During Windows system maintenance you sometimes run into malicious processes of this kind: process 1 and process 2 monitor each other, and as soon as one of them notices that the other is no longer running it immediately restarts it. In this situation the Windows Task Manager cannot kill the two malicious processes, because whichever one you end first is respawned by the other.

The simplest approach is to use the taskkill command that ships with Windows and pass both PIDs in a single invocation, for example:

taskkill /f /pid 2011 /pid 2012
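The same idea as a PowerShell script, added here as an example that is not part of the original post: it resolves the two image names to their current PIDs, records where the binaries live, and hands every PID to one taskkill call. The image names watchdog_a.exe and watchdog_b.exe are assumed placeholders.

```powershell
# Added example, not from the original post. The two image names are
# placeholders (assumption): replace them with the pair you identified.
$targets = @('watchdog_a.exe', 'watchdog_b.exe')

# Get-Process reports names without the .exe suffix, so compare on the base name.
$baseNames = $targets | ForEach-Object { [System.IO.Path]::GetFileNameWithoutExtension($_) }
$procs = @(Get-Process | Where-Object { $baseNames -contains $_.ProcessName })

if ($procs.Count -eq 0) {
    Write-Host 'No matching processes found.'
    return
}

# Record the executable paths before the processes disappear from the list,
# so the files can be quarantined and examined afterwards.
foreach ($p in $procs) {
    Write-Host ("PID {0,6}  {1,-20}  {2}" -f $p.Id, $p.ProcessName, $p.Path)
}

# Build ONE taskkill command line carrying every PID. Separate taskkill calls,
# one per PID, give the surviving process time to respawn its partner.
# /t also takes down any child processes either of them may have started.
$killArgs = @('/f', '/t')
foreach ($p in $procs) { $killArgs += @('/pid', $p.Id) }
& taskkill.exe @killArgs

# Verify: neither image should be running any more. If one is, it respawned.
Start-Sleep -Seconds 2
$survivors = @(Get-Process | Where-Object { $baseNames -contains $_.ProcessName })
if ($survivors.Count -eq 0) {
    Write-Host 'All target processes terminated.'
} else {
    Write-Host 'Still running (respawned?):'
    $survivors | ForEach-Object { Write-Host ("  PID {0}  {1}" -f $_.Id, $_.ProcessName) }
}
```

Run it from an elevated PowerShell prompt; processes owned by another account or protected by the system cannot be terminated from a standard user context.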


The help text of taskkill is attached below:

TASKKILL [/S system [/U username [/P [password]]]]
         { [/FI filter] [/PID processid | /IM imagename] } [/F] [/T]

描述:
    这个命令行工具可用来结束至少一个进程。可以根据进程 id 或图像名 (note: 图像名 is the literal translation of imagename) 来结束进程。

参数列表:
    /S    system           指定要连接到的远程系统。

    /U    [domain\]user    指定应该在哪个用户上下文 执行这个命令。

    /P    [password]       为提供的用户上下文指定密码。如果忽略,提示输入。

    /F                     指定要强行终止进程。

    /FI   filter           指定筛选进或筛选出查询的的任务。

    /PID process id       指定要终止的进程的PID。

    /IM   imagename       指定要终止的进程的图像名。通配符 '*'可用来指定所有图像名。

    /T                     Tree kill: 终止指定的进程和任何由此启动的子进程。

    /?                     显示帮助/用法。

A more detailed English description:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/taskkill.mspx?mfr=true

Syntax

taskkill [/s Computer] [/u Domain\User [/p Password]]] [/fi FilterName] [/pid ProcessID]|[/im ImageName] [/f][/t]

Parameters

/s Computer : Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.

/u Domain\User : Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.

/p Password : Specifies the password of the user account that is specified in the /u parameter.

/fi FilterName : Specifies the types of process(es) to include in or exclude from termination. The following are valid filter names, operators, and values.

Name          Operators                 Value
Hostname      eq, ne                    Any valid string.
Status        eq, ne                    RUNNING|NOT RESPONDING
Imagename     eq, ne                    Any valid string.
PID           eq, ne, gt, lt, ge, le    Any valid positive integer.
Session       eq, ne, gt, lt, ge, le    Any valid session number.
CPUTime       eq, ne, gt, lt, ge, le    Valid time in the format hh:mm:ss. The mm and ss parameters should be between 0 and 59 and hh can be any valid unsigned numeric value.
Memusage      eq, ne, gt, lt, ge, le    Any valid integer.
Username      eq, ne                    Any valid user name ([Domain\]User).
Services      eq, ne                    Any valid string.
Windowtitle   eq, ne                    Any valid string.

/pid ProcessID : Specifies the process ID of the process to be terminated.

/im ImageName : Specifies the image name of the process to be terminated. Use the wildcard (*) to specify all image names.

/f : Specifies that process(es) be forcefully terminated. This parameter is ignored for remote processes; all remote processes are forcefully terminated.

/t : Specifies to terminate all child processes along with the parent process, commonly known as a tree kill.

/?: Displays help at the command prompt.

Remarks

The wildcard character (*) is accepted only when specified along with the filters.

Termination for remote processes will always be done forcefully regardless of whether the /f parameter is specified.

Supplying a computer name to the HOSTNAME filter will cause a shutdown and all processes will be stopped.

Use tasklist to determine the Process ID (PID) for the process to be terminated.

Taskkill is a replacement for the Kill tool.

Examples

The following examples show how you can use the taskkill command:

taskkill /pid 1230 /pid 1241 /pid 1253
taskkill /f /fi "USERNAME eq NT AUTHORITY\SYSTEM" /im notepad.exe
taskkill /s srvmain /f /im notepad.exe
taskkill /s srvmain /u maindom\hiropln /p p@ssW23 /fi "IMAGENAME eq note*" /im *
taskkill /s srvmain /u maindom\hiropln /fi "USERNAME ne NT*" /im *
taskkill /f /fi "PID ge 1000" /im *