In Windows, check which process has a DLL loaded.

Source: Internet
Author: User

After uninstalling a program, the uninstall turned out to be incomplete: a DLL file was still left in the program's installation directory. When you try to delete the DLL file, the system reports that the file is in use by a process and cannot be deleted.

Previously, I used Unlocker to unlock and delete such files. However, the company's computers do not allow installing software at will, so I had to find another way.

After searching for a long time on the Internet, I finally found the method for viewing the DLL called by a process.

You can run "tasklist /m <DLL file name>" on the command line to find the process. It turns out that tasklist has this function, so the rest of this post covers how to use tasklist. Usage examples follow. For the full list of tasklist parameters and their meanings, run "tasklist /?".

Usage examples

1. View local processes

Enter the tasklist command at the command prompt to display all processes on the local machine (Figure 1). The output has five columns: Image Name (process name), PID, Session Name, Session#, and Mem Usage.

2. View the processes of a remote system

Enter "tasklist /s 218.22.123.26 /u jtdd /p 12345678" (without the quotation marks) at the command prompt to view the processes of the remote system with the IP address 218.22.123.26. "218.22.123.26" after the /s parameter is the IP address of the remote system to be viewed. "jtdd" after /u is the user account that the tasklist command runs as; it must be a valid account on the remote system. "12345678" after /p is the password of the jtdd account.

Note: When you use the tasklist command to view the processes of a remote system, the RPC service on the remote machine must be available. Otherwise, the command does not work.

3. View the services hosted by system processes

The tasklist command can show not only system processes but also the services hosted by each process. For example, to view the services hosted by the local svchost.exe processes, enter "tasklist /svc" at the command prompt (Figure 3). You will be surprised to find that there are four svchost.exe processes, and a total of more than 20 services use this process.

Viewing system services on a remote system is just as simple. Run "tasklist /s 218.22.123.26 /u jtdd /p 12345678 /svc" to view the services hosted by the processes of the remote system whose IP address is 218.22.123.26.

4. View the list of processes that load a DLL module

To see which processes on the local system have the shell32.dll module loaded, enter "tasklist /m shell32.dll" at the command prompt to display the list of these processes.
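The same lookup can be done for every DLL at once by saving the output of "tasklist /m /fo csv" and indexing it by module name. The Python sketch below is an added example, not part of the original post; the sample text and the name leftover.dll are constructed, and the three-column layout (image name, PID, comma-separated modules) is assumed from English-locale output.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tasklist /m /fo csv` output (not captured from a real host).
# Assumed layout: header row, then "Image Name","PID","Modules" with the module
# names comma-separated inside the third quoted field.
SAMPLE = '''"Image Name","PID","Modules"
"System Idle Process","0","N/A"
"explorer.exe","2040","ntdll.dll,KERNEL32.DLL,SHELL32.dll,leftover.dll"
"notepad.exe","1132","ntdll.dll,KERNEL32.DLL,shell32.dll"
"svchost.exe","912","ntdll.dll,KERNEL32.DLL"
'''


def index_modules(csv_text):
    """Return {lowercased module name: [(pid, image name), ...]}."""
    index = defaultdict(list)
    rows = csv.reader(io.StringIO(csv_text))
    next(rows, None)  # skip the header; its text is localized, so do not match on it
    for row in rows:
        if len(row) < 3:
            continue  # blank or malformed line
        image, pid, modules = row[0], row[1], row[2]
        if not pid.isdigit() or modules.strip().upper() == "N/A":
            continue  # module list not readable for this process
        for name in modules.split(","):
            name = name.strip().lower()  # Windows file names are case-insensitive
            if name:
                index[name].append((int(pid), image))
    return dict(index)


def processes_using(csv_text, dll_name):
    """List (pid, image) pairs that have dll_name loaded, sorted by PID."""
    return sorted(index_modules(csv_text).get(dll_name.lower(), []))


if __name__ == "__main__":
    for pid, image in processes_using(SAMPLE, "leftover.dll"):
        print(f"{image} (PID {pid}) has leftover.dll loaded")
```

Processes whose module list shows N/A are skipped, so an empty result does not prove that no process holds the file.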

5. Use a filter to find the specified process

Enter tasklist /fi "username ne NT AUTHORITY\SYSTEM" /fi "status eq running" at the command prompt to list all running processes in the system that are not owned by the SYSTEM account. "/fi" is the filter parameter, and "ne" and "eq" are the relational operators "not equal" and "equal".

Combined use: ending a process

I. tasklist

Speaking of the "tasklist" command, we have to mention its twin brother, the "taskkill" command. As its name suggests, it is used to terminate processes.

There are two ways to terminate the notepad.exe process on the local machine:

1. First, use tasklist to find the PID of the process. Suppose it shows that the PID of notepad.exe is 1132 (here notepad.exe is a virus program that is difficult to delete, generally located in C:/Windows/system32). Then run "taskkill /pid 1132". The "/pid" parameter is followed by the PID value of the process to be terminated.

2. Run the "taskkill /im notepad.exe" command directly. The "/im" parameter is followed by the process image name.

II. ntsd

ntsd is a system-level debugger. Many processes that cannot be killed with the commands above can be ended with ntsd. Basically, ntsd can kill everything except the Windows system's own management processes. It is powerless against some super rootkit-level Trojans, but fortunately there are few such Trojans.

1. Use the PID of the process to end the process.

Command format: ntsd -c q -p PID

Command example: ntsd -c q -p 1332 (zookeeper er.exe process)

2. Use the process name to end the process.

Command format: ntsd -c q -pn ***.exe (***.exe is the process name; the .exe extension cannot be omitted)
