Getting the exit code of a completed process

You can find this as the second argument to ZwTerminateProcess . NtTerminateProcess is just a kernel version, right?

0:000> kb
ChildEBP RetAddr  Args to Child              
003ff414 7774d5ac ffffffff 1234abcd 00000000 ntdll!ZwTerminateProcess+0x12
003ff430 759c79ec 00000000 77e8f3b0 ffffffff ntdll!RtlExitUserProcess+0x85
...

      

        
        
        
      

    

Or the fourth parameter is RtlExitUserProcess

0:000> kn
 # ChildEBP RetAddr  
00 003ff414 7774d5ac ntdll!ZwTerminateProcess+0x12
01 003ff430 759c79ec ntdll!RtlExitUserProcess+0x85
...

0:000> .frame 01
01 003ff430 759c79ec ntdll!RtlExitUserProcess+0x85

0:000> dd esp L4
003ff414  7771fcc2 7774d5ac ffffffff 1234abcd