Hello,
Is it possible to kill a process without the use of the Task Manager or command prompt in Windows XP or 2k?
If so, can it be done using Windows tools, or are there third-party tools to do this?
shutdown should do the trick ....
Turn off the computer? :D
Are you saying that there is no access to Task Manager (CTRL+ALT+DEL) and that you can't use the command line (that is, to run a 3rd-party tool)?
Kill Utility or use scripts to kill processes.
Shut down the computer, or the proggie shutdown??
'Cause the programs shutdown.exe and psshutdown.exe only work via the command prompt (or batch files, that is), and that's not what I meant.
http://www.winpatrol.com
There are many others, but that particular utility offers a lot of added security value and is free to private users.
Cheers
Power off the computer.
So what did you mean?
Quote:
..and that's not what I meant.
Correct msmittens, that's exactly what I mean: no option to run batch files, no command.com or cmd.exe, and no <ctrl>-<alt>-<del> for the Task Manager.
Also no option for the scheduler to start the Task Manager.
And users have user rights.
So kill.exe doesn't work; the scripts have to be changed for local processes, but perhaps they will work, I'll check it out!
You can use the API in VB to kill processes. Look at planetsourcecode for details.
Correct me if I'm wrong, but this sounds like you are stuck with some program or process that is not responding. The computer that you are using has a policy that forbids running cmd and ctrl-alt-del.
Let's see, you can always log off... but then you have an issue with open files (changes won't be saved).
You could make a shortcut on your desktop, with the command line
runas /user:<admin> taskmgr
<admin> must be a user with administrative permissions of course. Any other app needs administrative permissions in order to stop processes that are not running with user permissions.
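The "use scripts to kill processes" and "use the API to kill processes" suggestions above, together with the permissions caveat in the last post, can all be seen in one place with a WSH script. The following is an added example and is not code from the thread or from any of its posters: it lists processes through WMI (Win32_Process), asks for a PID in an InputBox and calls Terminate on it, so neither cmd.exe nor taskmgr.exe is involved. It assumes that WSH and WMI are available and that double-clicking a .vbs file is not itself blocked by policy on the machine. The return code of Terminate is decoded so the reader can see the wall a plain user hits: 2 (access denied) or 3 (insufficient privilege) for any process owned by another account, such as a SYSTEM service.

```vbscript
' Added example (not from the thread or any of its posters): a process lister
' and killer driven entirely by WSH dialogs, so it needs neither cmd.exe nor
' taskmgr.exe.  Save as kill.vbs and double-click it (wscript.exe).
' Assumptions: WSH and WMI are available and .vbs files are not blocked by
' policy on the machine in question.
Option Explicit

Const MAX_PROMPT = 900   ' InputBox prompts are limited to about 1 KB

Dim wmi, pattern, listing, matches, pid, proc, found, rc

Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Ask for part of an image name first, so the list stays readable on a busy box
pattern = LCase(InputBox("Image name or part of it (blank = every process):", "Find process"))

listing = "" : matches = 0
For Each proc In wmi.ExecQuery("SELECT * FROM Win32_Process")
    If pattern = "" Or InStr(LCase(proc.Name), pattern) > 0 Then
        matches = matches + 1
        If Len(listing) < MAX_PROMPT Then
            listing = listing & proc.ProcessId & vbTab & proc.Name & vbTab & Owner(proc) & vbCrLf
        End If
    End If
Next

If matches = 0 Then
    MsgBox "No running process matches '" & pattern & "'.", vbInformation, "Find process"
    WScript.Quit
End If
If Len(listing) >= MAX_PROMPT Then listing = listing & "... (truncated, narrow the filter)" & vbCrLf

pid = InputBox(listing & vbCrLf & "PID to terminate (blank = cancel):", matches & " process(es)")
If pid = "" Or Not IsNumeric(pid) Then WScript.Quit

' Look the PID up again rather than trusting the snapshot above; it may be stale
found = False
For Each proc In wmi.ExecQuery("SELECT * FROM Win32_Process WHERE ProcessId = " & CLng(pid))
    found = True
    rc = proc.Terminate()
    MsgBox proc.Name & " (PID " & pid & "), owner " & Owner(proc) & vbCrLf & _
           "Terminate returned " & rc & ": " & Explain(rc), vbInformation, "Result"
Next
If Not found Then MsgBox "PID " & pid & " is no longer running.", vbExclamation, "Result"

' Account the process runs under.  GetOwner fails for processes the caller is
' not allowed to open, which for a plain user typically includes SYSTEM
' services such as an antivirus engine.
Function Owner(p)
    Dim user, domain
    If p.GetOwner(user, domain) = 0 Then
        Owner = domain & "\" & user
    Else
        Owner = "(not readable)"
    End If
End Function

' Win32_Process.Terminate return codes.  2 and 3 are what a restricted user
' gets when aiming at a process that is not its own: the same privilege wall
' the thread keeps running into.
Function Explain(code)
    Select Case code
        Case 0:    Explain = "terminated"
        Case 2:    Explain = "access denied (process belongs to another account)"
        Case 3:    Explain = "insufficient privilege"
        Case 8:    Explain = "unknown failure"
        Case 9:    Explain = "path not found"
        Case 21:   Explain = "invalid parameter"
        Case Else: Explain = "undocumented code"
    End Select
End Function
```

Running it as an ordinary user against a process of your own (a notepad.exe you started, say) returns 0; pointing it at a service that runs as SYSTEM returns 2 or 3, which is the limit the later posts describe. Note that the script does not elevate anything; it only makes the existing permission check visible without a console.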
Hi lepricaun,
A bit more information has been given so can I ask for even more?
When you get to the point that you want to kill the proggy, are you still getting a response from the keyboard and mouse.......or are they frozen?
If they are frozen, it is the plug on the wall or the I/O switch I am afraid................use the I/O switch of course, it has a 750mA fuse :D
Cheers
OK, more info:
I'm helping my administrator secure the network; every time he had disabled something, I've found a way to get around it...
and let him disable that too.
But now I'm stuck!
Suppose I want to kill the process of the virus scanner; it is automatically started via the registry every time I log in...
I have user rights, so I can't use the scheduler to open a taskmgr as SYSTEM; the taskmgr is blocked from opening for users as well, and so are cmd.exe and command.com.
I've found a program called kill.exe, but this is command-line based, so no use for me...
Also the batch files can't be executed, blocked as well...
Also, since I'm a user, I cannot install anything that writes something to the registry....
I even tried opening a port for netcat, and netcat to it to get a shell, but this is also blocked (not the port, but the prompt, since it is executed as my username...)
B.t.w. I know the local admin password, and the network admin password, so don't bother with getting admin, 'cause I already am :)
Aha... so the trick is how to achieve that with user rights.
Since your admin has closed most of it... I don't think that it could be achieved with a common program.... you need something that uses known flaws...
I guess that you should try with VB or Java scripting in HTML, because we all know that IE is the most vulnerable...
Unfortunately I don't have much experience in that area. Any more ideas?
CTRL ALT + ESC for processes.
Other than that, ALT+F4 shuts down whatever prog you have running as the top window.
Create a text file with the registry key you want to "modify", rename it to .reg, execute it.. bingo, registry modified..
The new key will overwrite the old..
cheers
Very possible. On the Windows 2000 OS CD-ROM there is a program called kill.exe, or something similar to that name. It closes all processes in Windows and only leaves system ones running; there is also another program on the disk that can be used to close ports. Now, how true this is I'm not sure, I was told this.
You could do several things to kill the process. You could use an alternative task manager, available on the internet, scripts, and other things.
Task Manager is very unreliable in some cases. Simple API code, as demonstrated below, could prevent Task Manager from showing you the process list, so it is always good to keep some kind of program that can kill tasks besides Task Manager.
Quote:
Originally posted here by lepricaun
hello,
is it possible to kill a process without the use of the Task Manager or command prompt in Windows XP or 2k?
if so, can it be done using Windows tools, or are there third-party tools to do this?
Code:
'API calls
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long
Private Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
Private Const SW_HIDE = 0

'Hide the Task Manager's "End Process" button and its process list.
'Window walk: top-level dialog (#32770, "Windows Task Manager") ->
'first child dialog (#32770, the tab page) -> the control on that page.
'Each helper returns the control's hWnd, or 0 if Task Manager is not open.
Function HideButton() As Long
    Dim lParent As Long
    Dim lChild(1 To 2) As Long
    lParent = FindWindow("#32770", "Windows Task Manager")
    If lParent = 0 Then Exit Function
    lChild(1) = FindWindowEx(lParent, 0, "#32770", "")
    lChild(2) = FindWindowEx(lChild(1), 0, "Button", "&End Process")
    HideButton = lChild(2)
End Function

Function HideSysListView32() As Long
    Dim lParent As Long
    Dim lChild(1 To 2) As Long
    lParent = FindWindow("#32770", "Windows Task Manager")
    If lParent = 0 Then Exit Function
    lChild(1) = FindWindowEx(lParent, 0, "#32770", "")
    lChild(2) = FindWindowEx(lChild(1), 0, "SysListView32", "Processes")
    HideSysListView32 = lChild(2)
End Function

'Re-hide both controls on every tick, because Task Manager redraws them
'when it refreshes; ShowWindow on an hWnd of 0 is a harmless no-op.
Private Sub Timer1_Timer()
    ShowWindow HideButton, SW_HIDE
    ShowWindow HideSysListView32, SW_HIDE
End Sub
OK, tried that, I get no errors, but how can I test if it works?? I've written a string to the RunOnce key, but when I reboot, the program doesn't start up...
Quote:
create a text file with the registry key you want to "modify", rename it to .reg, execute it.. bingo, registry modified..
I got the program, but I can not execute it via the command prompt, or via a text file, since they are both blocked...
Quote:
Very possible. On the Windows 2000 OS CD-ROM there is a program called kill.exe, or something similar to that name. It closes all processes in Windows and only leaves system ones running; there is also another program on the disk that can be used to close ports. Now, how true this is I'm not sure, I was told this. You could do several things to kill the process. You could use an alternative task manager, available on the internet, scripts, and other things. Task Manager is very unreliable in some cases. Simple API code, as demonstrated below, could prevent Task Manager from showing you the process list, so it is always good to keep some kind of program that can kill tasks besides Task Manager.
It just works the same as <alt>+<tab>, changing windows, not stopping them, but my problem is that the process that is running hasn't got a window.
Quote:
CTRL ALT + ESC for processes.
Found the script that msmittens gave a few posts ago, but can not check if this works, 'cause I'll have to find another proggie which can list the processes.
Quote:
I guess that you should try with VB or Java scripting in HTML because we all know that IE is the most vulnerable...
Tried to find Tlist.exe, but no luck!
Check this thread out. I believe I have a link to kill.exe and tlist.exe and a few other utils. :D
thanks msmittens, i think this will work!!!
Sorry, but parts of your story do not ring true... If you had been circumventing the admin's "efforts to lock down" the system you would already be familiar with editing the registry.. and RunOnce is not the only key you would fiddle with..
Sorry, I smell a rat
First of all, I don't like being accused of something that you don't know anything about; read my tutorial if you don't believe me:
Quote:
Sorry but parts of your story do not ring true... If you had been circumventing the admin's "efforts to lock down" the system you would already be familiar with editing the registry.. and RunOnce is not the only key you would fiddle with..
http://www.antionline.com/showthread...hreadid=253958
Why would I bother with all this trouble, when I can get admin access in a second, with or without knowing the password??????
Second of all, I know what I did wrong with the registry: I wrote a line between "" instead of just writing it down...
and it did work.
But my problem is that this system is in a domain, and all the restrictions are made from the server, and not locally, so changing the policies or editing the registry wouldn't help!
And msmittens, the tlist proggie is command-line based too, so no good either...
And the other proggies that were in that thread, I've searched the whole day for them, but no good!
And for the code that was given, I'm not a programmer, although I'm learning C++ at the moment, but most of that code looks like weird signs to me :)
So I'm still searching;
at the moment I have a script which can start processes, and one that can kill them, but the problem is I need a process lister with a GUI.
When I find that, the problem is solved!
I've tried Norton Commander too; although with this program it is possible to map drives of someone else's computer, like the c$ or admin$ shares, and this has to be blocked also, I will get to that later, I just want to solve this problem first!
I have a quick 3rd party tool that I use. Actually, it's a collection. I'm sure many of you have heard of PSTools from www.sysinternals.com
The tool "pskill.exe" kills processes at the command line, using the PID #. I use it mainly on production servers, it's very stable. Check it out.
Thanks Elliente, but I already have the tool, and it only works via the command line indeed, and that's just the problem!
This is another example of how limited GUIs are; there are so many tools to do this via the command line, but nobody knows a tool that has a graphical user interface!
that's just too bad! :(
OK, what you are after is an executable file that you can use in a GUI environment, that
1/ doesn't need installing.. because of Admin settings,
2/ doesn't need to run from the command line.. again because of Admin settings
3/ will change certain registry settings outside the current admin settings..
True? Oh, and you want it to re-enable the Task Manager at least, and preferably regedit and the policy manager tools? This is what you are after?
I say this because.. try and remember all the keys and what they do in a Win registry..
The first thing that is disabled for my system users is regedit, and Run.. then Task Manager (boy do I cop flak over that).. some hate me because they are unable to install software.. yeah, like I need Kazaa running on our network, or a porn dialer some dick accidentally d/l while playing..
Now as for the tools..
I will get back to you..
Cheers
If there existed such a tool, that would be perfect, Und3ertak3r!
But only the possibility of getting a process list would get me where I want to be too.
I'm glad you saw that I'm not planning on getting into the system illegally :)
'cause I'm just here to learn, and NOT for destructive purposes, I hate that kind of guys!!
Another tip for you: disable the command too, not only cmd.exe but also command.com and batch files too!
That is, if it isn't done already :P
And Kazaa, yes, I can understand you wouldn't want it on your network!
Do you have antivirus software running on your computer? If you do, you might be able to escalate your privileges on the local machine, depending on which one you have.
How up to date are the service packs and patches kept on your machines?
The solution is very simple for a local TSR (like an AV):
Locate the executables and rename them to .txt, then re-boot... just accept the error messages, and away you go............ you need to think more laterally........... don't kill the process, just stop it from ever starting?
;)
Cheers
Trend Micro OfficeScan is the AVG, and yes, everything is very up to date!
As for preventing the process from starting, I've thought about that, but like I said, I'm helping my admins secure the system, I don't want to destroy it! :D
I don't know if AVG has an HTML-type help file.
Many apps that run with system privileges and use the winhlp API call a browser that runs at the same privilege level. Although there is no toolbar, you can right-click on the title bar and "jump to URL" c:\whatever; you should be able to start taskmgr, or right-click and "open with" cmd.exe and have a shell operating as system.
Hey lepricaun,
I was a little short on that last post.............I was watching Hibernian v. Rangers soccer match :D .
I used to use the technique to UPDATE my McAfee AV on one site.................Admins were too lazy :(
I would rename the executables, re-boot, run the update & rename the executables back to .exe, re-boot and it ran with the latest definitions?
Did not harm the system at all
And YOU mentioned the AV app, which will not kill your system if it is not working?.........hey, why not experiment?
Cheers
Well, whether or not you're a "rat", it's not my business, really. I mean, if it weren't for them, 1000's of people would be without jobs. Not to mention that it's blackhats and scriptkiddies that identify all these backdoors for admins.
The only thing I can think of is what I use at school to access the command prompt. Right-click somewhere, and click "Create Shortcut". Then create a shortcut to wherever you want; many times these are not blocked. I did it on a Win2K machine that connected to a Win2K3 server.
Getting a little nostalgic now, are we, nihil? TSR, LOL. Haven't heard that term in a while. Technically, modern AVs aren't TSRs because they actually keep a process running. They don't terminate and stay resident. A TSR is a throwback to the old DOS days where you wanted certain programs to keep running (some drivers, for instance), but since DOS couldn't multi-task, the only way to do it was to have a program that ran, stopped but stayed in memory, thus fulfilling its function.
Quote:
The solution is very simple for a local TSR (like an AV):
BTW, this isn't for nihil, it's just in case people were wondering what TSRs were.
Cheers,
cgkanchi
http://www.sysinternals.com/ntw2k/fr.../procexp.shtml
It has lots of features with it... shows the process tree, handles and dll in use.
There are some other utilities from sysinternals.com - have a look
I've found another way of getting full access by renaming a file and booting, so thanks for the thought, it helped me a lot ;)
Quote:
would rename the executables, re-boot, run the update & rename the executables back to .exe, re-boot and it ran with the latest definitions?
This might come in handy, I'll keep it in mind!
Quote:
The only thing I can think of is what I use at school to access the command prompt. Right-click somewhere, and click "Create Shortcut". Then create a shortcut to wherever you want; many times these are not blocked. I did it on a Win2K machine that connected to a Win2K3 server.
This was what I meant! It works perfectly! Thanks!
**EDIT** I made a mistake, the program works fine, but not with user privileges. So still looking for a process list program with a GUI ::1pacman **EDIT**
This one doesn't; it runs with user privileges, so that wouldn't help me a lot :(
Quote:
I don't know if AVG has an HTML-type help file.
Many apps that run with system privileges and use the winhlp API call a browser that runs at the same privilege level. Although there is no toolbar, you can right-click on the title bar and "jump to URL" c:\whatever; you should be able to start taskmgr, or right-click and "open with" cmd.exe and have a shell operating as system.
And thanks cgkanchi, that's something I didn't know yet about the TSR!
lepricaun is cornered by his admin...
How about this little twist in the story... ask your admin to make one more account with admin privileges... your task would be to get its pass...
That will check the security of admin accounts... you can't use yours for that because you already know your password ;)
I suggest this because anyone can make a shortcut on the desktop and start some proggie with runas so it can run with admin rights (if she/he knows the admin pass, of course)
As for killing processes with user rights, there is no proggie that will do it, no matter if it is cmd-line or GUI... it must somehow elevate its privileges...
Experiment with programs that run interactive, but with system rights...
edit:
Try this: make a shortcut on the desktop. In the command line of that shortcut put this command
Code:
at 12:00 /interactive taskmgr
and then when you double-click on the shortcut, wait till noon and Task Manager will pop up... of course you can put any other time if you want... just make it a minute or two later than the current time.
The killing of the process is possible 'cause it is run with my user account; as for the taskmgr scheduler, there are two reasons why this doesn't work:
1. the scheduler only works for admins
2. the taskmgr is disabled, otherwise it would work as well with getting a shortcut to taskmgr.exe
And as for getting admin, that's nice, but there are dozens of ways to get that password, with or without knowing one, so that wouldn't be a challenge...
I even wrote a tutorial about it on this forum :)
Of course with knowing the password, but without it gets a lot harder :(
Quote:
I suggest this because anyone can make a shortcut on the desktop and start some proggie with runas so it can run with admin rights (if she/he knows the admin pass, of course)
And I just want to solve this problem without the use of another account or password, 'cause that is no challenge....
At the moment I'm writing a proggie which will be named spoolsv.exe and which contains a menu with several options and calls to programs.
So when I copy this program to the c:\winnt\system32 directory, and overwrite the old one, it should be executed on bootup with system privileges, 'cause spoolsv.exe also is (this is the printer spool program)
Hrmm... I wonder if that will work. IIRC, Win2K/XP has a feature by which it keeps copies of the last version of the files (default install or Service Pack versions) and will overwrite any that are altered (aka WFP or Windows File Protection). Here's an information article on it.
I was afraid that something like that would give a problem, 'cause I've tried renaming cmd.exe to spoolsv.exe and removing spoolsv.exe, but this didn't give me a command prompt :(
Quote:
Hrmm... I wonder if that will work. IIRC, Win2K/XP has a feature by which it keeps copies of the last version of the files (default install or Service Pack versions) and will overwrite any that are altered (aka WFP or Windows File Protection). Here's an information article on it.
But I know that there are some files vulnerable to this type of attack, i.e. explorer.exe, but explorer.exe is run as the user that logged in, so I'm not able to use this...
But perhaps there are other files that are "forgotten" too which are started as system, who knows?!
For instance, everything you start with the scheduler will run with system privileges, but as a user, you can not use this approach, so that ends right here...
But I won't give up! For everything that has something to do with the subject, but isn't what I mean, I still learn something from it, so it is absolutely NOT a waste of time and effort!
Well.. there is a way of doing it, but it requires a reboot. This site has info on dealing with the password for the Admin of an ADS. But I wonder if you could do something similar along the lines of what you want.
I thought regular users couldn't alter registry settings?
They can't, sorry, I thought it was this post, but looking back I don't see where he said he did this.