NTSD Command Usage explanation

Source: Internet
Author: User
Tags: stack trace

Open cmd and enter one of the following commands to end a process:

Method one: end the process by its PID
Command format: ntsd -c q -p <pid>
Command example: ntsd -c q -p 1332 (ends the explorer.exe process whose PID is 1332)
Note: in this example the PID of explorer.exe is 1332, but how do you find a process's PID? Run tasklist in cmd to list the PID of every process currently shown in Task Manager (explorer.exe does not always have PID 1332, so check before you kill).

Method two: end the process by its name
Command format: ntsd -c q -pn ***.exe (***.exe is the process name; the .exe suffix cannot be omitted)
Command example: ntsd -c q -pn explorer.exe
Another DOS command that ends a process is taskkill:
Command format: taskkill /pid 1234 /f (achieves the same effect)
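Because tasklist can list several processes with the same image name, a name alone is not enough to pick the right PID. The following added example (not part of the original article) parses the CSV form of tasklist output, returns every PID for an image name, and builds the exact ntsd / taskkill command lines described above. The tasklist lines are constructed sample data, not captured from a real host; on Windows the script reads the live tasklist instead.

```python
import csv
import io
import subprocess
import sys

# Constructed sample of `tasklist /fo csv /nh` output (no header row).
# Two explorer.exe rows show why a name does not identify a single process.
SAMPLE_TASKLIST_CSV = '''"System","4","Services","0","1,234 K"
"explorer.exe","1332","Console","1","45,678 K"
"explorer.exe","2048","Console","1","12,345 K"
"notepad.exe","4100","Console","1","8,910 K"
'''


def pids_for_image(tasklist_csv: str, image_name: str) -> list:
    """Return every PID whose image name matches (case-insensitive), in listed order."""
    pids = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2:
            continue  # blank or malformed line
        if row[0].lower() == image_name.lower():
            pids.append(int(row[1]))
    return pids


def ntsd_kill_by_pid(pid: int) -> list:
    """argv for method one: attach to <pid> and run the 'q' command, which ends it."""
    return ["ntsd", "-c", "q", "-p", str(pid)]


def ntsd_kill_by_name(image_name: str) -> list:
    """argv for method two: -pn needs the full image name including .exe."""
    if not image_name.lower().endswith(".exe"):
        raise ValueError("ntsd -pn requires the full image name, e.g. explorer.exe")
    return ["ntsd", "-c", "q", "-pn", image_name]


def taskkill_by_pid(pid: int) -> list:
    """argv for the taskkill alternative with forced termination."""
    return ["taskkill", "/pid", str(pid), "/f"]


def live_tasklist() -> str:
    """Run tasklist on a Windows host and return its CSV output (no header)."""
    result = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    text = live_tasklist() if sys.platform == "win32" else SAMPLE_TASKLIST_CSV
    # Only print the commands; run them yourself once you have confirmed the PID.
    for pid in pids_for_image(text, "explorer.exe"):
        print(" ".join(ntsd_kill_by_pid(pid)), "   or   ", " ".join(taskkill_by_pid(pid)))
```

The script deliberately prints the commands instead of executing them, so the operator confirms which of the listed PIDs is the intended one before ending it.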

If these are not enough to satisfy your thirst for knowledge, read on:

NTSD Detailed

There are some high-privilege processes that tskill and taskkill may not be able to end. For those we have a more powerful tool: NTSD, which works at the level of the system debugger. Strictly speaking, NTSD is a system debugging tool intended for administrators doing system-level development, but it is still a handy way for us to kill a process. Basically, apart from the Windows system's own management processes, NTSD can kill anything.


Of course, against some rootkit-level super Trojans it is still helpless; fortunately, Trojans of that calibre are still very rare.
The NTSD debugger requires the user to specify a process to attach to at startup. With tlist or pviewer you can get the ID of an existing process, then type ntsd -p <PID> to debug that process. The NTSD command line uses the following syntax:


NTSD [options] ImageFile

where ImageFile is the name of the image to debug and options is one or more of the following:

Option   Description
-2       Opens a new window for the character-mode application being debugged
-d       Redirects the output to the debug terminal
-g       Passes through the first breakpoint automatically
-G       Causes NTSD to exit immediately when the child process terminates
-o       Enables debugging of multiple processes; by default only the process started by the debugger is debugged
-p       Specifies the process ID of the process to debug
-v       Produces verbose output


For example, suppose inetinfo.exe has process ID 104. Type the following command to attach the NTSD debugger to the Inetinfo (IIS) process:
ntsd -p 104
You can also use NTSD to start a new process for debugging. For example, ntsd notepad.exe starts a new notepad.exe and attaches to it.
Once attached to a process, you can use various commands to view the stack, set breakpoints, dump memory, and so on.
Command            Meaning
~                  Lists all threads
kb                 Displays the stack trace of the current thread
~*kb               Displays the stack traces of all threads
r                  Displays the registers of the current frame
u                  Disassembles code and displays the procedure name and offset
d[type][<range>]   Dumps memory
bp[#]              Sets a breakpoint
bc[]               Clears one or more breakpoints
bd[]               Disables one or more breakpoints
be[<bp>]           Enables one or more breakpoints
bl[]               Lists one or more breakpoints


In my opinion, one very important parameter is -v, which lets us discover which library files (DLLs) are loaded into a process.
Many viruses, Trojans and other malicious programs like to package themselves as a dynamic library and register it in the load list of a normal system program, in order to hide themselves.

First we need to redirect NTSD's output, preferably to a text file, so that we can analyse it afterwards:
C:\>set _NT_DEBUG_LOG_FILE_APPEND=c:\pdw.txt
Note that even though the output is redirected, it is still displayed on the screen and NTSD drops into interactive debug mode; using the -c q parameter avoids this problem.
C:\>ntsd -c q -v notepad.exe
Now we can see the debug information for notepad.exe in our pdw.txt file.
NTSD uses the following parameters to kill a process:
C:\>ntsd -c q -p <pid>
As long as you can provide the PID of the process, you can kill it.
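The verbose log produced by the redirection above contains one "ModLoad:" line per library the process loads, which is what makes the -v trick useful for spotting a DLL that has been registered into a normal program's load list. The following added example (not part of the original article) parses such a log, records each module's address range and path, and flags modules loaded from outside a set of trusted directories. The log lines, the trusted-directory list and the name hook_example.dll are constructed sample data, not real observations.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample of an NTSD -v session log (ModLoad lines follow the
# real "ModLoad: <start> <end>   <path>" layout; the addresses and the
# Temp-directory DLL are invented for illustration).
SAMPLE_LOG = """\
CommandLine: notepad.exe
ModLoad: 01000000 01014000   C:\\WINDOWS\\system32\\notepad.exe
ModLoad: 7c900000 7c9b0000   C:\\WINDOWS\\system32\\ntdll.dll
ModLoad: 7c800000 7c8f4000   C:\\WINDOWS\\system32\\kernel32.dll
ModLoad: 77dd0000 77e6b000   C:\\WINDOWS\\system32\\ADVAPI32.dll
ModLoad: 10000000 10012000   C:\\Documents and Settings\\user\\Local Settings\\Temp\\hook_example.dll
"""

MODLOAD_RE = re.compile(r"^ModLoad:\s+([0-9A-Fa-f`]+)\s+([0-9A-Fa-f`]+)\s+(\S.*?)\s*$")

# Directories from which a plain system program is expected to load its DLLs.
# Adjust to the Windows root of the machine being examined (assumption).
DEFAULT_TRUSTED_DIRS = ("C:\\WINDOWS\\system32\\", "C:\\WINDOWS\\")


@dataclass(frozen=True)
class Module:
    start: int
    end: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()


def parse_modloads(log_text: str) -> list:
    """Extract every ModLoad line as a Module; other debugger output is ignored."""
    modules = []
    for line in log_text.splitlines():
        m = MODLOAD_RE.match(line)
        if not m:
            continue
        # 64-bit debuggers print addresses like 00007ff8`1a2b0000; strip the tick.
        start = int(m.group(1).replace("`", ""), 16)
        end = int(m.group(2).replace("`", ""), 16)
        modules.append(Module(start, end, m.group(3)))
    return modules


def unexpected_modules(modules: list, trusted_dirs=DEFAULT_TRUSTED_DIRS) -> list:
    """Modules whose path is not under a trusted directory, or has no directory at all."""
    flagged = []
    for mod in modules:
        if "\\" not in mod.path:
            flagged.append(mod)  # bare name: the debugger could not resolve a path
            continue
        path = mod.path.lower()
        if not any(path.startswith(d.lower()) for d in trusted_dirs):
            flagged.append(mod)
    return flagged


if __name__ == "__main__":
    mods = parse_modloads(SAMPLE_LOG)
    print(f"{len(mods)} modules loaded")
    for mod in unexpected_modules(mods):
        print(f"review: {mod.path} ({mod.size:#x} bytes at {mod.start:#010x})")
```

Run it against the real pdw.txt instead of SAMPLE_LOG to get a review list; a library loaded from a user-writable location such as a Temp directory is worth inspecting, though being outside the trusted list is a prompt for a look, not proof of malice.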

