Reprinted:
[Important] Commands for killing a process from the CMD command line
Useful when a process has spawned too many threads and has to be terminated from the command line.
Method 1:
In "Run", enter  ntsd -c q -pn processname  (typing the same line at a command prompt works the same way).
Method 2:
ntsd kills a process with the following parameters:
C:\> ntsd -c q -p pid
As long as you can supply the PID of the process, you can kill it. The -c q switch runs the debugger command q (quit) immediately after attaching, and quitting the debugger terminates the process it is attached to; that is the whole trick.
Method 3:
The tskill command
This command is the counterpart of the tasklist command: tasklist shows which processes are running,
and tskill is used to close a running process.
But I tried it, and it seemed useless! ^O^
How many ways are there to kill a process from the command line?
Three: the tskill command, the taskkill command, and the ntsd command.
The tskill command is the simplest to use. C:\> tskill
tskill processid | processname [/SERVER:servername] [/ID:sessionid | /A] [/V]
processid            Process ID of the process to end.
processname          Name of the process to end.
/SERVER:servername   Server containing the process (default is the current server).
                     When using processname together with /SERVER, you must specify /ID or /A.
/ID:sessionid        End the process running in the specified session.
/A                   End the process running in all sessions.
/V                   Display information about the actions being performed.
The main benefit of the taskkill command is that it has many filters and can end processes in batches.
C:\> taskkill /?
taskkill [/S system [/U username [/P [password]]]]
         { [/FI filter] [/PID processid | /IM imagename] } [/F] [/T]
Description:
    This command line tool can be used to end one or more processes. Processes can be ended by process ID or by image name.
Parameter List:
    /S    system           Specifies the remote system to connect to.
    /U    [domain\]user    Specifies the user context under which the command should execute.
    /P    [password]       Specifies the password for the given user context. Prompts for input if omitted.
    /F                     Specifies that the process(es) be forcefully terminated.
    /FI   filter           Applies a filter to select (or exclude) the set of tasks to end.
    /PID  processid        Specifies the PID of the process to be terminated.
    /IM   imagename        Specifies the image name of the process to be terminated. The wildcard '*' can be used to specify all image names.
    /T                     Tree kill: terminates the specified process and any child processes that were started by it.
    /?                     Displays this help/usage.
Filters:
    Filter Name   Valid Operators           Valid Value(s)
    -----------   ---------------           --------------
    STATUS        eq, ne                    RUNNING | NOT RESPONDING
    IMAGENAME     eq, ne                    Image name
    PID           eq, ne, gt, lt, ge, le    PID value
    SESSION       eq, ne, gt, lt, ge, le    Session number
    CPUTIME       eq, ne, gt, lt, ge, le    CPU time in the format hh:mm:ss (hh - hours, mm - minutes, ss - seconds)
    MEMUSAGE      eq, ne, gt, lt, ge, le    Memory usage in KB
    USERNAME      eq, ne                    User name in [domain\]user format
    MODULES       eq, ne                    DLL name
    SERVICES      eq, ne                    Service name
    WINDOWTITLE   eq, ne                    Window title
NOTE: The wildcard '*' for the /IM switch is accepted only when a filter is applied as well.
NOTE: Termination of remote processes is always done forcefully, regardless of whether the /F option is specified.
Examples:
    taskkill /S system /F /IM notepad.exe /T
    taskkill /PID 1230 /PID 1241 /PID 1253 /T
    taskkill /F /IM notepad.exe /IM mspaint.exe
    taskkill /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
    taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /IM notepad.exe
    taskkill /S system /U domain\username /FI "USERNAME ne NT*" /IM *
    taskkill /S system /U username /P password /FI "IMAGENAME eq note*"
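The batch-kill point above is easy to get wrong in practice, because a loose filter takes down more than intended. The script below is an added example (it is not from the original article): it dry-runs the selection through tasklist, which accepts the same /FI filters as taskkill, asks for confirmation, kills the matching process trees with /F /T, and then re-runs the filters to show what survived. The image name and memory threshold defaults (notepad.exe, 50000 KB) are illustrative placeholders, as are the messages.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not part of the original article: preview and then kill, in one
rem batch, every process whose image name is IMAGE and whose memory usage exceeds
rem MEMKB kilobytes. The defaults (notepad.exe, 50000 KB) are illustrative placeholders.
set "IMAGE=%~1"
set "MEMKB=%~2"
if "%IMAGE%"=="" set "IMAGE=notepad.exe"
if "%MEMKB%"=="" set "MEMKB=50000"

rem tasklist understands the same /FI filters as taskkill, so the exact selection
rem can be dry-run before anything is terminated.
echo === Processes that would be terminated ===
tasklist /FI "imagename eq %IMAGE%" /FI "memusage gt %MEMKB%" /FO TABLE
echo.

set "ANSWER="
set /p "ANSWER=Terminate these process trees? [y/N] "
if /i not "!ANSWER!"=="y" (
    echo Aborted, nothing was killed.
    goto :eof
)

rem /T takes each matching process down together with its children; /F forces
rem termination of processes that ignore the normal close request.
taskkill /F /T /FI "imagename eq %IMAGE%" /FI "memusage gt %MEMKB%"
if errorlevel 1 echo taskkill returned a non-zero exit code; check the messages above.

rem Re-run the same filters: anything still listed survived (access denied,
rem protected process, or it respawned) and needs a closer look.
echo.
echo === Survivors, should be none ===
tasklist /FI "imagename eq %IMAGE%" /FI "memusage gt %MEMKB%" /FO TABLE
endlocal
```

Run it as  killbig.cmd notepad.exe 50000  from an elevated prompt when the targets belong to other users; the survivor list is the useful part, since a process that is still there after /F /T is either running under an account you cannot touch or is being restarted by something else.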
There are some high-privilege processes that tskill and taskkill may not be able to end, so we also have a more powerful tool: the system-level debugger ntsd. Strictly speaking, ntsd is a debugging tool meant for system developers and administrators, but it is quite good at killing processes: apart from the Windows system's own management processes, ntsd can kill just about anything.
Of course, against some rootkit-level Trojans it is still powerless. Fortunately, such Trojans are still rare.
The ntsd debugger requires you to specify a process to attach to at startup. Use tlist or pviewer to obtain the process ID of an existing process, then type ntsd -p pid to debug that process. (ntsd.exe ships with Windows up to XP/Server 2003; later versions of Windows do not include it, but cdb.exe from Debugging Tools for Windows accepts the same switches.) The ntsd command line uses the following syntax:
ntsd [options] imagefile
where imagefile is the name of the image to be debugged, and options is one or more of the following (the switches are case-sensitive):
Option          Description
-2              Open a new window for debugging a character-mode application
-d              Redirect output to the debugging terminal
-g              Ignore the initial breakpoint, so execution continues automatically past the first breakpoint
-G              Ignore the final breakpoint: exit immediately when the child process terminates
-o              Enable debugging of child processes spawned by the debuggee; the default is a single process
-p pid          Attach to the process identified by process ID pid
-pn name        Attach to the process whose image name is name
-c "command"    Execute the given debugger command(s) as soon as the debugger starts (for example -c q)
-v              Produce verbose output
For example, assume that the process ID of inetinfo.exe is 104. Run the following command to attach the ntsd debugger to the inetinfo process (IIS):
ntsd -p 104
You can also use ntsd to start a new process for debugging. For example, ntsd notepad.exe starts a new notepad.exe process and attaches to it.
Once attached to a process, you can use various commands to view the stack, set breakpoints, and dump memory.
Command           Meaning
~                 Display a list of all threads
kb                Display the stack trace of the current thread
~*kb              Display the stack traces of all threads
r                 Display the registers of the current frame
u                 Disassemble code and display the function name and offset
d[type] [range]   Dump memory
bp [#] [address]  Set a breakpoint
bc [<bp>]         Clear one or more breakpoints
bd [<bp>]         Disable one or more breakpoints
be [<bp>]         Enable one or more breakpoints
bl                List breakpoints
In my opinion, a very important parameter is -v. We can use it to find the library files attached to a process. A lot of viruses, Trojans and other malware make themselves into a dynamic library and then register it in the list of libraries loaded by a normal system program in order to hide.
First we need to set up ntsd output redirection, preferably to a text file, which makes analysis and research easier:
C:\> set _NT_DEBUG_LOG_FILE_APPEND=c:\pd1.txt
Note: although the output is redirected, it is still displayed on the screen and ntsd stays in interactive debug mode. We can avoid that with the -c q parameter, which quits the debugger as soon as the initial breakpoint is reached (this also terminates the newly started process):
C:\> ntsd -c q -v notepad.exe
Now the debugging information for notepad.exe, including a ModLoad line for every DLL mapped before the initial breakpoint (ntdll and the program's static imports), is in the pd1.txt file.
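Reading the raw log by eye does not scale, so the following added example (not from the original article) wraps the procedure above: it points _NT_DEBUG_LOG_FILE_APPEND at a fresh log, starts the target under ntsd -c q -v, pulls the ModLoad lines back out with findstr and flags every module that was loaded from somewhere other than %SystemRoot%, which is where an injected DLL registered into a system program usually gives itself away. The target image, log path and the "outside %SystemRoot%" heuristic are illustrative choices; on systems without ntsd.exe, substitute cdb.exe from Debugging Tools for Windows, which takes the same switches.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not part of the original article: start a program under ntsd,
rem log the debugger output to a file, and list every DLL the debugger reported
rem loading, flagging those that do not live under %SystemRoot%. The target image,
rem the log path and the heuristic are illustrative. ntsd.exe ships with Windows up
rem to XP/2003; on later systems cdb.exe from Debugging Tools for Windows takes the
rem same switches.
set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=notepad.exe"
set "LOG=%TEMP%\ntsd_modules.txt"
if exist "%LOG%" del "%LOG%"

rem The _APPEND variant appends to an existing file, hence the delete above.
set "_NT_DEBUG_LOG_FILE_APPEND=%LOG%"

rem -v gives verbose output; -c q runs the quit command at the initial breakpoint,
rem which also terminates the freshly created process. Only DLLs mapped before that
rem breakpoint (ntdll plus the image's static imports) show up as ModLoad lines;
rem a DLL the program loads later at runtime will not be in this list.
ntsd -c q -v "%TARGET%"

echo === Modules loaded by %TARGET% according to %LOG% ===
findstr /b /l /c:"ModLoad:" "%LOG%"
echo.

rem A ModLoad line looks like:  ModLoad: 7c900000 7c9b2000   C:\WINDOWS\system32\ntdll.dll
rem tokens=3* puts the end address in %%A and the remainder of the line, the
rem full path (spaces included), in %%B.
echo === Modules loaded from outside %SystemRoot% ===
set /a SUSPECT=0
for /f "tokens=3*" %%A in ('findstr /b /l /c:"ModLoad:" "%LOG%"') do (
    set "MODPATH=%%B"
    echo !MODPATH!| findstr /i /l /b /c:"%SystemRoot%" >nul
    if errorlevel 1 (
        echo   !MODPATH!
        set /a SUSPECT+=1
    )
)
echo %SUSPECT% module(s) loaded from outside %SystemRoot%; inspect each one by hand.
endlocal
```

A module outside %SystemRoot% is not proof of anything (legitimate programs load their own DLLs from their install directory), but it is the short list to check against the program's expected imports, and the same script run against a known-clean copy of the program gives a baseline to diff against.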