2007-05-24 18:18:16

Kill the unkillable process

In the article I posted yesterday, I mentioned certain processes that cannot be killed by conventional means. You were probably thinking, what are conventional means and how would I kill such a process unconventionally? Well, you might not have thought that, and you might not even know or care if you have a virus. I'm going to explain anyway.
The following processes cannot be killed conventionally (via the Windows Task Manager): Normally, killing these processes is a bad^H^H^Hvery bad thing. But, when someone writes a virus/backdoor/whatever, saves it with the same filename as one of those in the list, and plants it on your computer, you're kind of screwed. You can't delete the infected file because it's running and you can't stop it from running because Windows thinks it's a system process. So how do you kill a process when Windows won't let you? Enter the Windows Management Instrumentation Console (WMIC).
Though there are other third-party utilities, such as the PsTools, which can do the job, Windows has a scripting engine built right in. To get started, open a command prompt and run `wmic`. You'll be greeted with the WMIC prompt:

```
wmic:root\cli>
```
Once in the console you have many commands at your disposal to access and change all parts of your system. To list the available commands you give it the normal Windows help switch, `/?`. Since we are trying to kill a process, we'll use the `process` command:
```
wmic:root\cli> process /?

PROCESS - Process management.

HINT: BNF for Alias usage.
( [WMIObject] | [] | [] ) [].

USAGE:

PROCESS ASSOC []
PROCESS CALL []
PROCESS CREATE
PROCESS DELETE
PROCESS GET [] []
PROCESS LIST [] []
```
Now since the process we want to kill is named the same as other processes which we don't want to kill, we first need to make sure we have the right one. We will do a brief listing of the running processes to find the one we want to kill:
```
wmic:root\cli> process list brief
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            28672
224          System               8         4          47           86016
19           smss.exe             11        544        3            77824
344          csrss.exe            13        608        11           2654208
479          winlogon.exe         13        632        18           1642496
259          services.exe         9         676        16           1130496
407          lsass.exe            9         688        19           1523712
125          svchost.exe          8         860        6            1523712
271          svchost.exe          8         948        10           1679360
980          svchost.exe          8         1060       38           10952704
65           svchost.exe          8         1100       4            1024000
111          svchost.exe          8         1376       6            1097728
107          spoolsv.exe          8         1556       11           1118208
139          inetinfo.exe         8         1692       5            1249280
254          explorer.exe         8         364        8            5955584
139          smss.exe             8         1613       9            1728283
157          wuauclt.exe          8         1524       3            1011712
30           cmd.exe              8         1128       1            3534848
152          wmic.exe             8         520        5            7872512
139          wmiprvse.exe         8         120        6            6377472
```
We already know that our threat is another 'smss.exe'. In the list we see two: one has a pid of 544 and the other 1613. Even if you know little about how Windows works, you can guess that the system processes start first. Therefore the real 'smss.exe' is the one with a pid of 544, and the one we want to kill has a pid of 1613. (I'm saying "pid" because I'm used to the *nix-style terminology; WMIC calls it the "ProcessID".) Now that we have a unique identifier for the threat process, we can kill it:

```
wmic:root\cli> process where ProcessID='1613' call terminate
Execute (\\VM\ROOT\CIMV2:Win32_Process.Handle="1613")->terminate() (Y/N/?)? y
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
```
Voila! The process has been successfully killed.
The WMIC is a very powerful tool. Everything that is available to you in a VBScript utilizing WMI is available to you through this console. Sometime in the future I may do a little tutorial on the WMIC, but for now, the killing of a process is all I'll cover.
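As an added example (not code from the original post), here is a Python script that parses the `process list brief` table shown above and applies the post's heuristic automatically: for names Windows runs only once, the lowest ProcessId is taken as genuine and any other copy is flagged, with the matching `call terminate` line generated for it. The singleton set and the sample table are assumptions constructed for this example; on a real box, confirm a flagged PID with `wmic process get Name,ProcessId,ParentProcessId,ExecutablePath` before terminating, since PID order alone is only a hint.

```python
"""Added example (not from the original post): parse `wmic process list brief`
output and flag second copies of process names that Windows runs only once."""
import re
from collections import defaultdict

# Names a single-session XP-era box runs exactly once (an assumption made for
# this example; later Windows versions run one csrss/winlogon per session).
SINGLETONS = {"smss.exe", "services.exe", "lsass.exe", "winlogon.exe"}

# Constructed sample modelled on the table in the post, not the author's capture.
SAMPLE = """\
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            28672
19           smss.exe             11        544        3            77824
344          csrss.exe            13        608        11           2654208
254          explorer.exe         8         364        8            5955584
139          smss.exe             8         1613       9            1728283
152          wmic.exe             8         520        5            7872512
"""

# One table row: handles, name (may contain spaces), priority, pid, threads, wss.
ROW = re.compile(r"^(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_list_brief(text):
    """Return a list of (name, pid) tuples from the WMIC table text."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        m = ROW.match(line)
        if m:
            rows.append((m.group(2), int(m.group(4))))
    return rows

def suspicious_pids(rows):
    """Map singleton name -> extra PIDs. As in the post, the lowest PID is
    assumed to be the genuine copy (it started first); the rest are flagged."""
    by_name = defaultdict(list)
    for name, pid in rows:
        by_name[name.lower()].append(pid)
    return {n: sorted(p)[1:] for n, p in by_name.items()
            if n in SINGLETONS and len(p) > 1}

def terminate_commands(found):
    """WMIC console commands, in the form the post uses, one per flagged PID."""
    return [f"process where ProcessID='{pid}' call terminate"
            for pids in found.values() for pid in pids]

if __name__ == "__main__":
    hits = suspicious_pids(parse_list_brief(SAMPLE))   # {'smss.exe': [1613]}
    print("\n".join(terminate_commands(hits)))
```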


4 comments


2014-07-04 11:25:36


Doesnt always work says...
I have been trying to kill my Python script: WMIC call terminate returns successful but it is still there. Call the terminate command again and it says successful again. Even call delete doesn't kill it.

Any idea, instead of rebooting the machine?

Example:

```
c:jenkins_SQAworkspaceBIT_Auto_Tester_4>WMIC PROCESS WHERE "Commandline like "%python.exe%SetupUnitViaSerial.py__u_1__f_TCR_vmlinux_TCR_INITRAMFS[_]DEBUG_181786.full.img%" AND NOT Caption li
IC.exe%"" CALL TERMINATE
Executing (\\SAL-31610\ROOT\CIMV2:Win32_Process.Handle="2768")->TERMINATE()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
```


```
c:jenkins_SQAworkspaceBIT_Auto_Tester_4>WMIC PROCESS WHERE "Commandline like "%python.exe%SetupUnitViaSerial.py__u_1__f_TCR_vmlinux_TCR_INITRAMFS[_]DEBUG_181786.full.img%" AND NOT Caption li
IC.exe%"" CALL TERMINATE
Executing (\\SAL-31610\ROOT\CIMV2:Win32_Process.Handle="2768")->TERMINATE()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
```

2014-07-04 14:55:51


slonkak says...
I've noticed sometimes with scripting languages that they sometimes fork into multiple processes. Your one script might be "a part of" 2 or more other python processes, or if it was called from another process, killing the parent might help to kill the sub python process. Without seeing your process list while your script is running I'm not exactly sure what you need to kill.

2014-07-17 02:34:09


Sion O'Connor says...
Hi, thanks for the reply.

Sorry, it's been a while, but I thought it might have been a one-off.

But it's happening again. I've checked all other processes with WMIC when that locked python exists but nothing: no spawn, multiple python processes etc.

I even tried to use Task Manager to "End Process" and "End Process Tree" - it thinks success but it's still there.

Here is the list (only caption displayed for ease of reading):

```
C:\Users\Administrator>wmic PROCESS get caption
Caption
System Idle Process
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
services.exe
lsass.exe
lsm.exe
winlogon.exe
svchost.exe
svchost.exe
svchost.exe
LogonUI.exe
svchost.exe
svchost.exe
svchost.exe
SavService.exe
svchost.exe
spoolsv.exe
svchost.exe
armsvc.exe
svchost.exe
MSOIDSVC.EXE
svchost.exe
taskeng.exe
MSOIDSVCM.EXE
SAVAdminService.exe
ManagementAgentNT.exe
cmd.exe
conhost.exe
ALsvc.exe
cmd.exe
RouterNT.exe
swc_service.exe
java.exe
swi_service.exe
WmiPrvSE.exe
svchost.exe
SearchIndexer.exe
svchost.exe
LMS.exe
UNS.exe
OcsService.exe
csrss.exe
winlogon.exe
rdpclip.exe
taskhost.exe
dwm.exe
explorer.exe
communicator.exe
ALMon.exe
wmpnetwk.exe
python.exe
taskmgr.exe
cmd.exe
conhost.exe
WmiPrvSE.exe
audiodg.exe
SearchProtocolHost.exe
SearchFilterHost.exe
WMIC.exe
```

2014-07-17 06:59:08


slonkak says...
How is the script starting? Are you manually running it from a command prompt, like "python script.py"? Or is it started non-interactively somehow, like a Windows service or something?

My first thought is if you have a command prompt up, just hit CTRL+C. On Linux, you'd be able to also hit CTRL+Z to put the process to sleep and then kill it that way, but you can't do that on Windows.

If Python is spawned from something else, like a running command prompt (I see cmd.exe in your process list), try killing the command prompt and any process it spawned should also die.

Let me know if any of those things work.
