93

In Unix we can suspend a process execution temporarily and resume it with signals SIGSTOP and SIGCONT. How can I suspend a single-threaded process in Windows without programming ?

Michael
  • 41,026
  • 70
  • 193
  • 341
  • 3
    possible duplicate of [How can I freeze the execution of a program?](http://stackoverflow.com/questions/4062665/how-can-i-freeze-the-execution-of-a-program) – Hans Passant Jun 13 '12 at 08:10
  • Just to add a pinch of pedantry, a Unix process may also be suspended by [`SIGTSTP`](https://stackoverflow.com/q/11886812/4408170) which maps to `Ctrl-Z` in the shell. – bfx May 03 '19 at 14:22
  • 2
    There is a windows builtin tool `resmon.exe` that allows suspending a process. See https://superuser.com/questions/1139965/is-there-a-windows-equivalent-to-kill-stop-or-ctrl-z – PPC Feb 17 '21 at 10:09

7 Answers7

115

You can't do it from the command line, you have to write some code (I assume you're not just looking for an utility otherwise Super User may be a better place to ask). I also assume your application has all the required permissions to do it (examples are without any error checking).

Hard Way

First get all the threads of a given process then call the SuspendThread function to stop each one (and ResumeThread to resume). It works but some applications may crash or hung because a thread may be stopped in any point and the order of suspend/resume is unpredictable (for example this may cause a dead lock). For a single threaded application this may not be an issue.

void suspend(DWORD processId)
{
    HANDLE hThreadSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);

    THREADENTRY32 threadEntry; 
    threadEntry.dwSize = sizeof(THREADENTRY32);

    Thread32First(hThreadSnapshot, &threadEntry);

    do
    {
        if (threadEntry.th32OwnerProcessID == processId)
        {
            HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE,
                threadEntry.th32ThreadID);
            
            SuspendThread(hThread);
            CloseHandle(hThread);
        }
    } while (Thread32Next(hThreadSnapshot, &threadEntry));

    CloseHandle(hThreadSnapshot);
}

Please note that this function is even too much naive, to resume threads you should skip threads that was suspended and it's easy to cause a dead-lock because of suspend/resume order. For single threaded applications it's prolix but it works.

Undocumented way

Starting from Windows XP there is the NtSuspendProcess but it's undocumented. Read this post (or this article) for a code example (reference for undocumented functions: news://comp.os.ms-windows.programmer.win32).

typedef LONG (NTAPI *NtSuspendProcess)(IN HANDLE ProcessHandle);

void suspend(DWORD processId)
{
    HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId));

    NtSuspendProcess pfnNtSuspendProcess = (NtSuspendProcess)GetProcAddress(
        GetModuleHandle("ntdll"), "NtSuspendProcess");

    pfnNtSuspendProcess(processHandle);
    CloseHandle(processHandle);
}

"Debugger" Way

To suspend a program is what usually a debugger does, to do it you can use the DebugActiveProcess function. It'll suspend the process execution (with all threads all together). To resume you may use DebugActiveProcessStop.

This function lets you stop a process (given its Process ID), syntax is very simple: just pass the ID of the process you want to stop et-voila. If you'll make a command line application you'll need to keep its instance running to keep the process suspended (or it'll be terminated). See the Remarks section on MSDN for details.

void suspend(DWORD processId)
{
    DebugActiveProcess(processId);
}

From Command Line

As I said Windows command line has not any utility to do that but you can invoke a Windows API function from PowerShell. First install Invoke-WindowsApi script then you can write this:

Invoke-WindowsApi "kernel32" ([bool]) "DebugActiveProcess" @([int]) @(process_id_here)

Of course if you need it often you can make an alias for that.

Lojcs
  • 47
  • 6
Adriano Repetti
  • 65,416
  • 20
  • 137
  • 208
  • What do you mean when you say "install Invoke-WindowsApi"? – MemphiZ Nov 24 '14 at 03:25
  • @MemphiZ it's a small cmdlet (`Invoke-WindowsApi`) that let you _invoke_ a _Windows API_ (`PASCAL` calling convention, commonly `WINAPI`) C function. It's not part of PowerShell then it must be separately downloaded and _installed_. – Adriano Repetti Nov 24 '14 at 08:25
  • 4
    The first sentence of your very good answer is wrong. Yes, you CAN do it from the commandline! Download PsSuspend from www.sysinternals.com. This little tool can even suspend processes, that run on another computer. https://technet.microsoft.com/en-us/sysinternals/bb897540.aspx – Elmue Aug 29 '15 at 14:41
  • That's why I said "...if you're looking for an utility then...". SysInternals has an utility for almost everything! – Adriano Repetti Aug 29 '15 at 19:12
  • @AdrianoRepetti, If you'd ensure that you'd resume in the opposite order of suspension, why would there be a deadlock? – Pacerier Jan 29 '17 at 12:05
  • Simplest reason is because you do not suspend them all together then you alter normal program timing suspending them one by one. Yes, it _should not_ happen we acquire two locks...but you will see it (too) often. Even in the best case we changed normal program behavior. – Adriano Repetti Jan 29 '17 at 16:48
  • 2
    Will these processes show as "Suspended" in the Status column of Task Manager? – CMCDragonkai Jan 30 '17 at 04:09
  • @AdrianoRepetti, We had simply *slowed* down or delayed the steps of the normal program behavior isn't it? The steps themselves are still unchanged. – Pacerier Jan 30 '17 at 16:52
  • @cm with the _undocumented_ function it's marked as suspended, with the debugger way it's not. In the other case...I don't know! – Adriano Repetti Jan 30 '17 at 18:44
  • @pace given that nested locks are almost always a symptom of bad design and latent errors but that we "see" them too often, Imagine two threads which locks AB and BA (obviously in some more nested call, an event?). They're queued in sequence but 1 is faster than 2 and you won't ever (probably) see the deadlock. We suspend 12 and resume 21 however now 1 is "slowed down" and 2 gets the lock on B when 1 already has lock on A. There are for sure even more cases (probably also more simple thsnbthus). Besides deadlock malfunctioning is even more subtle because locks might timeout and then? – Adriano Repetti Jan 30 '17 at 18:54
  • None of the APIs can suspend `winlogon.exe` process with admin. But pssuspend can. – Biswapriyo Jan 13 '18 at 18:14
  • 2
    @Pacerier - Programmers sometimes unintentionally create 'race conditions' in programs with multiple threads. Race conditions mean that the program is somehow dependent on the order in which things being done by two independently executing parts of the program do things. It's like you know your friend always finishes a certain task quicker than you do, and so you depend on that. But if your friend is held up somehow, then suddenly that's no longer the case. Programs are delicate. You can adjust, maybe. A program can't. – Omnifarious May 10 '18 at 14:42
  • 3
    Just to be clear: if a program deadlocked, that's a bug in that program. No code should deadlock due to unexpected timings. A general-purpose OS (meaning not an RTOS) has the right to indefinitely put any and all of your threads on hold in any order imaginable, even when things are working as intended. I understand that real-life programs always have bugs, but I hate it when people normalize this as in: "well that's not normal behavior, you suspended a thread I didn't expect so anything can happen". – relatively_random Feb 02 '21 at 15:50
103

Without any external tool you can simply accomplish this on Windows 7, 8 or 10, by opening up the Resource monitor and on the CPU or Overview tab right clicking on the process and selecting Suspend Process. The Resource monitor can be started from the Performance tab of the Task manager.

Sigroad
  • 1,771
  • 3
  • 20
  • 17
  • @Sigroad, Is resmon.exe doing the same thing as Adriano's answer? – Pacerier Jan 29 '17 at 12:10
  • @Pacerier Unfortunately, I am not aware of how resmon.exe works internally. – Sigroad Feb 01 '17 at 17:35
  • 2
    Somehow I missed it the first time, but now I see the option for this when right-clicking on the process in Sysinternals' Process Explorer `procexp.exe` as well! – Pysis Sep 28 '17 at 15:22
42

I use (a very old) process explorer from SysInternals (procexp.exe). It is a replacement / addition to the standard Task manager, you can suspend a process from there.

Edit: Microsoft has bought over SysInternals, url: procExp.exe

Other than that you can set the process priority to low so that it does not get in the way of other processes, but this will not suspend the process.

Zordey
  • 656
  • 5
  • 10
  • 1
    this answers the question almost perfectly, dont know why it didnt get more upvotes. – Lauer Jan 17 '13 at 18:01
  • Can you suspend a process, put your computer to sleep, then restart the process again when it wakes up? I have a utility that needs to run for several days (total), but I don't want to leave my computer on 24/7. – posfan12 Sep 23 '16 at 02:12
  • @posfan12 Why not just put the computer to sleep? As an unrelated example, when one of my windows was minimized, it already had a low background priority of 4 from about 24 to 4. [shivesh suman's answer](https://stackoverflow.com/a/15969868/1091943) seems to cover a better option in the same software. – Pysis Sep 28 '17 at 16:02
  • "Why not just put the computer to sleep?" Because I don't want the process interrupted completely. – posfan12 Oct 20 '17 at 01:20
  • @posfan12 if you hibernate your computer no processes will be interrupted. Suspend in this thread btw means something else, it is just stopping the cpu scheduling, it will not save it to disk or survive a reboot. (And in both methods some things like sockets might time out) – eckes Dec 20 '22 at 21:38
24

PsSuspend command line utility from SysInternals suite. It suspends / resumes a process by its id.

Vadzim
  • 24,954
  • 11
  • 143
  • 151
AlexeyDaryin
  • 903
  • 6
  • 15
15

Well, Process Explorer has a suspend option. You can right click a process in the process column and select suspend. Once you are ready to resume it again right click and this time select resume. Process Explorer can be obtained from here:

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Tobias Kienzler
  • 25,759
  • 22
  • 127
  • 221
shivesh suman
  • 1,511
  • 18
  • 26
9

PsSuspend, as mentioned by Vadzim, even suspends/resumes a process by its name, not only by pid.

I use both PsSuspend and PsList (another tool from the PsTools suite) in a simple toggle script for the OneDrive process: if I need more bandwidth, I suspend the OneDrive sync, afterwards I resume the process by issuing the same mini script:

PsList -d onedrive|find/i "suspend" && PsSuspend -r onedrive || PsSuspend onedrive

PsSuspend command line utility from SysInternals suite. It suspends / resumes a process by its id.

Stijn Bousard
  • 331
  • 2
  • 8
0
#pragma comment(lib,"ntdll.lib")
EXTERN_C NTSTATUS NTAPI NtSuspendProcess(IN HANDLE ProcessHandle);

void SuspendSelf(){
    NtSuspendProcess(GetCurrentProcess());
}

ntdll contains the exported function NtSuspendProcess, pass the handle to a process to do the trick.