A few unbeatable Windows commands you may not know

xiaoxiao2021-03-06  62

Editor's note: This article comes from Security Focus; please do not copy it without credit :)

Q: How can I kill a process that cannot be ended from Task Manager? For some time there has been a process on my machine, and as long as it is running I cannot bring up Task Manager.

1. Killing the process itself is easy; just find a tool, for example IceSword. The key is to find how the process is started, otherwise it will be back after the next reboot.

By the way, here is a trick for everyone. In fact Windows itself can kill most processes:

  C:\> ntsd -c q -p PID

Only System, smss.exe and csrss.exe cannot be killed this way. The first two are pure kernel-side processes, and the last one is the Win32 subsystem, which ntsd itself needs in order to run. NTSD has shipped with the system since Windows 2000 as the user-mode debugger. A process attached to by the debugger exits together with the debugger, so it can be used to terminate a process from the command line. NTSD automatically acquires the debug privilege, which is why it can kill most processes. NTSD normally opens its own debugger window, which cannot be controlled from a plain command line, but a simple command such as quit (q) can be passed on the command line with the -c parameter. NTSD is also shipped for software developers following established practice; in practice only system developers use this command. For more information, see the help file that comes with NTSD.

usage: ntsd [-?] [-2] [-d] [-g] [-G] [-myob] [-lines] [-n] [-o] [-s] [-v] [-w]
            [-r BreakErrorLevel] [-t PrintErrorLevel] [-hd] [-pd] [-pe] [-pt #] [-pv]
            [-x | -x{e|d|n|i}] [-- | -p pid | -pn name | command-line | -z CrashDmpFile]
            [-zp CrashPageFile] [-premote transport] [-robp] [-aDllName] [-c "command"]
            [-i ImagePath] [-y SymbolsPath] [-clines #] [-srcpath SourcePath]
            [-QR \\machine] [-wake] [-remote transport:server=name,portid]
            [-server transport:portid] [-ses] [-sfce] [-sicv] [-snul] [-noio]
            [-failinc] [-noshell]

where:
  -?            displays this help text
  command-line  is the command to run under the debugger
  --            is the same as -G -g -o -p -1 -d -pd
  -aDllName     sets the default extension DLL
  -c            executes the following debugger command
  -clines       number of lines of output history retrieved by a remote client
  -failinc      causes incomplete symbol and module loads to fail
  -d            sends all debugger output to the kernel debugger via DbgPrint
                -d can not be used with debugger remoting
                -d can only be used when the kernel debugger is enabled
  -g            ignores initial breakpoint in debuggee
  -G            ignores final breakpoint at process termination
  -hd           specifies that the debug heap should not be used for created
                processes. This only works on Windows Whistler.
  -o            debugs all processes launched by debuggee
  -p pid        specifies the decimal process id to attach to
  -pd           specifies that the debugger should automatically detach
  -pe           specifies that any attach should be to an existing debug port
  -pn name      specifies the name of the process to attach to
  -pt #         specifies the interrupt timeout
  -pv           specifies that any attach should be noninvasive
  -r            specifies the (0-3) error level to break on (SeeSetErrorLevel)
  -robp         allows breakpoints to be set in read-only memory
  -t            specifies the (0-3) error level to display (SeeSetErrorLevel)
  -w            specifies to debug 16 bit applications in a separate VDM
  -x            sets second-chance break on AV exceptions
  -x{e|d|n|i}   sets the break status for the specified event
  -2            creates a separate console window for debuggee
  -i ImagePath  specifies the location of the executables that generated the
                fault (see _NT_EXECUTABLE_IMAGE_PATH)
  -lines        requests that line number information be used if present
  -myob         ignores version mismatches in DBGHELP.DLL
  -n            enables verbose output from symbol handler
  -noio         disables all I/O for dedicated remoting servers
  -noshell      disables the .shell (!!) command
  -QR           queries for remote servers
  -s            disables lazy symbol loading
  -ses          enables strict symbol loading
  -sfce         fails critical errors encountered during file searching
  -sicv         ignores the CV record when symbol loading
  -snul         disables automatic symbol loading for unqualified names
  -srcpath      specifies the source search path
  -v            enables verbose output from debugger
  -wake         wakes up a sleeping debugger and exits
  -y            specifies the symbol search path (see _NT_SYMBOL_PATH)
  -z            specifies the name of a crash dump file to debug
  -zp           specifies the name of a page.dmp file to use with a crash dump
  -remote       lets you connect to a debugger session started with -server
                must be the first argument if present
                transport: tcp | npipe | ssl | spipe | 1394 | com
                name: machine name on which the debug server was created
                portid: id of the port the debugger server was created on
                  for tcp use: port=
                  for npipe use: pipe=
                  for 1394 use: channel=
                  for com use: port=, baud=, channel=
                  for ssl and spipe see the documentation
                example: ... -remote npipe:server=YourMachine,pipe=FooBar
  -server       creates a debugger session other people can connect to
                must be the first argument if present
                transport: tcp | npipe | ssl | spipe | 1394 | com
                portid: id of the port remote users can connect to
                  for tcp use: port=
                  for npipe use: pipe=
                  for 1394 use: channel=
                  for com use: port=, baud=, channel=
                  for ssl and spipe see the documentation
                example: ... -server npipe:pipe=foobar
  -premote transport
                specifies the process server to connect to
                transport arguments are given as with remoting

Environment Variables:
  _NT_SYMBOL_PATH=[Drive:][Path]            Specify symbol image path
  _NT_ALT_SYMBOL_PATH=[Drive:][Path]        Specify an alternate symbol image path
  _NT_DEBUGGER_EXTENSION_PATH=[Drive:][Path] Specify a path which should be searched
                                            first for extension DLLs
  _NT_EXECUTABLE_IMAGE_PATH=[Drive:][Path]  Specify executable image path
  _NT_SOURCE_PATH=[Drive:][Path]            Specify source file path
  _NT_DEBUG_LOG_FILE_OPEN=filename          If specified, all output will be written
                                            to this file from offset 0.
  _NT_DEBUG_LOG_FILE_APPEND=filename        If specified, all output will be APPENDed
                                            to this file.
  _NT_DEBUG_HISTORY_SIZE=size               Specifies the size of a server's output
                                            history in kilobytes

Control Keys:
  Quit debugger
  Break into Target
  Force a break into debuggee (same as Ctrl-C)
  Debug Current debugger
  Toggle Verbose mode
  Print version information

ntsd: exiting - press enter

Usage: open a cmd.exe window and type: ntsd -c q -p pid (the PID goes last).
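The following batch script is an added example, not code from the original article or from NTSD: it wraps the "ntsd -c q -p PID" technique so that a process can be terminated by image name rather than by a PID looked up by hand. It resolves the PID with tasklist, refuses the three processes the article says cannot be killed this way (System, smss.exe, csrss.exe), runs ntsd against each matching PID, and then checks with tasklist whether the image name is really gone. It assumes ntsd.exe is on the PATH (it shipped with Windows 2000/XP/2003; on later versions it is installed with Debugging Tools for Windows) and that the caller has the privileges needed to attach a debugger to the target.

```batch
@echo off
REM Added example (not part of the original article): kill a process by image name
REM using the article's trick "ntsd -c q -p PID".
REM Assumptions: ntsd.exe is on PATH; caller may attach a debugger to the target.
REM Usage:  killntsd.cmd <image name>      e.g.  killntsd.cmd notepad.exe
setlocal EnableDelayedExpansion

if "%~1"=="" (
    echo Usage: %~nx0 ^<image name^>
    exit /b 1
)
set "TARGET=%~1"

REM The article states these three cannot be terminated with ntsd: the first two
REM are kernel-side, and csrss.exe is the Win32 subsystem ntsd itself depends on.
for %%X in (System smss.exe csrss.exe) do (
    if /I "%%X"=="%TARGET%" (
        echo Refusing: %TARGET% is a core system process and ntsd cannot terminate it.
        exit /b 2
    )
)

REM Resolve the image name to one or more PIDs. /NH drops the header line,
REM /FO CSV quotes each field, so token 2 is the PID; %%~P strips the quotes.
REM If nothing matches, tasklist prints an INFO line without commas, token 2 is
REM empty and the loop body is skipped.
set "FOUND=0"
for /F "tokens=2 delims=," %%P in ('tasklist /NH /FO CSV /FI "IMAGENAME eq %TARGET%"') do (
    set "PID=%%~P"
    echo Attaching ntsd to PID !PID! and issuing q ...
    REM -p attaches to the PID; -c "q" runs the quit command, which takes the
    REM debuggee down with the debugger (the behaviour the article relies on).
    ntsd -c q -p !PID!
    set "FOUND=1"
)

if "!FOUND!"=="0" (
    echo No running process named %TARGET% found.
    exit /b 3
)

REM Verify the result: the filtered tasklist should no longer mention the image.
tasklist /NH /FI "IMAGENAME eq %TARGET%" | findstr /I /C:"%TARGET%" >nul
if errorlevel 1 (
    echo %TARGET% is no longer running.
) else (
    echo %TARGET% is still running: it may be protected, or a watchdog may have restarted it.
    echo As the article notes, locate its startup entry or it will return after the next reboot.
)
endlocal
```

The final tasklist check matters in practice: if the process reappears immediately, something else is respawning it, which is exactly the case the article's answer warns about, and the real fix is finding and removing the startup method rather than killing the process again.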

Please credit the original source when reposting: https://www.9cbs.com/read-89453.html
