WINDOWS自带的无敌kill进程命令

最新推荐文章于 2025-03-05 07:00:00 发布

转载最新推荐文章于 2025-03-05 07:00:00 发布 · 5.9k 阅读

文章标签：

#windows #kill #path #output #server #image

集锦专栏收录该内容

23 篇文章

订阅专栏

此方法可以杀掉任务管理器杀不掉的进程!
问:怎么才能关掉一个用任务管理器关不了的进程？我前段时间发现我的机子里多了一个进程，只要开机就在，我用任务管理器却怎么关也关不了

答1:杀进程很容易，随便找个工具都行。比如IceSword。关键是找到这个进程的启动方式，不然下次重启它又出来了。顺便教大家一招狠的。其实用Windows自带的工具就能杀大部分进程：

　　c:>ntsd -c q -p PID


　　只有System、SMSS.EXE和CSRSS.EXE不能杀。前两个是纯内核态的，最后那个是Win32子系统，ntsd本身需要它。ntsd从
2000开始就是系统自带的用户态调试工具。被调试器附着(attach)的进程会随调试器一起退出，所以可以用来在命令行下终止进程。使用ntsd自动
就获得了debug权限，从而能杀掉大部分的进程。ntsd会新开一个调试窗口，本来在纯命令行下无法控制，但如果只是简单的命令，比如退出(q)，用
-c参数从命令行传递就行了。NtsdNtsd 按照惯例也向软件开发人员提供。只有系统开发人员使用此命令。有关详细信息，请参阅 NTSD
中所附的帮助文件。用法:开个cmd.exe窗口，输入：

　　ntsd -c q -p PID

　　把最后那个PID，改成你要终止的进程的ID。如果你不知道进程的ID，任务管理器－>进程选项卡－>查看－>选择列－>勾上"PID（进程标识符）"，然后就能看见了。

答2：xp下还有两个好东东tasklist和tskill。tasklist能列出所有的进程，和相应的信息。tskill能查杀进程，语法很简单：tskill 程序名！！


附：NTSD 中所附的帮助文件

usage: ntsd [-?] [-2] [-d] [-g] [-G] [-myob] [-lines] [-n] [-o] [-s] [-v] [-w]
  [-r BreakErrorLevel] [-t PrintErrorLevel]
  [-hd] [-pd] [-pe] [-pt #] [-pv] [-x | -x{e|d|n|i} ]
  [-- | -p pid | -pn name | command-line | -z CrashDmpFile]
  [-zp CrashPageFile] [-premote transport] [-robp]
  [-aDllName] [-c "command"] [-i ImagePath] [-y SymbolsPath]
  [-clines #] [-srcpath SourcePath] [-QR /machine] [-wake ]
  [-remote transport:server=name,portid] [-server transport:portid]
  [-ses] [-sfce] [-sicv] [-snul] [-noio] [-failinc] [-noshell]

where: -? displays this help text
  command-line is the command to run under the debugger
  -- is the same as -G -g -o -p -1 -d -pd
  -aDllName sets the default extension DLL
  -c executes the following debugger command
  -clines number of lines of output history retrieved by a remote client
  -failinc causes incomplete symbol and module loads to fail
  -d sends all debugger output to kernel debugger via DbgPrint
  -d cannot be used with debugger remoting
  -d can only be used when the kernel debugger is enabled
  -g ignores initial breakpoint in debuggee
  -G ignores final breakpoint at process termination
  -hd specifies that the debug heap should not be used
  for created processes. This only works on Windows Whistler.
  -o debugs all processes launched by debuggee
  -p pid specifies the decimal process Id to attach to
  -pd specifies that the debugger should automatically detach
  -pe specifies that any attach should be to an existing debug port
  -pn name specifies the name of the process to attach to
  -pt # specifies the interrupt timeout
  -pv specifies that any attach should be noninvasive
  -r specifies the (0-3) error level to break on (SeeSetErrorLevel)
  -robp allows breakpoints to be set in read-only memory
  -t specifies the (0-3) error level to display (SeeSetErrorLevel)
  -w specifies to debug 16 bit applications in a separate VDM
  -x sets second-chance break on AV exceptions
  -x{e|d|n|i} sets the break status for the specified event
  -2 creates a separate console window for debuggee
  -i ImagePath specifies the location of the executables that generated
  the fault (see _NT_EXECUTABLE_IMAGE_PATH)
  -lines requests that line number information be used if present
  -myob ignores version mismatches in DBGHELP.DLL
  -n enables verbose output from symbol handler
  -noio disables all I/O for dedicated remoting servers
  -noshell disables the .shell (!!) command
  -QR  queries for remote servers
  -s disables lazy symbol loading
  -ses enables strict symbol loading
  -sfce fails critical errors encountered during file searching
  -sicv ignores the CV record when symbol loading
  -snul disables automatic symbol loading for unqualified names
  -srcpath specifies the source search path
  -v enables verbose output from debugger
  -wake wakes up a sleeping debugger and exits
  -y specifies the symbol search path (see _NT_SYMBOL_PATH)
  -z specifies the name of a crash dump file to debug
  -zp specifies the name of a page.dmp file
  to use with a crash dump
  -remote lets you connect to a debugger session started with -server
  must be the first argument if present
  transport: tcp | npipe | ssl | spipe | 1394 | com
  name: machine name on which the debug server was created
  portid: id of the port the debugger server was created on
  for tcp use: port=
  for npipe use: pipe=
  for 1394 use: channel=
  for com use: port=,baud=,
  channel=
  for ssl and spipe see the documentation
  example: ... -remote npipe:server=yourmachine,pipe=foobar
  -server creates a debugger session other people can connect to
  must be the first argument if present
  transport: tcp | npipe | ssl | spipe | 1394 | com
  portid: id of the port remote users can connect to
  for tcp use: port=
  for npipe use: pipe=
  for 1394 use: channel=
  for com use: port=,baud=,
  channel=
  for ssl and spipe see the documentation
  example: ... -server npipe:pipe=foobar
  -premote transport specifies the process server to connect to
  transport arguments are given as with remoting

Environment Variables:

  _NT_SYMBOL_PATH=[Drive:][Path]
  Specify symbol image path.

  _NT_ALT_SYMBOL_PATH=[Drive:][Path]
  Specify an alternate symbol image path.

  _NT_DEBUGGER_EXTENSION_PATH=[Drive:][Path]
  Specify a path which should be searched first for extensions dlls

  _NT_EXECUTABLE_IMAGE_PATH=[Drive:][Path]
  Specify executable image path.

  _NT_SOURCE_PATH=[Drive:][Path]
  Specify source file path.

  _NT_DEBUG_LOG_FILE_OPEN=filename
  If specified, all output will be written to this file from offset 0.

  _NT_DEBUG_LOG_FILE_APPEND=filename
  If specified, all output will be APPENDed to this file.

  _NT_DEBUG_HISTORY_SIZE=size
  Specifies the size of a server's output history in kilobytes

Control Keys:

  Quit debugger
  Break into Target
  Force a break into debuggee (same as Ctrl-C)
  Debug Current debugger
  Toggle Verbose mode
  Print version information
ntsd: exiting - press enter ---