TASKLIST
See all PIDs (process IDs):
tasklist
tasklist /? (this command shows all options: help)
Show all the DLLs loaded by each image:
tasklist /M >pid.txt
(Output to a text file called "pid.txt")
Show all the DLLs related to a specified image:
(tasklist /M also accepts a module name, in which case it lists only the processes that have loaded that DLL.)
Display the services hosted in each process:
tasklist /SVC
Example output:

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     552 N/A
csrss.exe                    608 N/A
winlogon.exe                 632 N/A
services.exe                 676 Eventlog, PlugPlay
lsass.exe                    688 PolicyAgent, ProtectedStorage, SamSs
vmacthlp.exe                 844 VMware Physical Disk Helper Service
svchost.exe                  860 DcomLaunch, TermService
svchost.exe                  936 RpcSs
svchost.exe                 1028 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                 EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, srservice, Themes,
                                 TrkWks, W32Time, winmgmt, wscsvc, wuauserv,
                                 WZCSVC
svchost.exe                 1076 Dnscache
svchost.exe                 1128 LmHosts, RemoteRegistry, SSDPSRV, WebClient
explorer.exe                1476 N/A
spoolsv.exe                 1516 Spooler
VMwareTray.exe              1616 N/A
vmtoolsd.exe                1632 N/A
IDMan.exe                   1640 N/A
Skype.exe                   1648 N/A
IEMonitor.exe               1796 N/A
vmtoolsd.exe                 988 VMTools
TPAutoConnSvc.exe            796 TPAutoConnSvc
alg.exe                      384 ALG
wscntfy.exe                 2096 N/A
TPAutoConnect.exe           2412 N/A
cmd.exe                     2760 N/A
wuauclt.exe                 3212 N/A
notepad.exe                  296 N/A
tasklist.exe                 272 N/A
wmiprvse.exe                1612 N/A
Service output as CSV (easier to parse, or to import into a spreadsheet):
tasklist /SVC /FO CSV
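The CSV form is the one to keep when you collect process listings from many machines, because it can be parsed offline. The following is an added example (not code from the original post): it parses a capture constructed from the table above, answers the question /SVC exists for (which process hosts a given service), and applies one common triage heuristic. The PID 3300 row is made up for the example, and the check functions are my own, not tasklist features.

```python
"""Triage a `tasklist /SVC /FO CSV` capture offline.

Added example, not code from the original post: the capture below is
constructed from the table above (plus one made-up svchost row, marked),
and the check functions are ordinary triage heuristics, not tasklist options.
"""
import csv
import io

# Constructed: what `tasklist /SVC /FO CSV` prints for part of the table above.
# tasklist quotes every field; several services in one process share one field.
SAMPLE_CSV = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"System","4","N/A"
"services.exe","676","Eventlog,PlugPlay"
"lsass.exe","688","PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","860","DcomLaunch,TermService"
"svchost.exe","936","RpcSs"
"svchost.exe","1076","Dnscache"
"svchost.exe","1128","LmHosts,RemoteRegistry,SSDPSRV,WebClient"
"spoolsv.exe","1516","Spooler"
"cmd.exe","2760","N/A"
"notepad.exe","296","N/A"
"svchost.exe","3300","N/A"
'''
# The PID 3300 row is made up for this example: an svchost.exe that hosts no
# service is one of the first things a triage pass should look at twice.


def parse_tasklist_svc(text):
    """Return [(image, pid, [services])] from tasklist /SVC /FO CSV output."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        field = rec["Services"]
        services = [] if field == "N/A" else [
            s.strip() for s in field.split(",") if s.strip()]
        rows.append((rec["Image Name"], int(rec["PID"]), services))
    return rows


def service_hosts(rows):
    """service name -> PID hosting it (the question /SVC answers: which
    process do I have to stop or kill to get rid of service X?)."""
    return {svc: pid for _, pid, services in rows for svc in services}


def find_service_host(rows, name):
    """Case-insensitive lookup; None when no process hosts the service."""
    hosts = {svc.lower(): pid for svc, pid in service_hosts(rows).items()}
    return hosts.get(name.lower())


def pids_for_image(rows, image):
    """All PIDs running under a given image name (svchost.exe has many)."""
    return [pid for img, pid, _ in rows if img.lower() == image.lower()]


def serviceless_svchosts(rows):
    """svchost.exe exists only to host services, so an instance showing N/A
    deserves a closer look (path, parent, signer) before any kill decision."""
    return [pid for img, pid, services in rows
            if img.lower() == "svchost.exe" and not services]


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE_CSV)
    print("RemoteRegistry is hosted by PID", find_service_host(rows, "RemoteRegistry"))
    print("svchost.exe PIDs:", pids_for_image(rows, "svchost.exe"))
    print("svchost.exe hosting nothing:", serviceless_svchosts(rows))
```

Killing the PID returned by find_service_host takes down every other service in that svchost instance too, which is why the services column matters before any taskkill.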
TASKKILL
Taskkill is a tool to terminate a process.
Simple command:
taskkill /?
Example output:

TASKKILL [/S system [/U username [/P [password]]]]
         { [/FI filter] [/PID processid | /IM imagename] } [/F] [/T]

Description:
    This command line tool can be used to end one or more processes.
    Processes can be killed by the process id or image name.

Parameter List:
    /S    system           Specifies the remote system to connect to.

    /U    [domain\]user    Specifies the user context under which
                           the command should execute.

    /P    [password]       Specifies the password for the given
                           user context. Prompts for input if omitted.

    /F                     Specifies to forcefully terminate
                           process(es).

    /FI   filter           Displays a set of tasks that match a
                           given criteria specified by the filter.

    /PID  process id       Specifies the PID of the process that
                           has to be terminated.

    /IM   image name       Specifies the image name of the process
                           that has to be terminated. Wildcard '*'
                           can be used to specify all image names.

    /T                     Tree kill: terminates the specified process
                           and any child processes which were started by it.

    /?                     Displays this help/usage.

Filters:
    Filter Name   Valid Operators           Valid Value(s)
    -----------   ---------------           --------------
    STATUS        eq, ne                    RUNNING | NOT RESPONDING
    IMAGENAME     eq, ne                    Image name
    PID           eq, ne, gt, lt, ge, le    PID value
    SESSION       eq, ne, gt, lt, ge, le    Session number.
    CPUTIME       eq, ne, gt, lt, ge, le    CPU time in the format
                                            of hh:mm:ss.
                                            hh - hours,
                                            mm - minutes, ss - seconds
    MEMUSAGE      eq, ne, gt, lt, ge, le    Memory usage in KB
    USERNAME      eq, ne                    User name in [domain\]user
                                            format
    MODULES       eq, ne                    DLL name
    SERVICES      eq, ne                    Service name
    WINDOWTITLE   eq, ne                    Window title

NOTE: Wildcard '*' for the /IM switch is accepted only with filters.
NOTE: Termination of remote processes will always be done forcefully
      irrespective of whether /F option is specified or not.

Examples:
    TASKKILL /S system /F /IM notepad.exe /T
    TASKKILL /PID 1230 /PID 1241 /PID 1253 /T
    TASKKILL /F /IM notepad.exe /IM mspaint.exe
    TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
    TASKKILL /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /IM notepad.exe
    TASKKILL /S system /U domain\username /FI "USERNAME ne NT*" /IM *
    TASKKILL /S system /U username /P password /FI "IMAGENAME eq note*"
Kill a process:
taskkill /PID 296
taskkill /IM notepad.exe
Kill multiple processes:
taskkill /PID 333 /PID 444 /PID 49494
Without /F, taskkill only asks the process to close, so a process with no window, or one that refuses to close, is not terminated; add /F to terminate it outright, and /T to take its child processes down with it.
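A /FI filter is evaluated at the moment taskkill runs, and a wide one ("PID ge 1000", "IMAGENAME eq note*") can catch more than intended. The block below is an added example, not code from the original post: it re-implements the filter grammar from the help text above over a constructed process table, so the PID list a filter would hit can be reviewed, and then turns it into the explicit /PID form. String matching is assumed to be case-insensitive, which is how taskkill behaves; the process rows and their usernames and window titles are made up for the example.

```python
"""Dry-run taskkill filters against a process table before running them.

Added example, not code from the original post. It re-implements the /FI
grammar from the taskkill help above (NAME op value; eq/ne/gt/lt/ge/le; a
trailing '*' wildcard on string values) so the PIDs a command such as
    taskkill /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
would hit can be reviewed first. String matching is assumed to be
case-insensitive, as in taskkill. The process table is constructed.
"""
import fnmatch
import operator

# Constructed rows in the shape `tasklist /V /FO CSV` reports (only the
# columns used here). PIDs and image names borrow from the table above.
PROCS = [
    {"PID": 296, "IMAGENAME": "notepad.exe", "USERNAME": "LAB\\admin",
     "WINDOWTITLE": "Untitled - Notepad", "MEMUSAGE": 3120, "CPUTIME": "0:00:01"},
    {"PID": 688, "IMAGENAME": "lsass.exe", "USERNAME": "NT AUTHORITY\\SYSTEM",
     "WINDOWTITLE": "N/A", "MEMUSAGE": 1500, "CPUTIME": "0:00:12"},
    {"PID": 1476, "IMAGENAME": "explorer.exe", "USERNAME": "LAB\\admin",
     "WINDOWTITLE": "N/A", "MEMUSAGE": 20000, "CPUTIME": "0:01:40"},
    {"PID": 2760, "IMAGENAME": "cmd.exe", "USERNAME": "LAB\\admin",
     "WINDOWTITLE": "Command Prompt", "MEMUSAGE": 2200, "CPUTIME": "0:00:00"},
    {"PID": 3212, "IMAGENAME": "wuauclt.exe", "USERNAME": "NT AUTHORITY\\SYSTEM",
     "WINDOWTITLE": "N/A", "MEMUSAGE": 4000, "CPUTIME": "0:00:03"},
]

OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
       "lt": operator.lt, "ge": operator.ge, "le": operator.le}
ORDERED = {"PID", "SESSION", "MEMUSAGE", "CPUTIME"}  # accept gt/lt/ge/le


def as_number(name, value):
    """CPUTIME is hh:mm:ss in the filter syntax; everything else is an int."""
    if name == "CPUTIME":
        h, m, s = (int(x) for x in str(value).split(":"))
        return h * 3600 + m * 60 + s
    return int(value)


def parse_filter(text):
    """'USERNAME eq NT AUTHORITY\\SYSTEM' -> ('USERNAME', 'eq', 'NT AUTHORITY\\SYSTEM').
    The value may contain spaces, so split at most twice."""
    name, op, value = text.split(None, 2)
    name, op = name.upper(), op.lower()
    if op not in OPS:
        raise ValueError(f"unknown operator {op!r}")
    if name not in ORDERED and op not in ("eq", "ne"):
        raise ValueError(f"{name} only supports eq and ne")
    return name, op, value


def matches(proc, flt):
    """Apply one parsed filter to one process row."""
    name, op, value = flt
    actual = proc.get(name)
    if actual is None:
        return False
    if name in ORDERED:
        return OPS[op](as_number(name, actual), as_number(name, value))
    hit = fnmatch.fnmatchcase(str(actual).lower(), value.lower())
    return hit if op == "eq" else not hit


def select(procs, *filters, image=None):
    """PIDs that every /FI filter (and the optional /IM pattern) matches."""
    parsed = [parse_filter(f) for f in filters]
    return [p["PID"] for p in procs
            if (image is None
                or fnmatch.fnmatchcase(p["IMAGENAME"].lower(), image.lower()))
            and all(matches(p, f) for f in parsed)]


def taskkill_cmdline(pids, force=True, tree=False):
    """Explicit /PID form, so the kill list is fixed when it is reviewed rather
    than re-evaluated by the filter at run time (a new process may match later)."""
    parts = ["taskkill"] + (["/F"] if force else []) + (["/T"] if tree else [])
    for pid in pids:
        parts += ["/PID", str(pid)]
    return " ".join(parts)


if __name__ == "__main__":
    hit = select(PROCS, "PID ge 1000", "WINDOWTITLE ne untitle*")
    print(hit, "->", taskkill_cmdline(hit))
```

Feed it a real `tasklist /V /FO CSV` capture instead of PROCS when the filter is one you intend to run on a production host; the point is to see the PID list before taskkill does.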
Starting and Stopping Services
Simple command:
sc
(help)
Stop a service:
sc stop avp
Start a service:
sc start avp
See the configuration of a service:
sc qc avp
Example output:

C:\Documents and Settings\Administrator\Desktop>sc qc RemoteRegistry
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote Registry
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : NT AUTHORITY\LocalService
Configure the service (for example, disable it so it no longer starts at boot). Note the syntax: no space before "=" and exactly one space after it, or sc rejects the command. Valid start values are boot, system, auto, demand and disabled:
sc config avp start= disabled
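The fields that matter when reviewing `sc qc` output are SERVICE_START_NAME (the account the service runs as), START_TYPE, and BINARY_PATH_NAME. The block below is an added example, not code from the original post: it parses the RemoteRegistry capture shown above plus a constructed capture for a made-up "ExampleAgent" service whose path is unquoted and contains spaces, flags that and the LocalSystem account, and builds the `sc config` line with the exact `start= value` spacing sc requires. The risk checks are my own reviewer heuristics, not sc features.

```python
"""Read `sc qc <service>` output and check the fields that decide how much
a service is worth to an attacker: the account it runs as, whether it starts
on its own, and whether its binary path is quoted.

Added example, not code from the original post. The RemoteRegistry text is
the capture shown above; the ExampleAgent capture is constructed to show an
unquoted path containing spaces, a well-known service misconfiguration
(Windows tries C:\\Program.exe, then C:\\Program Files\\Example.exe, and so
on, before the intended binary, so a writable directory on that chain lets
a local user run code as the service account).
"""
import re

SC_QC_REMOTEREGISTRY = r"""[SC] GetServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote Registry
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

# Constructed capture: a made-up third-party service with an unquoted path.
SC_QC_CONSTRUCTED = r"""[SC] GetServiceConfig SUCCESS

SERVICE_NAME: ExampleAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\agent.exe -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Example Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

START_VALUES = ("boot", "system", "auto", "demand", "disabled")


def parse_sc_qc(text):
    """KEY : value lines -> dict; empty values (LOAD_ORDER_GROUP) stay ''."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def binary_path_unquoted(path):
    """True when the executable part of BINARY_PATH_NAME contains a space
    and the path is not wrapped in quotes (arguments after the .exe may
    contain spaces without harm)."""
    path = path.strip()
    if path.startswith('"'):
        return False
    m = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    exe = m.group(1) if m else path.split(" ")[0]
    return " " in exe


def risk_notes(cfg):
    """Plain-language observations a reviewer would note for the service."""
    notes = []
    if binary_path_unquoted(cfg.get("BINARY_PATH_NAME", "")):
        notes.append("unquoted service path with spaces")
    account = cfg.get("SERVICE_START_NAME", "").lower()
    if account in ("localsystem", "nt authority\\system"):
        notes.append("runs as LocalSystem")
    if cfg.get("START_TYPE", "").endswith("AUTO_START"):
        notes.append("starts automatically at boot")
    return notes


def sc_config_cmd(service, start):
    """Build the `sc config` line; sc insists on `start= value` (no space
    before the '=', exactly one after), which is easy to get wrong by hand."""
    if start not in START_VALUES:
        raise ValueError(f"start must be one of {START_VALUES}")
    return f"sc config {service} start= {start}"


if __name__ == "__main__":
    for capture in (SC_QC_REMOTEREGISTRY, SC_QC_CONSTRUCTED):
        cfg = parse_sc_qc(capture)
        print(cfg["SERVICE_NAME"], "->", risk_notes(cfg) or ["nothing notable"])
    print(sc_config_cmd("RemoteRegistry", "disabled"))
```

An unquoted path is only exploitable if some directory along it is writable by a lower-privileged user, so follow the note up with a permission check on each path component before calling it a finding.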