Solved

Terminate process by name.

Posted on 1998-11-19
10
1,011 Views
Last Modified: 2013-12-28
   Hi.   I need to write program that terminates
all processes with specific name.Can somebody advise me how
can I do that?

Thanks.
0
Comment
Question by:dpodvaln
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 1

Expert Comment

by:CaballeroF
ID: 1794920
Explain yourself a little more...
What kind of processes ?
Any Service ?
0
 
LVL 1

Expert Comment

by:CaballeroF
ID: 1794921
Sorry, i did not want to write an answer before. Only a comment...
0
 

Expert Comment

by:b9
ID: 1794922
If they have a main window, you can write and install a WH_CBT hook to kill them off before they even show onscreen.  That's what I did to kill off browser downloads here.  The download windows are new toplevel windows, so I caught HCBT_CREATEWND and moidered da lil buggers right there.  I SendMessage a WM_CLOSE first, then return 1 so the window is *destroyed*.  Source on request!  (I need the points, darnit. ;-)

0
 

Author Comment

by:dpodvaln
ID: 1794923
    Process that I want to terminate not necesserally has a main
window.   I want to do something like this :
   1.  process_pid = ProcessName2PID(process_name);
   2.  TerminateProcess(pid);

But I don't know how to do first step of this "algorithm".

      Thanks.
0
 
LVL 7

Expert Comment

by:ahalya
ID: 1794924
Well, you can iterate through all processes and find the PID corresponding to your required process. (using ToolHelp functions)

Here goes a Delphi code i used to find the PID of the process created by a given EXE file.

Handle:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
try
if Process32First(Handle,ProcessEntry) then
   repeat
   found := (EXEName =  String(ProcessEntry.szExeFile));
   until found or (not Process32Next(Handle,ProcessEntry));
finally
  CloseHandle(Handle);
  end;

0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Expert Comment

by:b9
ID: 1794925
TerminateProcess() is baaaaaaaaaaaaad.  The SDK docs say so.
0
 
LVL 7

Expert Comment

by:ahalya
ID: 1794926
btw, ToolHelp functions work in NT5 and in  NT4 with SP4 installed.
0
 

Author Comment

by:dpodvaln
ID: 1794927
   Sorry, I forgot to mention this.   I need this to the WinNT.
Not for the Win95.

    P.S.  ahalya : MSDN says that CreateToolhelp32Snapshot
function works only under Win 95.  So I suppose Your answer
will not work on WinNT.
0
 
LVL 7

Expert Comment

by:ahalya
ID: 1794928
if i recall right, in addition to Win95, ToolHelp functions work in NT5 and NT4 with SP4 installed.
0
 
LVL 7

Accepted Solution

by:
ahalya earned 150 total points
ID: 1794929
dpodvaln:

Here is the MS kb article on this:  q175-0-30.txt

This code works on NT (by using the PSAPI.DLL, download from MS) and Win95.
(i've removed the documentation on W95 to cut down the size).

using PSAPI.DLL you get the equivalent of "ToolHelp" functions in Win95.

========================================================
may be only the link would have been enough. but if you haven't already "registered" with MS, then going through their "registration process" to access the article takes an awful lot of patience. That's why 've pasted the code below.
=========================================================
Microsoft Win32 Application Programming Interface (API) included with:
         - Microsoft Windows NT version 4.0 - Microsoft Windows 95

     SUMMARY

One common programming problem in Win32 is the need to enumerate all "applications". The Task Manager under Windows NT 4.0 is a perfect  example of this. It lists "applications" in two ways. The first tab of the Task Manager lists all "application windows" on the desktop. The second tab of the Task Manager lists all the "processes" in the system. This article provides details on how to perform both these tasks in Windows 95 and Windows NT.

MORE INFORMATION

Windows NT and the PSAPI.DLL:

The Windows NT approach to creating a list of processes uses functions from the PSAPI.DLL. The PSAPI.DLL file is distributed with the Platform  SDK, which is available at http://www.microsoft.com/msdn/sdk (path: \MSSDK\bin\winnt\psapi.dll). The PSAPI.H and PSAPI.LIB files that you need are also included with the Platform SDK (paths: \Mssdk\samples\sdktools\image\winnt\pfmon\psapi.h and    \Mssdk\samples\sdktools\image\winnt\pfmon\psapi.lib).

To use the functions in the PSAPI.DLL, add the PSAPI.LIB file to your project, and include the PSAPI.H file with any modules that call the PSAPI.DLL functions. Remember to distribute the PSAPI.DLL file with any executable that uses it, as it is not currently distributed with the  crerating system.

Like the ToolHelp32 functions, the PSAPI.DLL also contains a variety of useful functions. However, this article only discusses those functions that are  relevant to enumerating processes:

        EnumProcesses(), EnumProcessModules(), GetModuleFileNameEx(),
        GetModuleBaseName().


     EnumProcesses() is the first step in creating a list of processes in the system. Following is its declaration:

        BOOL EnumProcesses( DWORD *lpidProcess, DWORD cb, DWORD *cbNeeded );


     EnumProcesses() takes a pointer to a DWORD array (lpidProcess), the size of the array (cb), and  a pointer to a DWORD to return the length of the data returned(cbNeeded). The DWORD array is  populated with an array of process ID's for the processes in the system. The pointer to the  DWORD parameter (cbNeeded) returns the size of the array that is used. The following calculation tells you how many process IDs were returned: nReturned = cbNeeded /
 sizeof(DWORD). One important note should be made. Although the documentation names the  returned DWORD "cbNeeded", there is actually no way to find out how big the passed in array  must be. EnumProcesses() will never return a value in cbNeeded that is larger than the size  of  array value that you passed in the cb parameter. As a result the only way to assure success with  the EnumProcesses() function is to allocate a DWORD array, if cbNeeded == cb upon return, allocate a larger array and try again until cbNeeded is smaller than cb.

Now you have an array with each process ID in the system. If your goal is to get the name of the process, then you must first get a handle. To get a handle from a process ID, use  
OpenProcess().

     Once you have a handle you will need to get the "first" module of the process. To get the first module of a process call the EnumProcessModules()
     API with the following parameters:

        EnumProcessModules( hProcess, &hModule, sizeof(hModule), &cbReturned );


This will put the handle of the first module of the process in the hModule variable. Remember  that a process doesn't really have a name, but that the first module in the process is going to     be the executable of the process. Now you can use the hModule with the  GetModuleFileNameEx(), GetModuleBaseName() to get the full path name, or the simple module name for the process executable. Both functions take the handle to the process, handle to the  module, and a buffer pointer in which to return the name, followed by the size of the buffer.

By repeating this for each process ID returned with the EnumProcesses(),you create a list of processes under Windows NT.

6-Bit Processes:
In Windows 95 16-bit applications are equal citizens as far as ToolHelp32 is concerned. 16-Bit applications have process IDs etc., just like Win32  applications. However, this is not the case under Windows NT.

16-Bit applications running under Windows NT run in what is called a Virtual Dos Machine (VDM). EnumProcesses will not recognize any 16-bit  applications in the system, however it will return the 32-bit NTVDM processes under which the 16-bit EXE's are running. To enumerate 16-bit  applications under Windows NT you must use a function called EnumTaskWOWEx(). You must include the VDMDBG.H in your source module,  and the VDMDBG.LIB file should be linked with your project. These two files are shipped with the Platform SDK.

The declaration of this function is as follows:

INT WINAPI VDMEnumTaskWOWEx( DWORD dwProcessId, TASKENUMPROCEX fp,
                                     LPARAM lparam );


where dwProcessId is the id of the NTVDM process whose 16-bit tasks you want to enumerate.  The fp parameter is a pointer to a callback "enum" function. And the lparam parameter is a user-defined lparam to be passed to your enum function.

Your "enum" function should be defined as follows:
    BOOL WINAPI Enum16( DWORD dwThreadId, WORD hMod16, WORD hTask16, PSZ
                           pszModName, PSZ pszFileName, LPARAM lpUserDefined );


This function will be called once per 16-bit task running under the NTVDM process passed into VDMEnumTaskWOWEx(). You should return FALSE if you wish to continue enumerating and TRUE  if you wish to end enumeration. NOTE: This is the opposite of EnumWindows().

Sample Code

The following sample code encapsulates the PSAPI.DLL and ToolHelp32 functions into one function called "EnumProcs()". This function works similar to EnumWindows() in that it takes a pointer to a function and calls it repeatedly, once for each process in the system. Following is the declaration for the function:

        BOOL WINAPI EnumProcs( PROCENUMPROC lpProc, LPARAM lParam );


     If you use this function, the callback function should be declared as follows:

        BOOL CALLBACK Proc( DWORD dw, WORD w16, LPCSTR lpstr, LPARAM lParam );


The dw parameter will contain the ID, the w16 is the 16-bit task number or 0 if 32-bit process     (always zero under Windows 95), the lpstr parameter will point to the filename, and the lParam  is the user-defined lParam passed into EnumProcs().

The EnumProcs() function uses the ToolHelp32 and PSAPI.DLL functions via explicit linking, rather than the more common implicit linking. This  technique is used so that the code including the EnumProcs() function will be binary compatible across both Windows NT and Windows 95. (For  example, implicit linking of a ToolHelp32 function would cause an EXE to fail to load and run under Windows NT.)

        /*********************
        EnumProc.h
        *********************/
        #include <windows.h>

        typedef BOOL (CALLBACK *PROCENUMPROC)( DWORD, WORD, LPSTR,
           LPARAM ) ;

        BOOL WINAPI EnumProcs( PROCENUMPROC lpProc, LPARAM lParam ) ;

        /*********************
        EnumProc.c (or .cpp)
        *********************/
        #include "EnumProc.h"
        #include <tlhelp32.h>
        #include <vdmdbg.h>

        typedef struct
        {
           DWORD          dwPID ;
           PROCENUMPROC   lpProc ;
           DWORD          lParam ;
           BOOL           bEnd ;
        } EnumInfoStruct ;

        BOOL WINAPI Enum16( DWORD dwThreadId, WORD hMod16, WORD hTask16,
           PSZ pszModName, PSZ pszFileName, LPARAM lpUserDefined ) ;

        // The EnumProcs function takes a pointer to a callback function
        // that will be called once per process in the system providing
        // process EXE filename and process ID.
        // Callback function definition:
        // BOOL CALLBACK Proc( DWORD dw, LPCSTR lpstr, LPARAM lParam ) ;
        //
        // lpProc -- Address of callback routine.
        //
        // lParam -- A user-defined LPARAM value to be passed to
        //           the callback routine.
        BOOL WINAPI EnumProcs( PROCENUMPROC lpProc, LPARAM lParam )
        {
           OSVERSIONINFO  osver ;
           HINSTANCE      hInstLib ;
           HINSTANCE      hInstLib2 ;
           HANDLE         hSnapShot ;
           PROCESSENTRY32 procentry ;
           BOOL           bFlag ;
           LPDWORD        lpdwPIDs ;
           DWORD          dwSize, dwSize2, dwIndex ;
           HMODULE        hMod ;
           HANDLE         hProcess ;
           char           szFileName[ MAX_PATH ] ;
           EnumInfoStruct sInfo ;

           // ToolHelp Function Pointers.
           HANDLE (WINAPI *lpfCreateToolhelp32Snapshot)(DWORD,DWORD) ;
           BOOL (WINAPI *lpfProcess32First)(HANDLE,LPPROCESSENTRY32) ;
           BOOL (WINAPI *lpfProcess32Next)(HANDLE,LPPROCESSENTRY32) ;

           // PSAPI Function Pointers.
           BOOL (WINAPI *lpfEnumProcesses)( DWORD *, DWORD cb, DWORD * );
           BOOL (WINAPI *lpfEnumProcessModules)( HANDLE, HMODULE *,
              DWORD, LPDWORD );
           DWORD (WINAPI *lpfGetModuleFileNameEx)( HANDLE, HMODULE,
              LPTSTR, DWORD );

           // VDMDBG Function Pointers.
           INT (WINAPI *lpfVDMEnumTaskWOWEx)( DWORD,
              TASKENUMPROCEX  fp, LPARAM );


           // Check to see if were running under Windows95 or
           // Windows NT.
           osver.dwOSVersionInfoSize = sizeof( osver ) ;
           if( !GetVersionEx( &osver ) )
           {
              return FALSE ;
           }

           // If Windows NT:
           if( osver.dwPlatformId == VER_PLATFORM_WIN32_NT )
           {

              // Load library and get the procedures explicitly. We do
              // this so that we don't have to worry about modules using
              // this code failing to load under Windows 95, because
              // it can't resolve references to the PSAPI.DLL.
              hInstLib = LoadLibraryA( "PSAPI.DLL" ) ;
              if( hInstLib == NULL )
                 return FALSE ;

              hInstLib2 = LoadLibraryA( "VDMDBG.DLL" ) ;
              if( hInstLib2 == NULL )
                 return FALSE ;

              // Get procedure addresses.
              lpfEnumProcesses = (BOOL(WINAPI *)(DWORD *,DWORD,DWORD*))
                 GetProcAddress( hInstLib, "EnumProcesses" ) ;
              lpfEnumProcessModules = (BOOL(WINAPI *)(HANDLE, HMODULE *,
                 DWORD, LPDWORD)) GetProcAddress( hInstLib,
                 "EnumProcessModules" ) ;
              lpfGetModuleFileNameEx =(DWORD (WINAPI *)(HANDLE, HMODULE,
                 LPTSTR, DWORD )) GetProcAddress( hInstLib,
                 "GetModuleFileNameExA" ) ;
              lpfVDMEnumTaskWOWEx =(INT(WINAPI *)( DWORD, TASKENUMPROCEX,
                 LPARAM))GetProcAddress( hInstLib2, "VDMEnumTaskWOWEx" );
              if( lpfEnumProcesses == NULL ||
                 lpfEnumProcessModules == NULL ||
                 lpfGetModuleFileNameEx == NULL ||
                 lpfVDMEnumTaskWOWEx == NULL)
                 {
                    FreeLibrary( hInstLib ) ;
                    FreeLibrary( hInstLib2 ) ;
                    return FALSE ;
                 }

              // Call the PSAPI function EnumProcesses to get all of the
              // ProcID's currently in the system.
              // NOTE: In the documentation, the third parameter of
              // EnumProcesses is named cbNeeded, which implies that you
              // can call the function once to find out how much space to
              // allocate for a buffer and again to fill the buffer.
              // This is not the case. The cbNeeded parameter returns
              // the number of PIDs returned, so if your buffer size is
              // zero cbNeeded returns zero.
              // NOTE: The "HeapAlloc" loop here ensures that we
              // actually allocate a buffer large enough for all the
              // PIDs in the system.
              dwSize2 = 256 * sizeof( DWORD ) ;
              lpdwPIDs = NULL ;
              do
              {
                 if( lpdwPIDs )
                 {
                    HeapFree( GetProcessHeap(), 0, lpdwPIDs ) ;
                    dwSize2 *= 2 ;
                 }
                 lpdwPIDs = HeapAlloc( GetProcessHeap(), 0, dwSize2 );
                 if( lpdwPIDs == NULL )
                 {
                    FreeLibrary( hInstLib ) ;
                    FreeLibrary( hInstLib2 ) ;
                    return FALSE ;
                 }
                 if( !lpfEnumProcesses( lpdwPIDs, dwSize2, &dwSize ) )
                 {
                    HeapFree( GetProcessHeap(), 0, lpdwPIDs ) ;
                    FreeLibrary( hInstLib ) ;
                    FreeLibrary( hInstLib2 ) ;
                    return FALSE ;
                 }
              }while( dwSize == dwSize2 ) ;

              // How many ProcID's did we get?
              dwSize /= sizeof( DWORD ) ;

              // Loop through each ProcID.
              for( dwIndex = 0 ; dwIndex < dwSize ; dwIndex++ )
              {
                 szFileName[0] = 0 ;
                 // Open the process (if we can... security does not
                 // permit every process in the system).
                 hProcess = OpenProcess(
                    PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                    FALSE, lpdwPIDs[ dwIndex ] ) ;
                 if( hProcess != NULL )
                 {
                    // Here we call EnumProcessModules to get only the
                    // first module in the process this is important,
                    // because this will be the .EXE module for which we
                    // will retrieve the full path name in a second.
                    if( lpfEnumProcessModules( hProcess, &hMod,
                       sizeof( hMod ), &dwSize2 ) )
                    {
                       // Get Full pathname:
                       if( !lpfGetModuleFileNameEx( hProcess, hMod,
                          szFileName, sizeof( szFileName ) ) )
                       {
                          szFileName[0] = 0 ;
                         }
                    }
                    CloseHandle( hProcess ) ;
                 }
                 // Regardless of OpenProcess success or failure, we
                 // still call the enum func with the ProcID.
                 if(!lpProc( lpdwPIDs[dwIndex], 0, szFileName, lParam))
                    break ;

                 // Did we just bump into an NTVDM?
                 if( _stricmp( szFileName+(strlen(szFileName)-9),
                    "NTVDM.EXE")==0)
                 {
                    // Fill in some info for the 16-bit enum proc.
                    sInfo.dwPID = lpdwPIDs[dwIndex] ;
                    sInfo.lpProc = lpProc ;
                    sInfo.lParam = lParam ;
                    sInfo.bEnd = FALSE ;
                    // Enum the 16-bit stuff.
                    lpfVDMEnumTaskWOWEx( lpdwPIDs[dwIndex],
                       (TASKENUMPROCEX) Enum16,
                       (LPARAM) &sInfo);

                    // Did our main enum func say quit?
                    if(sInfo.bEnd)
                       break ;
                 }
              }

              HeapFree( GetProcessHeap(), 0, lpdwPIDs ) ;
              FreeLibrary( hInstLib2 ) ;

           // If Windows 95:
           }else if( osver.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS )
           {


              hInstLib = LoadLibraryA( "Kernel32.DLL" ) ;
              if( hInstLib == NULL )
                 return FALSE ;

              // Get procedure addresses.
              // We are linking to these functions of Kernel32
              // explicitly, because otherwise a module using
              // this code would fail to load under Windows NT,
              // which does not have the Toolhelp32
              // functions in the Kernel 32.
              lpfCreateToolhelp32Snapshot=
                 (HANDLE(WINAPI *)(DWORD,DWORD))
                 GetProcAddress( hInstLib,
                 "CreateToolhelp32Snapshot" ) ;
              lpfProcess32First=
                 (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32))
                 GetProcAddress( hInstLib, "Process32First" ) ;
              lpfProcess32Next=
                 (BOOL(WINAPI *)(HANDLE,LPPROCESSENTRY32))
                 GetProcAddress( hInstLib, "Process32Next" ) ;
              if( lpfProcess32Next == NULL ||
                 lpfProcess32First == NULL ||
                 lpfCreateToolhelp32Snapshot == NULL )
              {
                 FreeLibrary( hInstLib ) ;
                 return FALSE ;
              }

              // Get a handle to a Toolhelp snapshot of the systems
              // processes.
              hSnapShot = lpfCreateToolhelp32Snapshot(
                 TH32CS_SNAPPROCESS, 0 ) ;
              if( hSnapShot == INVALID_HANDLE_VALUE )
              {
                 FreeLibrary( hInstLib ) ;
                 return FALSE ;
              }

              // Get the first process' information.
              procentry.dwSize = sizeof(PROCESSENTRY32) ;
              bFlag = lpfProcess32First( hSnapShot, &procentry ) ;

              // While there are processes, keep looping.
              while( bFlag )
              {
                 // Call the enum func with the filename and ProcID.
                 if(lpProc( procentry.th32ProcessID, 0,
                    procentry.szExeFile, lParam ))
                 {
                    procentry.dwSize = sizeof(PROCESSENTRY32) ;
                    bFlag = lpfProcess32Next( hSnapShot, &procentry );
                 }else
                    bFlag = FALSE ;
              }


           }else
              return FALSE ;

           // Free the library.
           FreeLibrary( hInstLib ) ;

           return TRUE ;
        }

        BOOL WINAPI Enum16( DWORD dwThreadId, WORD hMod16, WORD hTask16,
           PSZ pszModName, PSZ pszFileName, LPARAM lpUserDefined )
        {
           BOOL bRet ;

           EnumInfoStruct *psInfo = (EnumInfoStruct *)lpUserDefined ;

           bRet = psInfo->lpProc( psInfo->dwPID, hTask16, pszFileName,
              psInfo->lParam ) ;

           if(!bRet)
           {
              psInfo->bEnd = TRUE ;
           }

           return !bRet;
        }


     
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now