tasklist Introduction
Tasklist is a command on Windows XP/2003/Vista/7/8 that displays all processes running on a local or remote computer and accepts a number of parameters.
Syntax
tasklist [/s <Computer> [/u [<domain>\]<username> [/p <password>]]] [{/m <Module> | /svc | /v}] [/fo {table | list | csv}] [/nh] [/fi <Filter> [/fi <Filter> [...]]]
Parameter meaning
/S <computer> Specifies the name or IP address of the computer to connect to. The default is the local computer.
/U [<domain>\]<username> Specifies the user account under which the command runs.
/P [password] Specifies the password for the specified user.
/M [module] Lists all processes that use the specified DLL module. If no module name is specified, all modules loaded by each process are displayed.
/SVC Displays the services hosted in each process. Valid when the /FO parameter is set to table.
/V Displays detailed information.
/FI filter Displays the set of processes that match the criteria specified by the filter.
/FO format Specifies the output format. Valid values: TABLE, LIST, CSV.
/NH Suppresses the column headings in the output. Valid only for the table and CSV formats.
Filter names, operators and values that a filter can use

Filter name    Available operators       Available values
STATUS         EQ, NE                    RUNNING | NOT RESPONDING | UNKNOWN
IMAGENAME      EQ, NE                    Image name
PID            EQ, NE, GT, LT, GE, LE    PID value
SESSION        EQ, NE, GT, LT, GE, LE    Session number
SESSIONNAME    EQ, NE                    Session name
CPUTIME        EQ, NE, GT, LT, GE, LE    CPU time, formatted as HH:MM:SS
MEMUSAGE       EQ, NE, GT, LT, GE, LE    Memory usage in kilobytes
USERNAME       EQ, NE                    Any valid user name
SERVICES       EQ, NE                    Service name
WINDOWTITLE    EQ, NE                    Window title
MODULES        EQ, NE                    DLL name
Application examples
View local processes
Enter the tasklist command at the command prompt to display all processes on the local machine (Figure 1). The output consists of 5 columns: image name (process name), PID, session name, session #, and memory usage.
C:\users\administrator>tasklist

Image Name                     PID Session Name        Session #    Memory Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0           -K
System                           4 Services                   0       9,516K
smss.exe                       420 Services                   0         836K
csrss.exe                      632 Services                   0       4,632K
wininit.exe                    752 Services                   0       4,388K
csrss.exe                      772 Console                    1     the,908K
services.exe                   816 Services                   0       8,856K
lsass.exe                      836 Services                   0    One, theK
lsm.exe                        844 Services                   0       3,748K
svchost.exe                    948 Services                   0       8,496K
Viewing the processes of a remote system
Enter "tasklist /s 218.22.123.26 /u jtdd /p 12345678" (without quotation marks) at the command prompt to see the processes of a remote system with the IP address 218.22.123.26. The "218.22.123.26" after /s is the IP address of the remote system to be viewed; the "jtdd" after /u is the user account used by the tasklist command, which must be a legitimate account on the remote system; and the "12345678" after /p is the password of the jtdd account.
Note: When you use the tasklist command to view the processes of a remote system, the RPC service must be running on the remote machine; otherwise the command will not work properly.
View the services provided by system processes
The tasklist command lets you view not only system processes but also the services provided by each process. To view the services provided by the local svchost.exe processes, enter the "tasklist /svc" command at the command prompt (Figure 3). You will be surprised to find that there are 4 svchost.exe processes, and that more than 20 services in total use this process.
C:\users\administrator>tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4
smss.exe                       420
csrss.exe                      632
wininit.exe                    752
csrss.exe                      772
services.exe                   816
lsass.exe                      836 Keyiso, ProtectedStorage, Samss, VaultSvc
lsm.exe                        844
svchost.exe                    948 Dcomlaunch, Plugplay, Power
ibmpmsvc.exe                  1020 IBMPMSVC
nvvsvc.exe                     432 Nvsvc
svchost.exe                    472 Rpceptmapper, RpcSs
Viewing the services of a remote system is just as easy: use the "tasklist /s 218.22.123.26 /u jtdd /p 12345678 /svc" command to view the services provided by the processes of the remote system with the IP address 218.22.123.26.
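The service listing above is easier to process when requested as CSV ("tasklist /svc /fo csv"). The following is an added example, not part of the original article: it parses that CSV form, groups services per process, and lists svchost.exe instances that report no services, a common triage heuristic rather than proof of anything. The sample output is constructed, the function names are hypothetical, and English column headings with "N/A" for an empty service list are assumed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tasklist /svc /fo csv` output (not captured from a real host).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"System","4","N/A"
"lsass.exe","836","KeyIso,ProtectedStorage,SamSs,VaultSvc"
"svchost.exe","948","DcomLaunch,PlugPlay,Power"
"svchost.exe","472","RpcEptMapper,RpcSs"
"svchost.exe","1300","N/A"
'''

def parse_tasklist_svc(text):
    """Return a list of (image, pid, [services]) from CSV output with a header row."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        raw = rec["Services"].strip()
        # Assumption: an empty service list is reported as "N/A" (English locale).
        if raw.upper() == "N/A":
            services = []
        else:
            services = [s.strip() for s in raw.split(",") if s.strip()]
        rows.append((rec["Image Name"], int(rec["PID"]), services))
    return rows

def services_by_image(rows):
    """Map lower-cased image name -> {pid: [services]}."""
    out = defaultdict(dict)
    for image, pid, services in rows:
        out[image.lower()][pid] = services
    return dict(out)

def hosts_without_services(rows, image="svchost.exe"):
    """PIDs of the given image that host no services; candidates for a closer look."""
    return sorted(pid for img, pid, svcs in rows
                  if img.lower() == image.lower() and not svcs)

if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE)
    for pid, svcs in sorted(services_by_image(rows)["svchost.exe"].items()):
        print(pid, len(svcs), ", ".join(svcs) or "-")
    print("svchost.exe without services:", hosts_without_services(rows))
```

On a live Windows host, replace SAMPLE with the captured output of "tasklist /svc /fo csv".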
View the list of processes that use a DLL module file
To see which processes on the local system have loaded the shell32.dll module file, simply enter "tasklist /m shell32.dll" at the command prompt to display a list of these processes.
Use filters to find specific processes
Enter tasklist /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "STATUS eq running" at the command prompt to list all running processes that do not belong to the SYSTEM account. Here "/fi" is the filter parameter, and "ne" and "eq" are the relational operators "not equal" and "equal".
Combined application: ending processes
Taskkill
Speaking of the "tasklist" command, we have to mention its twin brother, the "taskkill" command. As the name implies, it is used to shut down processes.
There are two ways to end the Notepad.exe process on the local machine:
1. First use tasklist to find its PID. Assuming the system shows that the PID of the Notepad.exe process is 1132 (Notepad.exe is a virus program that is difficult to delete and is generally found under C:/windows/system32), run the "taskkill /pid 1132" command. The "/pid" parameter is followed by the PID of the process to terminate.
2. Run the "taskkill /im notepad.exe" command directly, where the "/im" parameter is followed by the image name of the process.
NTSD
NTSD is a system-level debugger. Many processes that the commands above cannot end can be ended with NTSD; it can kill basically everything except the processes that Windows itself manages. It is powerless against some rootkit-level super Trojans, but fortunately such Trojans are still very rare.
1. End a process by PID
Command format: ntsd -c q -p pid
Command example: ntsd -c q -p 1332 (ends the Explorer.exe process)
2. End a process by process name
Command format: ntsd -c q -pn ***.exe (***.exe is the process name; the .exe extension cannot be omitted)
Source: Baidu Encyclopedia