A short update and a cool process killing trick

My blog has moved.
You can view this post at the following address:
http://www.osherove.com/blog/2004/8/21/a-short-update-and-a-cool-process-killing-trick.html
Published Saturday, August 21, 2004 3:27 PM by RoyOsherove

Comments

Saturday, August 21, 2004 2:57 PM by James Steele

# re: A short update and a cool process killing trick

Hey Roy,

Thanks for the cool tip Roy. Could not have come at a better time. I have been having trouble trying to load a large playlist in WinAmp. It kept hanging and I was having a heck of a time trying to kill the process! Not anymore.

BTW Family/Personal Health before Professional Health. Nice to see someone with their priorities straight.
Saturday, August 21, 2004 4:01 PM by Pavel Lebedinsky

# re: A short update and a cool process killing trick

This was a good way to kill processes on Win2K, which doesn't come with a command line tool like kill.exe. The reason it works in some cases when task manager doesn't is because ntsd enables SeDebugPrivilege, allowing you to open processes that you otherwise wouldn't have access to.

On XP and Win2003 however you should just use taskkill.exe. It's more reliable and should even work in some cases when ntsd wouldn't - for example, if the process is deadlocked on the loader lock. Ntsd will not be able to attach to such a process (it will eventually time out and suspend it, but when you type 'q' it will simply quit and resume the process, unless you do .kill first).
Saturday, August 21, 2004 4:51 PM by Roy Osherove

# re: A short update and a cool process killing trick

Wow Pavel. Thanks for the great advice! I didn't even know TaskKill existed up until now. Perhaps you have some more cool low-level debugging and process manipulation stuff you'd like to share? Actually, why don't you have a weblog?
:)
Saturday, August 21, 2004 4:51 PM by Roy Osherove

# re: A short update and a cool process killing trick

James: Thanks :)
Saturday, August 21, 2004 6:16 PM by Pavel Lebedinsky

# re: A short update and a cool process killing trick

OK, here's another tip :)

One situation where ntsd does come in handy even on XP+ is when you want to change priority of a system process.

Let's say a service (for example, msdtc) is taking up 100% CPU. You want to let it finish whatever it's doing but you don't want it to slow down your interactive processes.

So you open up task manager, right-click on the msdtc process and try to change its priority. This fails with access denied because msdtc runs as NETWORK SERVICE and its security descriptor doesn't give you any access.
Saturday, August 21, 2004 6:18 PM by Pavel Lebedinsky

# re: A short update and a cool process killing trick

(continued)

Fortunately, you can launch task manager under debugger (ntsd taskmgr). Ntsd enables SeDebugPrivilege in its token, and taskmgr inherits this setting so it can now open system processes too. You can even detach the debugger (type 'qd', Enter) and use this instance of task manager to kill system processes or change their priorities.
Saturday, August 21, 2004 6:23 PM by Roy Osherove

# re: A short update and a cool process killing trick

Pavel: Very nice! So theoretically I could create a batch file to run at startup that launches the Task list with elevated SeDebug privileges using ntsd, right?
The only question now is how do you send a "qd" to ntsd from a batch file once ntsd is already running on the shell.
Hmmm.... any idea?
Saturday, August 21, 2004 6:32 PM by Pavel Lebedinsky

# re: A short update and a cool process killing trick

Yes this should work. You can auto-detach debugger using this command line:

ntsd -hd -c "qd" taskmgr

-c "qd" tells the debugger to execute the 'qd' command at the first breakpoint.

-hd forces the target process to use the regular heap (when a process is started under a debugger the default is to use the NT debug heap, which is slower and takes up more memory).
Saturday, August 21, 2004 6:52 PM by Roy Osherove

# re: A short update and a cool process killing trick

Awesome! What exactly do you do to have such in-depth knowledge in this area?
Saturday, August 21, 2004 7:02 PM by Roy Osherove

# re: A short update and a cool process killing trick

If I start TaskMgr with the elevated privileges I'm guessing it will also have the power to kill those processes that wouldn't die earlier. Am I right?
Also - is there a way to mimic such a process that wouldn't die any other way, just so I can test it out?
Saturday, August 21, 2004 7:52 PM by Pavel Lebedinsky

# re: A short update and a cool process killing trick

Actually, it looks like on XP SP2 task manager automatically enables SeDebugPrivilege when you try to kill a process. This can easily be seen in a debugger (just put a breakpoint on ADVAPI32!AdjustTokenPrivileges).

For some reason taskmgr doesn't do this when you try to change the priority of a process.

So starting taskmgr under a debugger is only necessary if you want to change the priority of a process that you normally don't have access to. It is not needed if you want to kill such a process (at least, not on XP SP2).
Thursday, August 26, 2004 11:54 AM by TrackBack

# Revisited: Killing a process, Introducing: TaskKiller

Wednesday, September 15, 2004 9:48 AM by D.Williams

# re: A short update and a cool process killing trick

How to kill a process that wouldn't die through the TaskList dialog

1. Locate the process ID (make the "PID" column visible in the task list).
2. Open a command prompt.
3. Type "ntsd -p [PID]" without the quotes.
4. You've just entered a low-level debugger and you'll notice that you are now inside a breakpoint on that process that wouldn't die.
5. Type "q" and ENTER to quit the debugger and the process will die along with it.
6. This works for services too.

===========================================================

For those of you who want to use the above tip (i.e. the original tip, at the top) but think - why not use a batch file instead, you can do what I did and it works fine.

It might not be the most elegant way of doing it and I am sure someone else will come up with a better way but until then, it works ok for me :-)

I am using WinXP sp2 but it should work fine with other versions of NT!
Also you can use either the .bat extension or the .cmd extension.

Now create 3 batch files i.e.

- kill-p1.bat
- kill-p2.bat
- kill-p.txt

=========================

Kill-p1.bat should look like -

=========================

@echo off
echo.
rem Work from System32 so kill-p2.bat and kill-p.txt are found wherever this is launched from.
CD %SYSTEMROOT%\System32\
rem Show the usage text, then drop into a command shell that stays open (cmd /k).
type %SYSTEMROOT%\System32\kill-P.txt
echo.
echo.
echo.
echo.
echo.
echo.
cmd /k
@echo on

=========================

Kill-p2.bat should look like -

=========================

@echo off
echo.
CD %SYSTEMROOT%\System32\
rem Refuse to run without a PID: "ntsd -p" with no argument is an error, not a no-op.
if "%1"=="" (echo Usage: kill-p2 [PID] & exit /b 1)
rem Attach ntsd to the PID and run "q" at the first breakpoint; quitting the
rem debugger terminates the attached process.
ntsd -p %1 -c "q"
exit

=========================

Kill-p.txt should look like -

=========================

now use this on the command prompt below -

kill-p2 [PID]

[PID] = process id without the []

e.g. kill-p2 9999

=========================

The 3 files should be copied to your %SYSTEMROOT%\System32\
folder, i.e. where you installed Windows XP etc., for it to work properly and also so you can use it by going to START ---> RUN etc.

Kill-p1.bat
=======

puts you in your %SYSTEMROOT%\System32 folder and lets you know how to use the Kill-p2.bat by displaying the kill-p.txt.

Kill-p2.bat
=======

Does the job if used as instructed on the displayed text. It's exactly like in the original thread (above) but saves you the job of typing it out and manually quitting ntsd.


*** Use with caution, i.e. make sure you have the right process id because it has the potential of crashing your computer if you use it inadvertently on critical system processes ***
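The two tricks in this thread (Pavel's "launch taskmgr under ntsd so it inherits SeDebugPrivilege and can change the priority of a NETWORK SERVICE process", and the kill-by-PID procedure above) both come down to one thing: getting SeDebugPrivilege enabled in the token of the process that opens the target. The script below is an added example, not code from the thread or from any commenter; it enables the privilege directly with the same ADVAPI32!AdjustTokenPrivileges call Pavel breakpointed, then either kills the process or drops its priority. The script name, the Enable-Privilege function and the P/Invoke wrapper names are my own. It assumes an elevated (administrator) PowerShell session, since only an administrator token carries SeDebugPrivilege on Vista and later, and it assumes the target is not a protected process (PPL), which the privilege does not open.

```powershell
<#
  Added example (not from the thread): enable SeDebugPrivilege in this
  PowerShell process, the same thing ntsd does for itself and that taskmgr
  inherits when launched with "ntsd -hd -c qd taskmgr", then use it to kill
  or re-prioritise a process whose DACL would otherwise deny access.
  Assumptions: an elevated (administrator) PowerShell session; the target is
  not a protected process (PPL), which SeDebugPrivilege does not open.
#>
param(
    [Parameter(Mandatory = $true)][int]$ProcessId,
    [ValidateSet('Kill', 'BelowNormal', 'Idle')][string]$Action = 'BelowNormal'
)

# P/Invoke signatures for the three calls behind "enable a privilege"; the
# last is the ADVAPI32!AdjustTokenPrivileges that taskmgr calls when killing.
Add-Type -Namespace Win32 -Name Priv -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct LUID { public uint LowPart; public int HighPart; }

[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES {
    public uint PrivilegeCount;   // always 1 here
    public LUID Luid;
    public uint Attributes;       // SE_PRIVILEGE_ENABLED
}

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
    ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Enable-Privilege {
    param([string]$Name)
    $TOKEN_ADJUST_PRIVILEGES = 0x0020
    $TOKEN_QUERY             = 0x0008
    $SE_PRIVILEGE_ENABLED    = 0x0002
    $ERROR_NOT_ALL_ASSIGNED  = 1300

    $token = [IntPtr]::Zero
    $self  = [System.Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [Win32.Priv]::OpenProcessToken($self, $TOKEN_ADJUST_PRIVILEGES -bor $TOKEN_QUERY, [ref]$token)) {
        throw "OpenProcessToken failed: $((New-Object ComponentModel.Win32Exception).Message)"
    }
    try {
        $luid = New-Object 'Win32.Priv+LUID'
        if (-not [Win32.Priv]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
            throw "LookupPrivilegeValue('$Name') failed"
        }
        $tp = New-Object 'Win32.Priv+TOKEN_PRIVILEGES'
        $tp.PrivilegeCount = 1
        $tp.Luid           = $luid
        $tp.Attributes     = $SE_PRIVILEGE_ENABLED
        [void][Win32.Priv]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        # AdjustTokenPrivileges returns TRUE even when the privilege is not in
        # the token at all; ERROR_NOT_ALL_ASSIGNED is the real failure signal.
        if ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_NOT_ALL_ASSIGNED) {
            throw "$Name is not held by this token; run from an elevated prompt"
        }
    } finally {
        [void][Win32.Priv]::CloseHandle($token)
    }
}

Enable-Privilege 'SeDebugPrivilege'

# With SeDebugPrivilege enabled the kernel grants the open regardless of the
# target's DACL, so the .NET Process wrapper can now set priority or terminate.
$target = Get-Process -Id $ProcessId -ErrorAction Stop
switch ($Action) {
    'Kill' {
        $target.Kill()
        "Terminated $($target.ProcessName) (PID $ProcessId)"
    }
    default {
        $target.PriorityClass = [System.Diagnostics.ProcessPriorityClass]$Action
        "PID $ProcessId ($($target.ProcessName)) now $($target.PriorityClass)"
    }
}
```

Run it as, for example, `.\Set-ProcPriv.ps1 -ProcessId 1234 -Action BelowNormal` to do what taskmgr cannot do for a NETWORK SERVICE process, or `-Action Kill` for the kill-by-PID case. The same caution as the batch files applies: check the PID first, because with the privilege enabled nothing stops you from terminating a critical system process. Checking GetLastWin32Error for ERROR_NOT_ALL_ASSIGNED matters: the common mistake is to treat a TRUE return from AdjustTokenPrivileges as success and then get an unexplained access denied on the OpenProcess that follows.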
Wednesday, September 15, 2004 9:51 AM by D.Williams

# re: A short update and a cool process killing trick

Obviously you start the whole sequence by using the kill-p1.bat !!!