How to KILL a task in win XP.

elkinm

Platinum Member
Jun 9, 2001
2,146
0
71
This is related to programs like mal-ware or some legit programs (not services) that just refuse to close and always reopen on their own.

At home I have some 3rd-party process viewers that can kill a process and not close it like task manager does, which then leads to the end task prompt if the app is not responding.

Is there any way to kill, at least from the task manager or maybe from the command prompt?

This is with systems at work or elsewhere so I cannot install any software.

Thank You
elkinm
 

Phoenix86

Lifer
May 21, 2003
14,644
10
81
tasklist.exe/taskkill.exe will do it, but that's not your problem.

See, when a process closes, it's closed. Nothing shy of the user or another program will re-open it, and that's exactly what spyware does. They layer their processes so they monitor each other.

Pie in the sky example. Spyware has 2 processes and a service, all are running. You ID a bad process and kill it (heck you delete the file too), but the other process or service running will replace the file, restart it, and re-add it to your startup. Tricky eh?

The answer is to perform your work in safe mode; this will prevent most spyware from running in the first place so you can properly TS the bitch. Good luck.
 

elkinm

Thanks,

Is there any way to kill a set of tasks at once? Maybe with a 3rd-party program for my own use.

Also, I have seen mal-ware that runs and prevents changing it even in safe mode. I had no programs with me and she had no internet so I could do nothing about it and have not yet had a chance to go back. Any way to stop them? Some even run directly from the registry, not startup sections, so I cannot even find them.

But at work the programs are some AOL monitor related, any way to kill them?

Thanks again
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0

Both drivers (device) and services (a la services in control panel) are defined under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Each item listed under that key will have a "Start" value of 0-4.
0=boot (start during first splash screen)
1=system
2=automatic (begin starting just after winlogon screen)
3=manual
4=disabled

These values are used to determine when a service starts for both normal mode and safe mode. However, to determine if a service key is even looked at at all during safe mode you have to look at the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

Any services listed under "minimal" will start in safe mode.
Any services listed under "networking" will start in safe mode with networking.

If you are having trouble with something starting up that shouldn't even when in safe mode, start by looking here. Keep in mind this only determines if it gets looked at in safe mode. A value of 4 (disabled) under the services key is what really kills it.

Also, this only applies to basic services and drivers. Apps can still be launched as traditional processes and there are also filter drivers that will be launched alongside the main drivers. Filter drivers are found under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class
And
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum

Look for upperfilter and lowerfilter in the above two locations.

Note: if a system is compromised it is entirely possible to put processes on it that simply can never be detected. Ever. Run your spyware cleaners and all that whatnot for your home system, but if you get a production server compromised, be prepared to rebuild it without hesitation.
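An added example (not part of the thread and not anyone's posted code) of cross-referencing the two keys described in the post above: it reads the text of a `.reg` export and lists services that are not disabled and are also registered under SafeBoot. The service names in the sample are constructed; on XP the subkey for safe mode with networking is named `Network`.

```python
import re

START_NAMES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
SERVICES, SAFEBOOT = ROOT + "\\Services\\", ROOT + "\\Control\\SafeBoot\\"

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleUpdater]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleOld]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleUpdater]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleOld]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"
"""

def parse_reg(text):
    """Return ({service: Start value}, {safeboot mode: {entry names}})."""
    starts, safeboot, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key, current = line[1:-1], None
            if key.upper().startswith(SERVICES.upper()):
                rest = key[len(SERVICES):]
                # Only the service key itself counts, not subkeys like \Parameters.
                current = rest if "\\" not in rest else None
            elif key.upper().startswith(SAFEBOOT.upper()):
                parts = key[len(SAFEBOOT):].split("\\")
                if len(parts) == 2:  # <mode>\<entry name>
                    safeboot.setdefault(parts[0].lower(), set()).add(parts[1].lower())
        elif current and (m := re.fullmatch(r'"Start"=dword:([0-9a-f]{8})', line, re.I)):
            starts[current] = int(m.group(1), 16)
    return starts, safeboot

def safe_mode_report(text):
    """Services with Start != 4 that SafeBoot will also look at, with the modes."""
    starts, safeboot = parse_reg(text)
    rows = []
    for name, start in sorted(starts.items()):
        modes = sorted(m for m, names in safeboot.items() if name.lower() in names)
        if modes and start != 4:
            rows.append((name, START_NAMES.get(start, "unknown"), modes))
    return rows
```

Registry exports in the Version 5.00 format are UTF-16, so open the file with `encoding="utf-16"` before passing its text to `safe_mode_report`. SafeBoot entries can also be driver group names or device class GUIDs, which this example ignores because they never match a service name.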

 

elkinm

Thanks Smilin, definitely put a smile on my face. Didn't know about those advanced settings; wonder if I can run some regular services or programs I like at boot or system level? Will definitely look into it and try it.

Phoenix, thanks, I looked at taskkill.exe help and I tried:

taskkill.exe /f /pid 001 /pid 002 /pid 003 /t to kill by process ID, and:

taskkill.exe /f /im taskname1 /im taskname2 /im taskname3 848 /t

It works for normal tasks. Will see if this can kill all the rotten tasks at once.
/F (forcefully kill) and /T (kill tree) should also help and are what I was looking for. Will research the other functions as well.
Is there an actual program that can forcefully kill several process trees simultaneously?

Thanks
 

elkinm

And one more thing, how can I view an entire process tree?

Thanks again.
 

Smilin

Originally posted by: elkinm
And one more thing, how can I view an entire process tree?

Thanks again.

There is "process explorer" or something of the like over at sysinternals.com

The gui based tool is great for what you're looking at.
 

Smilin

Originally posted by: elkinm
Thanks Smilin, definitely put a smile on my face. Didn't know about those advanced settings; wonder if I can run some regular services or programs I like at boot or system level? Will definitely look into it and try it.

Be sure you know how to back up and restore your registry via recovery console before you dink with that stuff. You'll get yourself in a no-boot situation in a heartbeat.

For instance .. setting an automatic (start 2) to a boot (start 0) that doesn't belong will likely net you a Stop 0x0000007B at boot time. There's more to it than that, but I've given you enough to get in trouble. Go investigate what the "group" and "tag" values do if you want :p