Rob van der Woude's Scripting Pages

Managing Processes

in Windows NT 4 / 2000 / XP

In multitasking operating systems you sometimes need to find out what processes are running, or you may even need to end one of the processes.

Until Windows XP there were no native commands to manage processes from the command line. Windows XP has its TASKLIST and TASKKILL utilities.
There are some very good alternatives available for Windows NT 4 and 2000. Some of those will be discussed briefly on this page.

KILL.EXE

KILL.EXE is part of the Windows NT 4 Resource Kit

Microsoft (R) Windows NT (TM) Version 3.5 KILL
Copyright (C) 1994-1998 Microsoft Corp. All rights reserved

usage: KILL [options] <<pid> | <pattern>>*

           [options]:
               -f     Force process kill

           <pid>
              This is the process id for the task
               to be killed.  Use TLIST to get a
               valid pid

           <pattern>
              The pattern can be a complete task
              name or a regular expression pattern
              to use as a match.  Kill matches the
              supplied pattern against the task names
              and the window titles.

PSKILL.EXE

PSKILL.EXE is part of SysInternals's PSTools suite

PsKill v1.03 - local and remote process killer
Copyright (C) 2000 Mark Russinovich
http://www.sysinternals.com

PsKill terminates processes on a local or remote NT system.

Usage: pskill.exe [\\RemoteComputer [-u Username]] <process Id or name>
     -u    Specifies optional user name for login to
           remote computer.

PSLIST.EXE

PSLIST.EXE is part of SysInternals's PSTools suite

PsList v1.2 - Process Information Lister
Copyright (C) 1999-2002 Mark Russinovich
Sysinternals - www.sysinternals.com

Usage: pslist.exe [-d][-m][-x][-t][-s [n] [-r n] [\\computer [-u username][-p password][name|pid]
   -d          Show thread detail.
   -m          Show memory detail.
   -x          Show processes, memory information and threads.
   -t          Show process tree.
   -s [n]      Run in task-manager mode, for optional seconds specified.
               Press Escape to abort.
   -r n        Task-manager mode refresh rate in seconds (default is 1).
   \\computer  Specifies remote computer.
   -u          Optional user name for remote login.
   -p          Optional password for remote login. If you don't present
               on the command line pslist will prompt you for it if necessary.
   name        Show information about specified process.
   pid         Show information about specified process.

All memory values are displayed in KB.
Abbreviation key:
   Pri         Priority
   Thd         Number of Threads
   Hnd         Number of Handles
   Mem         Working Set
   VM          Virtual Memory
   WS          Working Set
   WS Pk       Working Set Peak
   Priv        Private Memory
   Faults      Page Faults
   NonP        Non-Paged Pool
   Page        Paged Pool
   PageFile    Pagefile usage
   Cswtch      Context Switches

PULIST.EXE

PULIST.EXE is part of the Windows NT 4 Resource Kit

PULIST for Windows NT v1.00 Aug 30 1996 21:47:08
(c) Copyright 1996 Scott Field (sfield@microsoft.com) and Microsoft Corp.
 This utility displays all the processes running on a system.
 If no server name is specified, this utility will attempt to display
 the username associated with each process running on the local system.

Usage: pulist.exe [\\Server] [\\Server...]

TASKKILL.EXE

TASKKILL.EXE is a native Windows XP command

TASKKILL [/S system [/U username [/P [password]]]]
         { [/FI filter] [/PID processid | /IM imagename] } [/F] [/T]

Description:
	This command line tool can be used to end one or more processes.
	Processes can be killed by the process id or image name.

Parameter List:
	/S    system           Specifies the remote system to connect to.

	/U    [domain\]user    Specifies the user context under which
                           the command should execute.

	/P    [password]       Specifies the password for the given
                           user context. Prompts for input if omitted.

	/F                     Specifies to forcefully terminate
                           process(es).

	/FI   filter           Displays a set of tasks that match a
                           given criteria specified by the filter.

	/PID  process id       Specifies the PID of the process that
                           has to be terminated.

	/IM   image name       Specifies the image name of the process
                           that has to be terminated. Wildcard '*'
                           can be used to specify all image names.

	/T                     Tree kill: terminates the specified process
                           and any child processes which were started by it.

	/?                     Displays this help/usage.

Filters:
	Filter Name   Valid Operators           Valid Value(s)
	-----------   ---------------           --------------
	STATUS        eq, ne                    RUNNING | NOT RESPONDING
	IMAGENAME     eq, ne                    Image name
	PID           eq, ne, gt, lt, ge, le    PID value
	SESSION       eq, ne, gt, lt, ge, le    Session number.
	CPUTIME       eq, ne, gt, lt, ge, le    CPU time in the format
                                            of hh:mm:ss.
                                            hh - hours,
                                            mm - minutes, ss - seconds
	MEMUSAGE      eq, ne, gt, lt, ge, le    Memory usage in KB
	USERNAME      eq, ne                    User name in [domain\]user
                                            format
	MODULES       eq, ne                    DLL name
	SERVICES      eq, ne                    Service name
	WINDOWTITLE   eq, ne                    Window title

NOTE: Wildcard '*' for the /IM switch is accepted only with filters.

NOTE: Termination of remote processes will always be done forcefully
      irrespective of whether /F option is specified or not.

Examples:
	TASKKILL /S system /F /IM notepad.exe /T
	TASKKILL /PID 1230 /PID 1241 /PID 1253 /T
	TASKKILL /F /IM notepad.exe /IM mspaint.exe
	TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
	TASKKILL /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /IM notepad.exe
	TASKKILL /S system /U domain\username /FI "USERNAME ne NT*" /IM *
	TASKKILL /S system /U username /P password /FI "IMAGENAME eq note*"

TASKLIST.EXE

TASKLIST.EXE is a native Windows XP command

TASKLIST [/S system [/U username [/P [password]]]]
         [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]

Description:
	This command line tool displays a list of application(s) and 
	associated task(s)/process(es) currently running on either a local or 
	remote system.

Parameter List:
   /S     system           Specifies the remote system to connect to.

   /U     [domain\]user    Specifies the user context under which
                           the command should execute.

   /P     [password]       Specifies the password for the given
                           user context. Prompts for input if omitted.

   /M     [module]         Lists all tasks that have DLL modules loaded
                           in them that match the given pattern name.
                           If the module name is not specified,
                           displays all modules loaded by each task.

   /SVC                    Displays services in each process.

   /V                      Specifies that the verbose information
                           is to be displayed.

   /FI    filter           Displays a set of tasks that match a
                           given criteria specified by the filter.

   /FO    format           Specifies the output format.
                           Valid values: "TABLE", "LIST", "CSV".

   /NH                     Specifies that the "Column Header" should
                           not be displayed in the output.
                           Valid only for "TABLE" and "CSV" formats.

   /?                      Displays this help/usage.

Filters:
	Filter Name     Valid Operators           Valid Value(s)
	-----------     ---------------           --------------
	STATUS          eq, ne                    RUNNING | NOT RESPONDING
	IMAGENAME       eq, ne                    Image name
	PID             eq, ne, gt, lt, ge, le    PID value
	SESSION         eq, ne, gt, lt, ge, le    Session number
	SESSIONNAME     eq, ne                    Session name
	CPUTIME         eq, ne, gt, lt, ge, le    CPU time in the format
                                              of hh:mm:ss.
                                              hh - hours,
                                              mm - minutes, ss - seconds
	MEMUSAGE        eq, ne, gt, lt, ge, le    Memory usage in KB
	USERNAME        eq, ne                    User name in [domain\]user
                                              format
	SERVICES        eq, ne                    Service name
	WINDOWTITLE     eq, ne                    Window title
	MODULES         eq, ne                    DLL name

Examples:
	TASKLIST
	TASKLIST /M
	TASKLIST /V
	TASKLIST /SVC
	TASKLIST /M wbem*
	TASKLIST /S system /FO LIST
	TASKLIST /S system /U domain\username /FO CSV /NH
	TASKLIST /S system /U username /P password /FO TABLE /NH
	TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"

TLIST.EXE

TLIST.EXE is part of the Windows NT 4 Resource Kit

Microsoft (R) Windows NT (TM) Version 3.51 TLIST
Copyright (C) 1994 Microsoft Corp. All rights reserved

usage: TLIST <<-t> | <pid> | <pattern>>
           [options]:
               -t     Print Task Tree

           <pid>
              List module information for this task.

           <pattern>
              The pattern can be a complete task
              name or a regular expression pattern
              to use as a match.  Tlist matches the
              supplied pattern against the task names
              and the window titles.

Other third party tools

Examples

Determine a batch file's own Process ID

MYOWNPID.BAT uses TLIST from the NT 4 Resource Kit to display the batch file's own PID (Process ID).
This may prove useful to prevent "killing" itself when "killing" another batch file.
Do not call this batch file from within another batch file, but insert this code in the "killer" batch file itself instead.
Tested in Windows 2000.

@ECHO OFF
:: Trick read on John Savill's  Windows NT/2000 site
:: http://www.ntfaq.com/Articles/Index.cfm?ArticleID=15339
FOR /F "tokens=1 delims= " %%A IN ('TLIST ^| FIND /I "%0"') DO SET PID=%%A
ECHO My own Process ID (PID) is %PID%

This batch file handles multiple simultaneous CMD sessions by filtering its own batch file name from TLIST's output:

 736 winmgmt.exe
 748 mspmspsv.exe
 192 explorer.exe      Program Manager
1308 EM_EXEC.EXE
 996 internat.exe
1213 cmd.exe           C:\WINNT\system32\cmd.exe
1456 cmd.exe           C:\WINNT\system32\cmd.exe - E:\Batch\MyOwnPID.bat
 728 TLIST.EXE

By using FIND /I "%0" (%0 happened to be E:\Batch\MyOwnPID.bat) the right process is found.
In order to make this filtering work, do not set the CMD session's title until after you have determined the batch file's PID (TLIST actually displays the CMD session's title, which happens to be its command line unless a title is set).

This batch file will fail if it runs in multiple sessions simultaneously.
Use Daniel Scheibli's GetPIDs if that is to be expected.

Replacing TLIST by PSLIST makes it a little harder to determine the batch file's own PID, since PSLIST doesn't show the CMD sessions' command line.
However, the command:

PSLIST -d CMD

will display something similar to this:

PsList v1.2 - Process Information Lister
Copyright (C) 1999-2002 Mark Russinovich
Sysinternals - www.sysinternals.com

Thread detail for MYCOMPUTER:


cmd 1528:
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1132   8       503    Wait:LpcReply   0:00:00.010   0:00:00.010    0:01:22.448

cmd 728:
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 908   8       520    Wait:LpcReply   0:00:00.010   0:00:00.010    0:01:19.083

cmd 1268:
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 988   9       579     Wait:UserReq   0:00:00.010   0:00:00.040    0:01:16.009

In this example the CMD session with process ID 1268 is the CMD session running the batch file. The column named "State" will display either "Wait:LpcReply", "Wait:UserReq", "Wait:Executive" or "Ready". After many tests it seems that only one CMD session will not be in the "Wait:LpcReply" state: the one running the batch file.
The following code will determine which CMD session has the highest priority and display that session's PID:

@ECHO OFF
SETLOCAL
SET PID=
FOR /F "skip=1 tokens=1,2,4 delims= " %%A IN ('PSLIST -d CMD ^| FIND ":"') DO CALL :HiPrio %%A %%B %%C
SET PID
ENDLOCAL
GOTO:EOF

:HiPrio
IF DEFINED PID GOTO:EOF
IF /I "%1"=="CMD" SET TmpPID=%2
IF /I "%1"=="CMD" SET TmpPID=%TmpPID::=%
IF /I "%3"=="Ready"          SET PID=%TmpPID%
IF DEFINED PID GOTO:EOF
IF /I "%3"=="Wait:Executive" SET PID=%TmpPID%
IF DEFINED PID GOTO:EOF
IF /I "%3"=="Wait:UserReq"   SET PID=%TmpPID%
GOTO:EOF

This code should be inserted in the batch file that needs to determine its own process ID.

Warning: This code has been tested on one computer only! It is to be considered "experimental". Use it entirely at your own risk.

Windows XP's TASKLIST /V command will result in a list like this:

Image Name                   PID Session Name     Session#    Mem Usage Status          User Name                                              CPU Time Window Title                                                            
========================= ====== ================ ======== ============ =============== ================================================== ============ ========================================================================
System Idle Process            0 Console                 0         20 K Running         NT AUTHORITY\SYSTEM                                     0:13:02 N/A                                                                     
System                         4 Console                 0        216 K Running         NT AUTHORITY\SYSTEM                                     0:00:07 N/A                                                                     
smss.exe                     432 Console                 0        348 K Running         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
csrss.exe                    488 Console                 0      3.928 K Running         NT AUTHORITY\SYSTEM                                     0:00:07 N/A                                                                     
winlogon.exe                 512 Console                 0      3.212 K Running         NT AUTHORITY\SYSTEM                                     0:00:01 NetDDE Agent                                                            
services.exe                 556 Console                 0      2.740 K Running         NT AUTHORITY\SYSTEM                                     0:00:02 N/A                                                                     
lsass.exe                    568 Console                 0      1.524 K Running         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
svchost.exe                  732 Console                 0      3.440 K Running         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
svchost.exe                  804 Console                 0     12.728 K Running         NT AUTHORITY\SYSTEM                                     0:00:03 N/A                                                                     
svchost.exe                  888 Console                 0      2.740 K Running         NT AUTHORITY\NETWORK SERVICE                            0:00:00 N/A                                                                     
svchost.exe                  936 Console                 0      3.660 K Running         NT AUTHORITY\LOCAL SERVICE                              0:00:00 N/A                                                                     
spoolsv.exe                 1124 Console                 0      4.000 K Running         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
explorer.exe                1348 Console                 0     21.648 K Running         MYCOMPUTER\MyID                                         0:00:17 N/A                                                                     
point32.exe                 1604 Console                 0      2.604 K Running         MYCOMPUTER\MyID                                         0:00:00 N/A                                                                     
qttask.exe                  1676 Console                 0        896 K Running         MYCOMPUTER\MyID                                         0:00:00 N/A                                                                     
ctfmon.exe                  1780 Console                 0      2.016 K Running         MYCOMPUTER\MyID                                         0:00:00 N/A                                                                     
cmd.exe                     1354 Console                 0      1.296 K Running         MYCOMPUTER\MyID                                         0:00:00 C:\WINDOWS\System32\cmd.exe - dir i:\ /s/b/on                           
msmsgs.exe                  1788 Console                 0      3.232 K Running         MYCOMPUTER\MyID                                         0:00:00 N/A                                                                     
nvsvc32.exe                 1952 Console                 0      1.824 K Running         NT AUTHORITY\SYSTEM                                     0:00:00 NVSVCPMMWindowClass                                                     
svchost.exe                  204 Console                 0      2.472 K Running         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
devldr32.exe                 344 Console                 0      2.544 K Running         MYCOMPUTER\MyID                                         0:00:00 DEVLDR                                                                  
cmd.exe                     1252 Console                 0      1.296 K Running         MYCOMPUTER\MyID                                         0:00:00 C:\WINDOWS\System32\cmd.exe - tasklist /v                               
wmiprvse.exe                1928 Console                 0      3.956 K Running         NT AUTHORITY\NETWORK SERVICE                            0:00:00 N/A                                                                     
tasklist.exe                 332 Console                 0      2.740 K Running         MYCOMPUTER\MyID                                         0:00:00 OleMainThreadWndName                                                    

Each line starting with cmd.exe displays — amongst others — the console's command line.
This can be used to determine the batch file's own PID in a simple one liner:

@ECHO OFF
:: Determine the PID in Windows XP
FOR /F "tokens=2 delims=	 " %%A IN ('TASKLIST /V ^| FIND /I "%~0"') DO SET MyPID=%%A

The same limitations mentioned for TLIST are valid for this batch file as well:

Determine which services are "hosted" by which SvcHost process

Have you ever wondered why there are multiple instances of SvcHost running on your computer, and what services each of these SvcHost processes "hosts"?

Well, probably not, but I'll continue anyway.

The following command (for Windows XP and later) will show you more details for each SvcHost process:

TASKLIST /FI "imagename eq svchost.exe" /SVC

The result will most likely look like this:

Image Name                   PID Services
========================= ====== =============================================
svchost.exe                 1500 DcomLaunch, TermService
svchost.exe                 1604 RpcSs
svchost.exe                 1720 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem, helpsvc,
                                 HidServ, lanmanserver, lanmanworkstation,
                                 Netman, Nla, RasMan, Schedule, seclogon,
                                 SENS, SharedAccess, srservice, TapiSrv,
                                 Themes, TrkWks, W32Time, winmgmt, wscsvc,
                                 wuauserv, WZCSVC
svchost.exe                 1816 Dnscache
svchost.exe                 1964 LmHosts, RemoteRegistry, WebClient
svchost.exe                 2248 stisvc

Credits: mygreenpaste.blogspot.com
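
The table above wraps long service lists over several lines, so a line-by-line FIND misses most of the services hosted by PID 1720. The following Python parser is an added example, not part of the original page or its credited source: it uses the row of "=" signs to locate the columns and folds wrapped lines back into their process row. The function names are this example's own, and the sample is the output shown above.

```python
import re

# Sample copied from the TASKLIST /SVC output shown on this page.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                 1500 DcomLaunch, TermService
svchost.exe                 1604 RpcSs
svchost.exe                 1720 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem, helpsvc,
                                 HidServ, lanmanserver, lanmanworkstation,
                                 Netman, Nla, RasMan, Schedule, seclogon,
                                 SENS, SharedAccess, srservice, TapiSrv,
                                 Themes, TrkWks, W32Time, winmgmt, wscsvc,
                                 wuauserv, WZCSVC
svchost.exe                 1816 Dnscache
svchost.exe                 1964 LmHosts, RemoteRegistry, WebClient
svchost.exe                 2248 stisvc
"""


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from TASKLIST /SVC table output."""
    lines = text.splitlines()
    # The row of '=' runs marks the exact column boundaries of the table.
    ruler = next((i for i, ln in enumerate(lines)
                  if re.fullmatch(r"=+(?: =+){2}\s*", ln)), None)
    if ruler is None:
        raise ValueError("no TASKLIST /SVC column ruler found")
    (img_s, img_e), (pid_s, pid_e), _ = [m.span() for m in re.finditer(r"=+", lines[ruler])]

    table, current = {}, None
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        pid = line[pid_s:pid_e].strip()
        # Everything right of the PID column is the (possibly wrapped) service list.
        services = [s.strip() for s in line[pid_e:].split(",") if s.strip()]
        services = [s for s in services if s != "N/A"]  # N/A = hosts no service
        if pid.isdigit():              # first line of a new process row
            current = int(pid)
            table[current] = (line[img_s:img_e].strip(), services)
        elif current is not None:      # continuation of a wrapped row
            table[current][1].extend(services)
    return table


def host_of(service, table):
    """Return the PID of the process hosting `service` (case-insensitive), or None."""
    wanted = service.lower()
    for pid, (_image, services) in table.items():
        if wanted in (s.lower() for s in services):
            return pid
    return None


def shared_hosts(table):
    """Return {pid: count} for processes hosting more than one service."""
    return {pid: len(svcs) for pid, (_img, svcs) in table.items() if len(svcs) > 1}


if __name__ == "__main__":
    tbl = parse_tasklist_svc(SAMPLE)
    for pid, (image, svcs) in sorted(tbl.items()):
        print(f"{pid:>6} {image:<14} {len(svcs):>2} service(s)")
    print("RemoteRegistry runs in PID", host_of("RemoteRegistry", tbl))
```

Checking shared_hosts() before ending a SvcHost process by PID shows what else would stop with it: in the sample, PID 1720 hosts 28 services.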

page last modified: 2018-12-24