Tskill
The syntax for the command isTSKILL processid | processname [/SERVER:servername]
[/ID:sessionid | /A] [/V]
The meaning of the various parameters is given in Table I.| Parameter | Description |
|---|---|
| processid | PID for process to be terminated. Use only if processname is not used |
| processname | Process name to be terminated. Wildcards can be used here . Do not use if PID is used |
| /SERVER:servername | Server containing processID (default is current). Usually not needed on home PCs |
| /ID:sessionid | End process running under the specified session. Often not needed on home PCs |
| /A | End process running under ALL sessions (administrator privileges required) |
| /V | Display information about actions being performed |
An example of a simple command that would end Notepad would be tskill notepad
Another example is ending all the Microsoft documents that you have open tskill
winword All open Word documents will be closed but the contents will not
be saved so make sure to save important work. An administrator can close processes
that might be running in sessions started by other users. The command tskill
winword /a will close everybody's open Word documents.
It may not always be obvious what process name to use for a program. Usually the name of the program executable file (minus the EXE extension) will work. One way is to use Tasklist to find the PID and use that. Another is to use Task Manager to find the process associated with a program. (Of course, Task Manager itself can be used to terminate a program.).
Taskkill
A tool with more options is provided by Taskkill. The command syntax is TASKKILL [/S system [/U username [/P[password]]]]{ [/FI filter] [/PID processid | /IM imagename] } [/F] [/T] The various parameters are described in Table II.
| Parameter | Description |
|---|---|
| /S system | Specifies the remote system to connect to. Not needed for most home PCs |
| /U username | User context under which the command should execute. Often not needed on home PCs |
| /P password | Password for username |
| /FI filter | Displays a set of tasks that match criteria specified by the filter |
| /PID process id | Specifies the PID of the process that has to be terminated. Not used when image name is given in the command |
| /IM imagename | Specifies the image name of the process that has to be terminated. Wildcard '*' can be used to specify all image names. Not used if PID is given in the command |
| /F | Forces the termination of all processes |
| /T | Tree kill: terminates the specified process and any child processes which were started by it |
Parameters like the image name or the PID may not be immediately obvious and Tasklist can
be used to obtain them. Taskkill has more options than Tskill and is accordingly
more complicated to use. For example, the simple command "Taskkill notepad" won't
work. First of all the image name is "notepad.exe" and not the program
name
"notepad". Also, generally you will have to use the forcing
switch. The command to close notepad would be taskkill /im
notepad.exe /f Another example is to close down several programs at once.taskkill /f /im notepad.exe /im mspaint.exe
The Microsoft literature is not consistent about whether the /f switch
goes before or after the image name but it doesn't seem to matter.
Filtering Taskkill output
Taskkill becomes especially powerful when filters are used with the switch "/fi". Various rules can be formed by using the comparison operators shown in Table III.
| Operator | Description |
|---|---|
| eq | Equals |
| ne | Does not equal |
| gt | Greater than. Only used with numeric values |
| lt | Less than. Only used with numeric values |
| ge | Greater than or equal to. Only used with numeric values |
| le | Less than or equal to. Only used with numeric values |
Table IV shows the variables that can be used in a filter.
| Parameter | Valid operators | Valid values |
|---|---|---|
| ImageName | eq, ne | Any valid string |
| PID | eq, ne, gt, lt, ge, le | Any valid positive integer |
| MemUsage | eq, ne, gt, lt, ge, le | Any valid positive integer in kilobytes |
| CPUTime | eq, ne, gt, lt, ge, le | CPU time in the format of hh:mm:ss. |
| Session | eq, ne, gt, lt, ge, le | Session number |
| Status | eq, ne | Running, Not Responding |
| Username | eq, ne | Any valid user name (includes SYSTEM, LOCAL SERVICE , NETWORK SERVICE) |
| WindowTitle | eq, ne | Any valid string |
| Services | eq, ne | Service name |
| Modules | eq, ne | DLL name |
Examples of using filters in Taskkill
With filters, you can impose some specific set of conditions that must be met. Filters give Taskkill considerable versatility and allow you to fine-tune the target..Some examples are given below. Note that a specific image name or PID does not have to be included when using filters.- Forcefully shut down all the processes that are not responding. Can be used to make a little batch file to shut down hung or frozen programs.
- taskkill /f /fi "status eq not responding"
- Forcefully shut down all programs using a specific DLL file named "some.dll". This should be used with care but one application might be to stop processes thought to be associated with a DLL from spyware or a Trojan. Use Tasklist to see what processes are using a given DLL.
- taskkill /f /fi "modules eq some.dll"
- Close down all programs using large amounts of memory, say 40 MB. Use with care.
- taskkill /f /fi "memusage gt 40000"
- Close down programs using more than 40 MB of memory but not Windows Explorer
- taskkill /f /fi "imagename ne explorer.exe" /fi "memusage gt 40000"