How to kill "un-kill-able" processes

FyreLance

Member
Apr 28, 2004

Cliff Notes Version: I want to know how to kill processes that you can't normally kill, namely "vsmon.exe" and "iclient.exe" (part of ZoneAlarm).




The challenge: Our company's remote access suite for VPNing in to our corporate network consists of four programs: iPass, Contivity VPN Client, Nortel Networks Tunnelguard, and ZoneLabs Integrity Client. These programs are required for remote access, but not everyday use. When installed (standard on our current image), all four items load at startup, eating up valuable system resources. The boot times are increased dramatically. So I am attempting to write a script which I will include on our image which will Stop and Start the programs when run, to negate the need for auto startup.

The problem: Two of the tasks, namely "vsmon.exe" and "iclient.exe" (which start when ZoneLabs Integrity Client is opened) refuse to be terminated. The only way I can get rid of them is by physically right clicking on the system tray and telling the program to close, which doesn't work too well for scripting I don't think. But I have been unsuccessful in my attempts to automate closing them.

I cannot even close these tasks in the Task Manager. It returns a dialog box: "The operation could not be completed. Access is denied." Whether the related Service ("TrueVector Internet Monitor") is started or not seems to make little difference.


I have made the following command line attempts:

tskill vsmon
- End Process failed for vsmon:Access is denied.

pskill vsmon <==== a program by SysInternals
- Unable to kill process vsmon:
- Access is denied.

taskkill -IM vsmon.exe
- ERROR: The process "vsmon.exe" with PID 2424 could not be terminated.
- Reason: This process can only be terminated forcefully (with /F option).

taskkill -IM vsmon.exe /F
- ERROR: The process "vsmon.exe" with PID 2424 could not be terminated.
- Reason: Access is denied.

NET STOP vsmon
- The requested pause or stop is not valid for this service.
- More help is available by typing NET HELPMSG 2191.



Does anyone have any ideas?
 

FyreLance

Member
Apr 28, 2004
No, I have not tried that one yet. I guess in my head I kinda figured that if none of the other methods worked, that one wouldn't either. :) I'll give it a shot though.
 

FyreLance

Member
Apr 28, 2004
Originally posted by: spyordie007
could be, you could also try another app such as taskman+, I'm not sure if it's scriptable or not.
http://www.diamondcs.com.au/index.php?page=taskman

Have you tried contacting the vendor to see why the service is not stopping properly?

No, I haven't. I assume it's got to do with keeping viruses/malware/spyware from closing the firewall software and sending goodies to an alternate location or something, but I'd think there's gotta be a way...

I will look into the link you posted, thanks!
 

spyordie007

Diamond Member
May 28, 2001
Originally posted by: FyreLance
I assume it's got to do with keeping viruses/malware/spyware from closing the firewall software and sending goodies to an alternate location or something, but I'd think there's gotta be a way...
I'd consider any app that doesn't yield control when I want it malware ;)
 

FyreLance

Member
Apr 28, 2004
Originally posted by: spyordie007
Originally posted by: FyreLance
I assume it's got to do with keeping viruses/malware/spyware from closing the firewall software and sending goodies to an alternate location or something, but I'd think there's gotta be a way...
I'd consider any app that doesn't yield control when I want it malware ;)

lol, you got it....
 

Nothinman

Elite Member
Sep 14, 2001
Originally posted by: FyreLance
I cannot even close these tasks in the Task Manager. It returns a dialog box: "The operation could not be completed. Access is denied." Whether the related Service ("TrueVector Internet Monitor") is started or not seems to make little difference.

They're most likely running under the SYSTEM account. If you can change the account that they run under you can have them run under a less privileged account so that you can kill them.

Also I've used the scheduler to kill processes running under system. Just use the at command to schedule an interactive instance of taskmgr and it should start under the SYSTEM account as well, just be careful what you call with it, killing the wrong process can cause the system to BSOD.
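
Added example (not part of any post in this thread, and not vendor code): a read-only PowerShell check of the two things the post above points at, namely which account owns vsmon.exe and iclient.exe and whether the vsmon service accepts a stop request at all. The service and image names are taken from the original post; the function names are made up for this example, and it assumes PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added diagnostic sketch (not from the thread). Read-only: it changes nothing.
$serviceName  = 'vsmon'                      # service name used with NET STOP in the post
$processNames = 'vsmon.exe', 'iclient.exe'   # image names from the post

function Get-ServiceStopInfo {               # hypothetical helper name
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }          # no service registered under that name
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartMode   = $svc.StartMode         # Auto / Manual / Disabled
        RunsAs      = $svc.StartName         # e.g. LocalSystem
        AcceptStop  = $svc.AcceptStop        # False: the service does not accept stop requests
        ProcessId   = $svc.ProcessId
    }
}

function Get-ProcessOwnerInfo {              # hypothetical helper name
    param([string[]]$ImageName)
    foreach ($image in $ImageName) {
        $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name='$image'"
        if (-not $procs) {
            [pscustomobject]@{ Image = $image; ProcessId = $null; ParentProcessId = $null; Owner = '(not running)' }
            continue
        }
        foreach ($p in $procs) {
            # GetOwner can itself be refused; report that instead of guessing.
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
            $owner = if ($o -and $o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '(owner not readable)' }
            [pscustomobject]@{ Image = $image; ProcessId = $p.ProcessId; ParentProcessId = $p.ParentProcessId; Owner = $owner }
        }
    }
}

# Who is asking, and is the session elevated?
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($me.Name) (elevated: $elevated)"

Get-ServiceStopInfo -Name $serviceName | Format-List
Get-ProcessOwnerInfo -ImageName $processNames | Format-Table -AutoSize
```

An AcceptStop value of False is consistent with the "requested pause or stop is not valid for this service" reply to NET STOP in the original post, and an owner of NT AUTHORITY\SYSTEM is consistent with "Access is denied" from a non-SYSTEM session.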
 

spyordie007

Diamond Member
May 28, 2001
Originally posted by: Nothinman
They're most likely running under the SYSTEM account. If you can change the account that they run under you can have them run under a less privileged account so that you can kill them.

If it's an AV app this will probably break it...

Originally posted by: Nothinman
Also I've used the scheduler to kill processes running under system. Just use the at command to schedule an interactive instance of taskmgr and it should start under the SYSTEM account as well, just be careful what you call with it, killing the wrong process can cause the system to BSOD.

:thumbsup:

That would definitely do it. I suppose you could even do the same for taskkill (so it could be scriptable).

I still think you should go after the vendor. If their app isn't playing nice it needs to be fixed or go away ;)
 

WT

Diamond Member
Sep 21, 2000
Bart PE ... boot to the Live CD and remove whatever files or folders you want to. If you know the name of the file or process, it's just a matter of finding it.
 

Jeff7

Lifer
Jan 4, 2001
I'll have to try kill.exe
My TV Tuner's lousy software keeps crashing on my C2D system now. I get this fun run-around with taskkill.exe:

Z:\>taskkill /im wintv2k.exe
ERROR: The process "WinTV2K.EXE" with PID 3960 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).

Z:\>taskkill /f /im wintv2k.exe
ERROR: The process "WinTV2K.EXE" with PID 3960 could not be terminated.
Reason: There is no running instance of the task to terminate.

Z:\>taskkill /im wintv2k.exe
ERROR: The process "WinTV2K.EXE" with PID 3960 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).

Z:\>

First line: Ok, it can only be terminated forcibly, right? I try that. Taskkill then says it doesn't exist, but in the third line, it confirms that the process is still running. It shows up in Task Manager, which is also unable to terminate it.
 

Nothinman

Elite Member
Sep 14, 2001
Originally posted by: WT
Bart PE ... boot to the Live CD and remove whatever files or folders you want to. If you know the name of the file or process, it's just a matter of finding it.

It's usually a good idea to read the original post before handing out ideas that make no sense.

Originally posted by: Jeff7
First line: Ok, it can only be terminated forcibly, right? I try that. Taskkill then says it doesn't exist, but in the third line, it confirms that the process is still running. It shows up in Task Manager, which is also unable to terminate it.

You'll never be able to terminate a process that has a higher privilege level than you no matter how much "force" you use; if you could, that would be a huge security hole.
 

FyreLance

Member
Apr 28, 2004
Originally posted by: SoulAssassin
set the service to manual and then just start it when you need it

Originally posted by: WT
Bart PE ... boot to the Live CD and remove whatever files or folders you want to. If you know the name of the file or process, it's just a matter of finding it.

I can't believe how much some of you people are NOT reading my original post.

Originally posted by: Nothinman
Also I've used the scheduler to kill processes running under system. Just use the at command to schedule an interactive instance of taskmgr and it should start under the SYSTEM account as well, just be careful what you call with it, killing the wrong process can cause the system to BSOD.

Thanks, I'll give it a shot!
 

FyreLance

Member
Apr 28, 2004
By the way, is there some sort of "now" variable for the AT command? For example,

at (NOW) /interactive taskmgr.exe
 

skace

Lifer
Jan 23, 2001
Prove that AT does it before worrying about the timing for the AT command.

Also, grab "Process Explorer" and check and make sure vsmon.exe is the parent process. Or if there is something else you should be killing to control the application.
 

spyordie007

Diamond Member
May 28, 2001
Originally posted by: FyreLance
By the way, is there some sort of "now" variable for the AT command? For example,

at (NOW) /interactive taskmgr.exe

I imagine this would work:

at %time% /interactive "command"
 

FyreLance

Member
Apr 28, 2004
at command does not work... no change.


I am currently trying a "SendKeys" solution in my script. I have it make sure the program is open and in focus, and then I'm trying to send an ALT + Spacebar command, at which point I could send an ALT + S command which will "Shutdown Zone Labs Integrity Flex". Unfortunately, it doesn't work. Even though the same method DOES work for notepad. It's like the program knows how to ignore SendKeys commands from a script... The menu never pops up.


The code I'm using:

Set wshell = CreateObject("WScript.Shell")

' "Re-open" Integrity Client so that its window will appear.
' This will start Integrity Client if it was not already running.
wshell.Exec "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"

WScript.Sleep 1500 ' Gives it some time to load

' Ensures that Integrity Client is the active window
Do Until Success = True
    Success = wshell.AppActivate("Zone Labs Integrity Flex")
    WScript.Sleep 1000
Loop

' Send ALT + Spacebar to the active window
wshell.SendKeys "%{ }"
'wshell.SendKeys "%s"
'wshell.SendKeys "%s"
'wshell.SendKeys "{ENTER}"

Set wshell = Nothing



However, if I change the script to work with Notepad, it works just fine...
 

FyreLance

Member
Apr 28, 2004
Also, I know the SendKeys commands are getting "sent", because if I open a notepad behind the window and click it to bring it into focus before the alt+space happens, it sends the keys to notepad and the menu comes up.
 

zazzn

Junior Member
Dec 11, 2007
1
0
66
I believe you can use PSexec (I know this is old). psexec allows you to run processes under system context...
 

Red Squirrel

No Lifer
May 24, 2003
Yep pskill should work.

If you want to have fun pskill the winlogon process. Really weird things happen, eventually resulting in a crash. We used to psexec/pskill processes on each other's computers as a prank at a place I worked at. pskill winlogon in the startup folder is quite comical. Or replacing the pskill command with a batch file that does a pskill2 (rename actual command) winlogon... Oh the fun we used to have screwing around with each other's computers. :D

At my current job that would not be funny, we have way too much crap to open after a fresh boot.
 

Elixer

Lifer
May 7, 2002
Originally posted by: zazzn
I believe you can use PSexec (I know this is old). psexec allows you to run processes under system context...

Um...Joined: Dec 11, 2007, and this thread is from 2007, and this is your first post?

Did you just wake up again? ;)
 

shortylickens

No Lifer
Jul 15, 2003
Back in 2007 I think I was using KillBox.

I don't know if Killbox works in Windows 10 and I have not yet tried.