Reputation: 159
I need some help here.
I am currently trying to kill any process that isn't in a whitelist (matched against the command line) like so; however, it is not working:
@echo off
setlocal
set "whitelist=DcomLaunch RPCSS LocalServiceNetworkRestricted netsvcs LocalService LocalSystemNetworkRestricted NetworkService LocalServiceAndNoImpersonation taskhostex cmd dwm conhost services smss SearchIndexer Isass Explorer csrss conhost cftmon"
for /f "tokens=2 delims=," %%I in (
'wmic process get executablepath^,status /format:csv ^| find "\"'
) do (
set "proc=%%~I"
setlocal enabledelayedexpansion
set /p "=%%~I: "<NUL
wmic path win32_process get CommandLine | findstr /i "%whitelist%" >NUL && (
echo OK
) || (
echo UNACCEPTABLE!
taskkill /im "%%~nxI" /f
)
endlocal
)
Upvotes: 0
Views: 1477
Reputation: 30113
wmic path win32_process get CommandLine | findstr /i "%whitelist%"
In the above command, findstr would look for a match in the entire wmic output, so it will always find a match. For instance, at least cmd would match, because wmic runs in a cmd window. The next commented code snippet should work; however, it gives different results if elevated (run as administrator).
set "whitelist=DcomLaunch RPCSS LocalServiceNetworkRestricted netsvcs LocalService LocalSystemNetworkRestricted NetworkService LocalServiceAndNoImpersonation taskhostex cmd dwm conhost services smss SearchIndexer Isass Explorer csrss conhost cftmon"
rem add windows VITAL processes !!! incomplete !!!
set "whitelist=svchost ctfmon lsass winlogon %whitelist%"
for /f "tokens=2,3 delims=," %%I in (
'wmic process get executablepath^,ProcessID^,status^,WindowsVersion /format:csv ^| find "\"'
) do (
set "proc=%%~I"
set "procID=%%~J"
setlocal enabledelayedexpansion
rem debugging: set /p "=%%~I: "<NUL
rem debug try: wmic path win32_process where "ProcessID=%%J" get Name 2>NUL | findstr /i "%whitelist%">NUL 2>&1 && (
rem debug try: wmic path win32_process get executablepath 2>NUL | findstr /i "!proc:/=//!">NUL 2>&1 && (
wmic path win32_process where "ProcessID=%%J" get CommandLine 2>NUL | findstr /i "%whitelist%">NUL 2>&1 && (
rem suppress "No Instance(s) Available" report in above line: 2>NUL
echo OK %%J "%%~I"
) || (
rem UNWANTED: here come inactive processes "cmd", "wmic", "find"
rem and maybe more ones that were active in FOR %%I execution time
rem (but loop continues); let's filter them here:
tasklist /FI "PID eq %%J" /NH | find "%%J" >NUL 2>&1 && (
echo NO %%J "%%~I"
rem taskkill /PID "%%~J" /f
) || (
echo XX %%J "%%~I"
rem inactive at the moment
)
)
endlocal
)
Essential processes needed to run Windows (the following list may be a bit out of date):
… here is a list of the essential processes that Windows needs to run correctly.
- System Idle Process
- explorer.exe
- taskmgr.exe
- spoolsv.exe
- lsass.exe
- csrss.exe
- smss.exe
- winlogon.exe
- svchost.exe – (There will be a few of these)
- services.exe
By shutting down anything other than these processes, a stand-alone Windows installation should operate fine; however, if any of these processes are shut down, Windows will start to become unstable or unusable.
Upvotes: 1
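The following Python script is an added illustration, not code from the question or the answer, of why the two matching strategies above behave so differently. It parses a constructed sample of wmic "/format:csv" output (the column order Node, CommandLine, ExecutablePath, ProcessId is assumed, and the rows and the reduced whitelist are made up for the example) and applies the whitelist three ways: against the whole listing, as the question does (always matches); as a substring of each process's own command line, as the answer's per-PID findstr does; and as an exact match on the image name taken from ExecutablePath. The substring form still lets through any process whose path or arguments merely contain a whitelisted word, so the script only reports what each strategy would reject and leaves the decision to terminate to the operator.

```python
import ntpath

# Constructed sample of "wmic process get CommandLine,ExecutablePath,ProcessId /format:csv"
# style output (not real output from the page). Column order is assumed to be
# Node,CommandLine,ExecutablePath,ProcessId; wmic emits the fields unquoted, so a
# command line may itself contain commas (see the agent.exe row).
SAMPLE_WMIC_CSV = r"""
Node,CommandLine,ExecutablePath,ProcessId
HOST1,C:\Windows\explorer.exe,C:\Windows\explorer.exe,1234
HOST1,C:\Windows\system32\svchost.exe -k netsvcs,C:\Windows\system32\svchost.exe,840
HOST1,"C:\Program Files\Vendor\agent.exe" --tags=a,b,C:\Program Files\Vendor\agent.exe,3300
HOST1,C:\Users\bob\Downloads\services_update.exe --quiet,C:\Users\bob\Downloads\services_update.exe,5120
HOST1,C:\Users\bob\AppData\Local\Temp\x.exe /c cmd,C:\Users\bob\AppData\Local\Temp\x.exe,5188
HOST1,C:\Windows\system32\cmd.exe,C:\Windows\system32\cmd.exe,2200
"""

# Reduced, constructed whitelist in the same spirit as the page's (image names and
# svchost group names mixed together, exactly as the question's list does).
WHITELIST = {"explorer", "svchost", "netsvcs", "services", "cmd",
             "lsass", "csrss", "smss", "winlogon"}


def parse_wmic_csv(text):
    """Parse the CSV listing into (pid, exe_path, command_line) tuples.

    The two trailing columns (ExecutablePath, ProcessId) never contain commas in
    practice, so splitting from the right keeps commas inside CommandLine intact.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue  # wmic's leading blank line and the header row
        _node, rest = line.split(",", 1)
        cmdline, exe, pid = rest.rsplit(",", 2)
        rows.append((int(pid), exe, cmdline))
    return rows


def whole_output_matches(text, whitelist):
    """The question's check: does ANY whitelisted word occur ANYWHERE in the listing?
    The listing always contains the cmd.exe/wmic.exe that produced it, so this is
    always True and never identifies a single process."""
    low = text.lower()
    return any(w.lower() in low for w in whitelist)


def substring_allowed(cmdline, whitelist):
    """The answer's per-PID check: findstr /i "<words>" over one command line.
    Any path or argument that merely contains a whitelisted word passes."""
    low = cmdline.lower()
    return any(w.lower() in low for w in whitelist)


def exact_name_allowed(exe_path, whitelist):
    """Stricter check: the image name (basename of ExecutablePath, without .exe)
    must equal a whitelist entry. Group names such as 'netsvcs' never match here."""
    name = ntpath.basename(exe_path).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name in {w.lower() for w in whitelist}


def classify(text, whitelist):
    """Map each PID to (substring_verdict, exact_name_verdict)."""
    return {pid: (substring_allowed(cmdline, whitelist), exact_name_allowed(exe, whitelist))
            for pid, exe, cmdline in parse_wmic_csv(text)}


def rejected(text, whitelist, exact=True):
    """PIDs (in listing order) that the chosen strategy would NOT accept.
    This only reports; terminating processes is left to the operator."""
    idx = 1 if exact else 0
    return [pid for pid, verdicts in classify(text, whitelist).items() if not verdicts[idx]]


if __name__ == "__main__":
    print("whole-output match:", whole_output_matches(SAMPLE_WMIC_CSV, WHITELIST))
    for pid, exe, cmdline in parse_wmic_csv(SAMPLE_WMIC_CSV):
        sub, exact = classify(SAMPLE_WMIC_CSV, WHITELIST)[pid]
        print(f"{pid:>5}  substring={'OK' if sub else 'NO'}  exact={'OK' if exact else 'NO'}  {exe}")
    print("rejected by substring:", rejected(SAMPLE_WMIC_CSV, WHITELIST, exact=False))
    print("rejected by exact name:", rejected(SAMPLE_WMIC_CSV, WHITELIST, exact=True))
```

Run against the constructed sample, the whole-output check is true (as the answer explains), the substring check rejects only agent.exe, and the exact-name check additionally rejects services_update.exe and the Temp\x.exe that only contain "services" and "cmd" in their text. The same right-to-left split can be reused on real wmic CSV output as long as the assumed column order holds.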