Get commandline of process and taskkill

I need some help.

I am currently trying to kill any process that is not in a whitelist (matched on the command line), like this, but it is not working:

@echo off
setlocal

set "whitelist=DcomLaunch RPCSS LocalServiceNetworkRestricted netsvcs LocalService LocalSystemNetworkRestricted NetworkService LocalServiceAndNoImpersonation taskhostex cmd dwm conhost services smss SearchIndexer Isass Explorer csrss conhost cftmon"

for /f "tokens=2 delims=," %%I in (
'wmic process get executablepath^,status /format:csv ^| find "\"'
) do (
set "proc=%%~I"
setlocal enabledelayedexpansion 
set /p "=%%~I: "<NUL
wmic path win32_process get CommandLine | findstr /i "%whitelist%" >NUL && (
    echo OK
) || (
    echo UNACCEPTABLE!
    taskkill /im "%%~nxI" /f
)
endlocal
)
wmic path win32_process get CommandLine | findstr /i "%whitelist%"

In the above command, findstr looks for a match in the whole wmic output, so it will always find one. For example, at least cmd will match, because wmic runs in a cmd window. The next commented code snippet should work, but it gives different results if elevated (run as administrator).

set "whitelist=DcomLaunch RPCSS LocalServiceNetworkRestricted netsvcs LocalService LocalSystemNetworkRestricted NetworkService LocalServiceAndNoImpersonation taskhostex cmd dwm conhost services smss SearchIndexer Isass Explorer csrss conhost cftmon"

rem add windows VITAL processes !!! incomplete !!!
set "whitelist=svchost ctfmon lsass winlogon %whitelist%"

for /f "tokens=2,3 delims=," %%I in (
    'wmic process get executablepath^,ProcessID^,status^,WindowsVersion /format:csv ^| find "\"'
) do ( 
    set "proc=%%~I"
    set "procID=%%~J"
    setlocal enabledelayedexpansion 

    rem debugging:  set /p "=%%~I: "<NUL

    rem debug try: wmic path win32_process where "ProcessID=%%J" get Name 2>NUL | findstr /i "%whitelist%">NUL 2>&1  && (
    rem debug try: wmic path win32_process get executablepath 2>NUL | findstr /i "!proc:/=//!">NUL 2>&1  && (

    wmic path win32_process where "ProcessID=%%J" get CommandLine 2>NUL | findstr /i "%whitelist%">NUL 2>&1  && (
    rem suppress "No Instance(s) Available" report in above line: 2>NUL
        echo OK %%J "%%~I"
    ) || (
        rem UNWANTED: here come inactive processes "cmd", "wmic", "find"
        rem           and maybe more ones that were active in FOR %%I execution time 
        rem           (but loop continues); let's filter them here:
        tasklist /FI "PID eq %%J" /NH | find "%%J" >NUL 2>&1 && (
            echo NO %%J "%%~I"
            rem taskkill /PID "%%~J" /f
        ) || (
            echo XX %%J "%%~I"
            rem inactive at the moment
        )
    )
    endlocal
)

Essential Processes needed to run Windows (the following list may be a bit outdated):

… here is a list of the essential processes that Windows needs to run correctly.

  • System Idle Process
  • explorer.exe
  • taskmgr.exe
  • spoolsv.exe
  • lsass.exe
  • csrss.exe
  • smss.exe
  • winlogon.exe
  • svchost.exe – (There will be a few of these)
  • services.exe

By shutting down anything other than these processes, stand-alone Windows should operate fine; however, if any of these processes are shut down, Windows will start to become unstable or unusable.
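The same check written in PowerShell, as an added example that is not part of the question or the answer above. It keeps the two points the answer makes, matching one process at a time instead of over the whole wmic dump and not acting on records that cannot be resolved, and it also avoids findstr's substring behaviour by comparing the executable's file name exactly. The allow list and the sample process records are constructed for illustration; on a live system the records come from Get-CimInstance Win32_Process, whose ProcessId, ExecutablePath and CommandLine property names are the ones used here. The function only classifies and reports; nothing is stopped.

```powershell
# Added example (not from the question or the answer): per-process allow-list
# check in PowerShell. $AllowedNames and $SampleProcesses are constructed for
# illustration; a real run feeds Get-CimInstance Win32_Process instead.

# Allow list of executable file names. Matching is exact and case-insensitive
# on the leaf name, so "cmd" cannot match "mycmdtool.exe" the way findstr's
# substring search does. Constructed list, not a complete set of Windows
# system processes.
$AllowedNames = @(
    'smss.exe', 'csrss.exe', 'wininit.exe', 'winlogon.exe', 'services.exe',
    'lsass.exe', 'svchost.exe', 'dwm.exe', 'explorer.exe', 'conhost.exe',
    'cmd.exe', 'powershell.exe'
)

function Test-ProcessAllowList {
    <#
      Classifies each process record as ALLOWED, NOT-ALLOWED or SKIPPED and
      returns one object per record. It never stops a process; the report is
      the equivalent of the answer's echo OK / NO / XX lines.
    #>
    param(
        [Parameter(Mandatory)] [object[]] $Processes,
        [Parameter(Mandatory)] [string[]] $Allowed
    )

    foreach ($p in $Processes) {
        # System, Idle and protected processes report no ExecutablePath, and a
        # non-elevated shell sees none for other users' processes either (this
        # is why the answer's script behaves differently when elevated). The
        # batch version's find "\" dropped these rows; here they are reported
        # as SKIPPED so the gap is visible instead of silent.
        if ([string]::IsNullOrEmpty($p.ExecutablePath)) {
            [pscustomobject]@{
                Verdict = 'SKIPPED'; ProcessId = $p.ProcessId
                Path = $null;        CommandLine = $p.CommandLine
            }
            continue
        }

        # Compare this one process against the allow list (-contains is
        # case-insensitive by default), rather than running findstr over the
        # output for every process at once.
        $leaf = [System.IO.Path]::GetFileName($p.ExecutablePath)
        $verdict = if ($Allowed -contains $leaf) { 'ALLOWED' } else { 'NOT-ALLOWED' }

        [pscustomobject]@{
            Verdict = $verdict;         ProcessId = $p.ProcessId
            Path = $p.ExecutablePath;   CommandLine = $p.CommandLine
        }
    }
}

# Constructed sample records standing in for Get-CimInstance Win32_Process output.
$SampleProcesses = @(
    [pscustomobject]@{ ProcessId = 4;    ExecutablePath = $null;                             CommandLine = $null }
    [pscustomobject]@{ ProcessId = 712;  ExecutablePath = 'C:\Windows\System32\svchost.exe'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ ProcessId = 2310; ExecutablePath = 'C:\Windows\System32\cmd.exe';     CommandLine = '"C:\Windows\System32\cmd.exe" /k' }
    [pscustomobject]@{ ProcessId = 4480; ExecutablePath = 'C:\Tools\mycmdtool.exe';          CommandLine = 'mycmdtool.exe --serve' }
)

# Report on the constructed data: PID 4 is SKIPPED, 712 and 2310 are ALLOWED,
# 4480 is NOT-ALLOWED even though its name contains "cmd".
Test-ProcessAllowList -Processes $SampleProcesses -Allowed $AllowedNames | Format-Table -AutoSize

# Live, report-only use on the current machine (run elevated to see every
# process's ExecutablePath):
#   Get-CimInstance -ClassName Win32_Process |
#       Test-ProcessAllowList -Processes { $input } -Allowed $AllowedNames
# or, without pipeline binding:
#   $live = Get-CimInstance -ClassName Win32_Process
#   Test-ProcessAllowList -Processes $live -Allowed $AllowedNames |
#       Where-Object Verdict -eq 'NOT-ALLOWED'
```

Review the NOT-ALLOWED rows before wiring any action onto them: the allow list above is illustrative, and as the answer's essential-process list warns, a name missing from it is far more likely to be an incomplete list than a rogue process.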