1

Terminating a Process from CMD: Softest to Hardest

I was wondering if anyone had experience using command line to terminate processes using taskkill and WMIC. I was wondering if anyone knew the order of how "hard" of a close/terminate these commands are from the command that is the "softest" (least forceful) close to the command that is the "hardest" (most forceful):

My guess would be:

Least/Softest

1) taskkill /im processname.exe

2) wmic process where name="processname.exe" call terminate

3) wmic process where name='processname.exe' delete

4) taskkill /f /im processname.exe

Most/Hardest

I am trying to create a batch command file and wanted to just know the difference between these, to see which I should use. I prefer to use a softer close, check to see if the process is still running, and then try a harder close, and then repeat this until the program is successfully closed. Any info on the difference between any of these would be helpful, especially between using terminate and delete via CMD: WMIC would be helpful, as I cannot find documentation anywhere on them.

user149483
  • Taskkill should be pretty obvious. The /F means forcefully terminate. – Squashman Nov 14 '18 at 20:30
  • Taskkill also uses WMI Win32_Process class. – CatCat Nov 14 '18 at 20:37
  • For a graphical program a `WM_Close` message is sent to the window asking it to close. A program sends one to itself if it wants to close. Programs choose to process this message and can ignore it and do so like *Do you want to save this file Yes/No* . `TerminateProcess` the program does not get informed, no code runs in the program. It is destroyed. – CatCat Nov 14 '18 at 20:52
  • Console programs are similar. Instead of `WM_Close` it gets a control signal. Windows creates a thread that calls `ExitProcess` (programs can change this). See https://learn.microsoft.com/en-us/windows/console/console-control-handlers. Note there are only two ways to kill a program, ask it to close or destroy it. WMIC always destroys. In Task Manager (Win 7 here) the Application tab asks programs to close and the Process tab destroys applications. – CatCat Nov 14 '18 at 21:51
  • Also see https://learn.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-terminateprocess and https://learn.microsoft.com/en-us/windows/desktop/winmsg/wm-close – CatCat Nov 14 '18 at 21:51
  • @CatCat Does that mean "wmic call terminate" and "taskkill (without the /f)" use the same process and act the same, but are executed using alternative methods/EXEs? If so, are "Taskkill /f" and "wmic delete" the same too? If not, is there a preferred method (wmic or taskkill) or a preferred order? I am just trying to do the softest close possible and work toward a hard (force) close... Finally, is there something wrong with attempting a soft close, since the request for the program to close can cause additional prompts that the following forceful close will not kill? – user149483 Nov 14 '18 at 21:59
  • @CatCat Sorry, mine just refreshed. I will look at those references. Thanks! – user149483 Nov 14 '18 at 22:00
  • If you open Taskkill in notepad with wordwrap on about ¾ of the way down you'll find all the WMI calls taskkill is using. A few pages below are the API calls. Note it uses `Win32_Process.Terminate`, `TerminateProcess`, and `PostMessage`. – CatCat Nov 14 '18 at 22:01
  • Taskmanager Application tab, Taskkill without /f, clicking the red x on a window are the same. Taskmanager Process tab, Taskkill /f, and wmic terminate are the same. WMIC works over networks. It cannot access windows on remote computers. Therefore it cannot send a program a WM_Close message. – CatCat Nov 14 '18 at 22:06
  • I'm writing a text editor using only API calls. If you choose *File - Exit* first a `WM_Command` message is sent saying *Exit* has been chosen on the menu, I send a `WM_Close` to myself which I receive as a `WM_Destroy`, so I call `PostQuitMessage` and my windows go away and my message loop exits and the program stops running. – CatCat Nov 14 '18 at 22:20
  • You could have run Taskkill in the debugger to see what it does and how it does it. My answer here is a two minute primer on using WinDbg. https://stackoverflow.com/questions/52439321/which-value-has-empty-on-the-stack – CatCat Nov 14 '18 at 22:45

2 Answers

2

As CatCat mentioned, there are two main ways to terminate a process: WM_CLOSE and TerminateProcess(). I've included two more for completeness' sake.

  1. Sending window message WM_CLOSE to the main window of the process. This is the same message an application receives when the user clicks the X button to close the window. The app may then gracefully shut down or ask the user for confirmation - for example if some work is unsaved.

    taskkill without /f appears to attempt doing that but seems to not always succeed in finding the correct window to close. If the app is supposed to not have a visible window (such as if it only displays an icon in system tray or is a windowless server) it may ignore this message entirely.

    If taskkill does not work for you, it is possible NirCmd does a better job: `NirCmd.exe closeprocess iexplore.exe`

  2. There is also the WM_ENDSESSION message - it is sent by the OS when shutting down (after WM_QUERYENDSESSION). It works pretty much the same way except it is sent to the whole application rather than a specific window. Depending on parameters, apps may be requested to save the work into temporary files because the system needs to restart to apply some updates. Some applications react to this message, some don't.

    It should be possible to send these messages manually, but I have not seen it done other than to test how app reacts to shutdown without actually shutting down OS.

  3. WM_QUIT message suggests the application as a whole needs to shut down (more specifically, it is sent to a thread). An application should normally post it to itself after its window is done closing and now it is time to end the process.

    It is possible to manually post the message to every thread of another process but this is hackish and rare, it may crash processes not expecting to be issued this message from outside. I'm not sure if it's a better option than just terminating the process or not.

  4. TerminateProcess() tells the OS to forcefully terminate the process. This is what happens when you click End process button on processes tab in the task manager. The process does not get notified it is being closed - it is just stopped where it was and removed from the memory - no questions, no shutdown, etc. This may cause corruption if some files were being written at that time or data transferred.

    That is what taskkill /f command does. Both wmic process call terminate and wmic process delete appear to also do this although I'm not sure.

Jack White
0

Using wmic: print all running processes where the name of the process is cmd.exe

    wmic process where name="cmd.exe" GET ProcessId, CommandLine,CreationClassName

then terminate the specific instance of the process by process ID (PID)

    WMIC PROCESS WHERE "ProcessID=13800" CALL TERMINATE
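
The soft-then-hard escalation the question asks for, built from the commands discussed in the answers above. This batch file is an added example, not code from any of the posters; the image name `processname.exe` is the question's placeholder and the 10-second grace period is an assumed value.

```batch
@echo off
setlocal
rem Added example: request a close first, force termination only if that fails.
rem IMAGE defaults to the question's placeholder; pass the real name as argument 1.
set "IMAGE=%~1"
if not defined IMAGE set "IMAGE=processname.exe"
rem Assumed grace period (seconds) given to the program to close on its own.
set "GRACE_SECONDS=10"

call :is_running || (echo %IMAGE% is not running.& exit /b 0)

rem Step 1: taskkill without /f asks the window to close (WM_CLOSE).
rem The program may show a save prompt or ignore the request entirely.
taskkill /im "%IMAGE%" >nul 2>&1

rem Step 2: poll about once per second until the process exits or time runs out.
rem ping is used as the delay because timeout fails when no console is attached.
for /l %%i in (1,1,%GRACE_SECONDS%) do (
    call :is_running || (echo %IMAGE% closed on request.& exit /b 0)
    ping -n 2 127.0.0.1 >nul
)

rem Step 3: /f uses TerminateProcess. No code in the target runs, so any
rem unsaved work or half-written file is lost or left as it was.
echo %IMAGE% still running after %GRACE_SECONDS% seconds, forcing termination.
taskkill /f /im "%IMAGE%" >nul 2>&1
ping -n 2 127.0.0.1 >nul
call :is_running && (echo Could not terminate %IMAGE%.& exit /b 1)
echo %IMAGE% terminated.
exit /b 0

:is_running
rem tasklist returns 0 even when nothing matches, so test its output instead:
rem find returns 0 only if a CSV row containing the image name was printed.
tasklist /fi "imagename eq %IMAGE%" /fo csv /nh 2>nul | find /i "%IMAGE%" >nul
exit /b %errorlevel%
```

The script exits with 0 when the process is gone and 1 when even the forced kill failed, which usually means the caller lacks rights over the target process.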