Roy Osherove

Revisited: Killing a process, Introducing: TaskKiller

A few days ago I blogged about a trick for killing a process that wouldn't die. Well, the trick I had up my sleeve was good, but there were better ways, described oh so eloquently by Pavel Lebedinsky as comments to that post. Here are the highlights (I was referring to NTSD.exe; read about it in the original post):
 
Introducing TaskKill.exe
"This was a good way to kill processes on Win2K, which doesn't come with a command line tool like kill.exe. The reason it works in some cases when task manager doesn't is because ntsd enables SeDebugPrivilege, allowing you to open processes that you otherwise wouldn't have access to.
On XP and Win2003 however you should just use taskkill.exe. It's more reliable and should even work in some cases when ntsd wouldn't - for example, if the process is deadlocked on the loader lock. Ntsd will not be able to attach to such a process (it will eventually time out and suspend it, but when you type 'q' it will simply quit and resume the process (unless you do .kill first))."
 
Changing a priority for system processes
"One situation where ntsd does come in handy even on XP+ is when you want to change priority of a system process. Let's say a service (for example, msdtc) is taking up 100% CPU. You want to let it finish whatever it's doing but you don't want it to slow down your interactive processes.
So you open up task manager, right-click on the msdtc process and try to change its priority. This fails with access denied because msdtc runs as NETWORK SERVICE and its security descriptor doesn't give you any access.
Fortunately, you can launch task manager under a debugger ("ntsd taskmgr"). Ntsd enables SeDebugPrivilege in its token, and taskmgr inherits this setting so it can now open system processes too. You can even detach the debugger (type 'qd', Enter) and use this instance of task manager to kill system processes or change their priorities."
 
"...Actually, it looks like on XP SP2 task manager automatically enables SeDebugPrivilege when you try to kill a process. This can easily be seen in a debugger (just put a breakpoint on ADVAPI32!AdjustTokenPrivileges).
For some reason taskmgr doesn't do this when you try to change the priority of a process.
So starting taskmgr under a debugger is only necessary if you want to change the priority of a process that you normally don't have access to. It is not needed if you want to kill such a process (at least, not on XP SP2)."
 
Awesome. Thanks Pavel.
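
To see the token state Pavel describes, this added example (not part of the original post or of TaskKiller) reports whether SeDebugPrivilege is held by the current token and what state it is in. The function name `Get-TokenPrivilegeState` is hypothetical; it assumes `whoami.exe` is available and PowerShell 3.0 or later.

```powershell
# Added example: report whether selected privileges are in the current
# token and what state they are in. whoami.exe runs as a child of this
# shell, so it reports the token state it inherited from the shell.
function Get-TokenPrivilegeState {
    param(
        # Privilege names to look up; SeDebugPrivilege is the one discussed above.
        [string[]]$Name = @('SeDebugPrivilege')
    )

    # /nh drops the header row, so parsing does not depend on the UI
    # language of the column titles; we supply our own column names.
    $rows = whoami.exe /priv /fo csv /nh |
        ConvertFrom-Csv -Header 'Privilege', 'Description', 'State'

    foreach ($n in $Name) {
        $row = $rows | Where-Object { $_.Privilege -eq $n }
        [pscustomobject]@{
            Privilege = $n
            # False means the privilege was never granted to this account/token.
            InToken   = [bool]$row
            # The state text comes from whoami and is localized
            # ("Enabled" / "Disabled" on English systems).
            State     = if ($row) { $row.State } else { 'not held' }
        }
    }
}

# Check the privilege discussed in the post for the current shell.
Get-TokenPrivilegeState
```

A privilege that is in the token but not enabled has no effect until a process turns it on with AdjustTokenPrivileges, which is the call Pavel suggests breaking on.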
Anyway - thanks to his great advice and comments I've gone ahead and created a little GUI app that shows you a list of running processes and allows you to "ultra-kill" each one, even if it's a system process or a service, using the ntsd and taskkill.exe commands underneath.
Task Killer:
It allows killing a process and filtering, and it can hide in the tray. I'm using some of the DevExpress controls in there for the grid and stuff so it looks pretty nice. Feel free to download this; it requires .Net 1.1 (1.4 MB).
Yes, I know about psKill and psList. This is just a more friendly way of doing the same basic things.
 
Also - a note regarding John Lam's post on psKill and psList: the two tools that already come with Windows cover most of what you want them for already: TaskKill.exe and TaskList.exe (on Win XP and up). TaskKill.exe already has some pretty wild command line params such as wild card filters, and you can even use equation operators to look for specific processes. Who says you don't always get what you need?