Ntsd command in Windows

Source: Internet
Author: User

Q: How can I kill a process that cannot be closed from Task Manager?
Some time ago I found an unfamiliar process on my machine. Every time I started the machine it was running, and I couldn't close it with Task Manager.

Answer: 1. Killing the process is the easy part; any tool will do, for example IceSword.
The key is to find how the process is started, otherwise it will simply start again next time.

By the way, in fact most processes can be killed with a tool that Windows itself provides:
C:\> ntsd -c q -p PID

Only System, smss.exe and csrss.exe cannot be killed.
The first two are pure kernel mode, and the last one is the Win32 subsystem, which ntsd itself needs.

Ntsd is a user-mode debugging tool that the system has shipped with since Windows 2000. The attached process exits together with the debugger, so it can be used to terminate a process from the command line. Ntsd automatically obtains the debug privilege, so it can kill most processes.

Ntsd opens a new debugging window, which cannot be controlled from a pure command line, but a simple command such as quit (q) can be passed in from the command line with the -c parameter.

Ntsd is provided for software developers; normally only system developers use this command. For more information, see the help text that ntsd prints:


usage: ntsd [-?] [-2] [-d] [-g] [-G] [-myob] [-lines] [-n] [-o] [-s] [-v] [-w]
            [-r BreakErrorLevel] [-t PrintErrorLevel]
            [-hd] [-pd] [-pe] [-pt #] [-pv] [-x | -x{e|d|n|i}]
            [-- | -p pid | -pn name | command-line | -z CrashDmpFile]
            [-zp CrashPageFile] [-premote transport] [-robp]
            [-a<DllName>] [-c "command"] [-i ImagePath] [-y SymbolsPath]
            [-clines #] [-srcpath SourcePath] [-QR \\machine] [-wake]
            [-remote transport:server=name,portid] [-server transport:portid]
            [-ses] [-sfce] [-sicv] [-snul] [-noio] [-failinc] [-noshell]

where:
  -? displays this help text
  command-line is the command to run under the debugger
  -- is the same as -g -o -p -1 -d -pd
  -a<DllName> sets the default extension DLL
  -c executes the following debugger command
  -clines number of lines of output history retrieved by a remote client
  -failinc causes incomplete symbol and module loads to fail
  -d sends all debugger output to kernel debugger via DbgPrint
     -d cannot be used with debugger remoting
     -d can only be used when the kernel debugger is enabled
  -g ignores initial breakpoint in debuggee
  -G ignores final breakpoint at process termination
  -hd specifies that the debug heap should not be used
     for created processes. This only works on Windows Whistler.
  -o debugs all processes launched by debuggee
  -p pid specifies the decimal process ID to attach
  -pd specifies that the debugger should automatically detach
  -pe specifies that any attach should be to an existing debug port
  -pn name specifies the name of the process to attach
  -pt # specifies the interrupt timeout
  -pv specifies that any attach should be noninvasive
  -r specifies the (0-3) error level to break on (SeeSetErrorLevel)
  -robp allows breakpoints to be set in read-only memory
  -t specifies the (0-3) error level to display (SeeSetErrorLevel)
  -w specifies to debug 16 bit applications in a separate VDM
  -x sets second-chance break on AV exceptions
  -x{e|d|n|i} sets the break status for the specified event
  -2 creates a separate console window for debuggee
  -i ImagePath specifies the location of the executables that generated
     the fault (see _NT_EXECUTABLE_IMAGE_PATH)
  -lines requests that line number information be used if present
  -myob ignores version mismatches in dbghelp.dll
  -n enables verbose output from symbol handler
  -noio disables all I/O for dedicated remoting servers
  -noshell disables the .shell (!!) command
  -QR <\\machine> queries for remote servers
  -s disables lazy symbol loading
  -ses enables strict symbol loading
  -sfce fails critical errors encountered during file searching
  -sicv ignores the CV record when symbol loading
  -snul disables automatic symbol loading for unqualified names
  -srcpath specifies the source search path
  -v enables verbose output from debugger
  -wake wakes up a sleeping debugger and exits
  -y specifies the symbol search path (see _NT_SYMBOL_PATH)
  -z specifies the name of a crash dump file to debug
  -zp specifies the name of a page.dmp file
     to use with a crash dump
  -remote lets you connect to a debugger session started with -server
     must be the first argument if present
     transport: tcp | npipe | ssl | spipe | 1394 | com
     name: machine name on which the debug server was created
     portid: id of the port the debugger server was created on
       for tcp use: port=
       for npipe use: pipe=
       for 1394 use: channel=
       for com use: port=,baud=,
                    channel=
       for ssl and spipe see the documentation
     example: ... -remote npipe:server=yourmachine,pipe=foobar
  -server creates a debugger session other people can connect to
     must be the first argument if present
     transport: tcp | npipe | ssl | spipe | 1394 | com
     portid: id of the port remote users can connect to
       for tcp use: port=
       for npipe use: pipe=
       for 1394 use: channel=
       for com use: port=,baud=,
                    channel=
       for ssl and spipe see the documentation
     example: ... -server npipe:pipe=foobar
  -premote transport specifies the process server to connect to
     transport arguments are given as with remoting

Environment Variables:

    _NT_SYMBOL_PATH=[Drive:][Path]
        Specify symbol image path.

    _NT_ALT_SYMBOL_PATH=[Drive:][Path]
        Specify an alternate symbol image path.

    _NT_DEBUGGER_EXTENSION_PATH=[Drive:][Path]
        Specify a path which should be searched first for extensions DLLs

    _NT_EXECUTABLE_IMAGE_PATH=[Drive:][Path]
        Specify executable image path.

    _NT_SOURCE_PATH=[Drive:][Path]
        Specify source file path.

    _NT_DEBUG_LOG_FILE_OPEN=filename
        If specified, all output will be written to this file from offset 0.

    _NT_DEBUG_LOG_FILE_APPEND=filename
        If specified, all output will be appended to this file.

    _NT_DEBUG_HISTORY_SIZE=size
        Specifies the size of a server's output history in kilobytes

Control Keys:

     Quit debugger
     Break into target
     Force a break into debuggee (same as Ctrl-C)
     Debug current debugger
     Toggle verbose mode
     Print version information
ntsd: exiting - press enter ---

Usage: open a cmd.exe window and enter:
ntsd -c q -p PID

Change the last PID to the ID of the process to be terminated.

If you do not know the process ID, open Task Manager > Processes tab > View > Select Columns,
check "PID (Process Identifier)", and the PID column appears.

2. XP also has two other useful tools: tasklist and tskill.
Tasklist lists all processes and related information.
Tskill finds and kills a process.
The syntax is simple:
tskill programname
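Added example, not part of the post or of any of the tools it mentions: a PowerShell script (used here instead of the post's cmd.exe because the PID lookup and the re-check are easier to script) that resolves a process name to its PIDs with tasklist, terminates each one with ntsd -c q -p PID, and then checks whether the process came back, which is the post's point that the start method has to be found. It assumes ntsd.exe is on PATH (Windows 2000/XP, or the Debugging Tools for Windows on later versions), that the shell is elevated, and uses example.exe as a placeholder name.

```powershell
# Added example (not from the original post). Terminate a process by image name using
# ntsd -c q -p PID, then verify whether it respawned. example.exe is a placeholder.
param([string]$ImageName = "example.exe")

function Get-PidsByName([string]$Name) {
    # tasklist /FI filters on image name, /NH drops the header, /FO CSV keeps parsing robust.
    tasklist /FI "IMAGENAME eq $Name" /FO CSV /NH |
        Where-Object { $_ -match '^"' } |          # skip the "INFO: No tasks ..." line
        ConvertFrom-Csv -Header ImageName, PID, Session, SessionNum, Mem |
        ForEach-Object { [int]$_.PID }
}

if (-not (Get-Command ntsd.exe -ErrorAction SilentlyContinue)) {
    Write-Error "ntsd.exe not found; install Debugging Tools for Windows or use tskill/taskkill."
    exit 1
}

$pids = @(Get-PidsByName $ImageName)
if ($pids.Count -eq 0) { Write-Host "No process named $ImageName is running."; exit 0 }

foreach ($p in $pids) {
    Write-Host "Attaching ntsd to PID $p and quitting (the debuggee exits with the debugger)"
    # -c q runs the debugger command "q" (quit) immediately after attaching; -p attaches by PID
    & ntsd.exe -c q -p $p
}

Start-Sleep -Seconds 3
$again = @(Get-PidsByName $ImageName)
if ($again.Count -gt 0) {
    Write-Warning "$ImageName is running again (PIDs: $($again -join ', ')); find how it is started."
    # First place to look for the start method: the per-machine and per-user Run keys.
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        Get-ItemProperty $key -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSObject.Properties } |
            Where-Object { $_.Value -like "*$ImageName*" } |
            ForEach-Object { Write-Host "  $key : $($_.Name) = $($_.Value)" }
    }
} else {
    Write-Host "$ImageName terminated and did not respawn within 3 seconds."
}
```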
