in the standard way - telegraf.exe ...... -service install

[sspaink]

next steps: investigate how procstat determines running state for Windows

[srebhan]

@M0rdecay does that issue still exist?

[telegraf-tiger[bot]]

Hello! I am closing this issue due to inactivity. I hope you were able to resolve your problem, if not please try posting this question in our Community Slack or Community Forums or provide additional details in this issue and reqeust that it be re-opened. Thank you!