I found my appdomain, now what?

From the query I described yesterday, here are the different possible appdomain states and what they represent:

 

Appdomain initialization:

E_APPDOMAIN_CREATING – Creating the appdomain

 

Appdomain in use:

E_APPDOMAIN_SHARED – A Runtime appdomain is ready for use by multiple users

E_APPDOMAIN_SINGLEUSER – A DDL appdomain is ready for use by a single user to perform DDL operations

E_APPDOMAIN_DOOMED – The appdomain is going to be unloaded, but cannot be yet because there are still threads executing in it

 

Appdomain cleanup:

E_APPDOMAIN_UNLOADING – SQL is telling CLR to unload the appdomain, usually because the assembly has been altered or dropped

E_APPDOMAIN_UNLOADED – CLR unloaded the appdomain, usually the result of escalation procedure due to ThreadAbort, OutOfMemory, etc. or an unhandled exception in user code

E_APPDOMAIN_ENQUEUE_DESTROY – Appdomain has been unloaded in CLR and set to be destroyed by SQL

E_APPDOMAIN_DESTROY – Appdomain in the process of being destroyed by SQL

E_APPDOMAIN_ZOMBIE – Appdomain has been destroyed, however all of the references to it have not yet been cleaned up so it is known as a zombie.

 

With this information, you can follow your appdomain lifecycle and watch for suspicious or repetitive appdomain unloading without having to parse the Windows Event Log.

 

- Steven Hemingray