Thursday, 3 July 2014

Monitoring Processes and Performance

Monitoring Processes and Performance

An important part of every administrator’s job is to monitor network systems and ensure that everything is running smoothly—or as smoothly as can be expected, anyway. As you learned in the previous chapter, watching the event logs closely can help you detect and track problems with applications, security, and essential services. Often when you detect or suspect a problem, you’ll need to dig deeper to search out the cause of the problem and correct it. Hopefully, by pinpointing the cause of a problem, you can prevent it from happening again.

Managing Applications, Processes, and Performance

Whenever the operating system or a user starts a service, runs an application, or executes a command, Microsoft Windows starts one or more processes to handle the related program. Several command-line utilities are available to help you manage and monitor programs. These utilities include
  • Process Resource Manager (Pmon)  Displays performance statistics, including memory and CPU usage, as well as a list of all processes running on the local system. Used to get a detailed snapshot of resource usage and running processes. Pmon is included in the Windows Resource Kit.
  • Task List (Tasklist)  Lists all running processes by name and process ID. Includes information on the user session and memory usage.
  • Task Kill (Taskkill)  Stops running processes by name or process ID. Using filters, you can also halt processes by process status, session number, CPU time, memory usage, user name, and more.
In the sections that follow, you’ll find detailed discussions on how these command- line tools are used. First, however, let’s look at the ways processes are run and the common problems you may encounter when working with them.

Understanding System and User Processes

Generally, processes that the operating system starts are referred to as system processes; processes that users start are referred to as user processes. Most user processes are run in interactive mode. That is, a user starts the processes interactively with the keyboard or mouse. If the application or program is active and selected, the related interactive process has control over the keyboard and mouse until you switch control by terminating the program or selecting a different one. When a process has control, it’s said to be running “in the foreground.”
Processes can also run in the background, independently of user logon sessions. Background processes do not have control over the keyboard, mouse, or other input devices and are usually run by the operating system. Using the Task Scheduler, users can run processes in the background as well, however, and these processes can operate regardless of whether the user is logged on. For example, if Task Scheduler starts a scheduled task while the user is logged on, the process can continue even when the user logs off.
Windows tracks every process running on a system by image name, process ID, priority, and other parameters that record resource usage. The image name is the name of the executable that started the process, such as Msdtc.exe or Svchost.exe. The process ID is a numeric identifier for the process, such as 2588. The process priority is an indicator of how much of the system’s resources the process should get relative to other running processes. With priority processing, a process with a higher priority gets preference over processes with lower priority and may not have to wait to get processing time, access memory, or work with the file system. A process with lower priority, on the other hand, usually must wait for a higher-priority process to complete its current task before gaining access to the CPU, memory, or the file system.
In a perfect world, processes would run perfectly and would never have problems. The reality is, however, that problems occur and they often appear when you’d least want them to. Common problems include the following:
  • Processes become nonresponsive, such as when an application stops processing requests. When this happens, users may tell you that they can’t access a particular application, that their requests aren’t being handled, or that they were kicked out of the application.
  • Processes fail to release the CPU, such as when you have a runaway process that is using up CPU time. When this happens, the system may appear to be slow or nonresponsive because the runaway process is hogging processor time and is not allowing other processes to complete their tasks.
  • Processes use more memory than they should, such as when an application has a memory leak. When this happens, processes aren’t releasing memory that they’re using properly. As a result, the system’s available memory may gradually decrease over time and as the available memory gets low, the system may be slow to respond to requests or it may become nonresponsive. Memory leaks can also make other programs running on the same system behave erratically.
In most cases, when you detect these or other problems with system processes, you’ll want to stop the process and start it again. You would also want to examine the event logs to see if the cause of the problem can be determined. With memory leaks, you would want to report the memory leak to the developers and see if an update that resolves the problem is available.
Tip 
A periodic restart of an application with a known memory leak is often useful. Restarting the application should allow the operating system to recover any lost memory.

Examining Running Processes

When you want to examine processes that are running on a local or remote system, you can use the Tasklist command-line utility. With Tasklist, you can:
  • Obtain the process ID, status, and other important information about processes running on a system.
  • View the relationship between running processes and services configured on a system.
  • View lists of DLLs used by processes running on a system.
  • Use filters to include or exclude processes from Tasklist queries.
Each of these tasks is discussed in the sections that follow.

Obtaining Detailed Information on Processes

On a local system, you can view a list of running tasks, simply by typing tasklist at the command prompt. As with many other command-line utilities, Tasklist runs by default with the permissions of the currently logged on user and you can also specify the remote computer whose tasks you want to query, and the Run As permissions. To do this, use the expanded syntax, which includes the following parameters:
/s Computer /u [Domain\]User [/p Password]
where Computer is the remote computer name or IP address, Domain is the optional domain name in which the user account is located, User is the name of the user account whose permissions you want to use, and Password is the optional password for the user account. If you don’t specify the domain, the current domain is assumed. If you don’t provide the account password, you are prompted for the password.
To see how the computer and user information can be added to the syntax, consider the following examples:
Query Mailer1 for running tasks:
tasklist /s mailer1
Query 192.168.1.5 for running tasks using the account adatum\wrstanek:
tasklist /s 192.168.1.5 /u adatum\wrstanek
Tip 
The basic output of these commands is in table format. You can also format the output as a list or lines of comma-separated values using /Fo List or /Fo Csv, respectively. Remember you can redirect the output to a file using output redirection (> or >>), such as tasklist /s mailer1 >> current-tasks.log.
Regardless of whether you are working with a local or remote computer, the output should be similar to the following:
Image Name PID Session Name Session# Mem Usage
===================== ====== ============== =========== ============
System Idle Process 0 Console 0 16 K
System 4 Console 0 216 K
smss.exe 420 Console 0 480 K
csrss.exe 472 Console 0 4,420 K
sqlgea.exe 496 Console 0 3,352 K
services.exe 540 Console 0 3,288 K
sqlmon.exe 552 Console 0 32,508 K
sdman.exe 728 Console 0 2,856 K
sdman.exe 788 Console 0 3,840 K
sdman.exe 988 Console 0 4,016 K
sdman.exe 1036 Console 0 2,032 K
sdman.exe 1048 Console 0 15,624 K
spoolsv.exe 1348 Console 0 4,728 K
msdtc.exe 1380 Console 0 3,808 K
The Tasklist fields provide the following information:
  • Image NameThe name of the process or executable running the process.
    Note 
    The first process is named System Idle Process. This special system process is used to track the amount of system resources that aren’t being used. For more information on this process, see the “Monitoring Processes and System Resource Usage” section of this chapter.
  • PID  The process identification number.
  • Session Name  The name of the session from which the process is being run. An entry of console means the process was started locally.
  • Session #  A numerical identifier for the session.
  • Memory Usage  The total amount of memory being used by the process at the specific moment that Tasklist was run.
If you want more detailed information you can specify that verbose mode should be used by including the /V parameter. Verbose mode adds the following columns of data:
  • Status  Current status of the process as Running, Not Responding, or Unknown. A process can be in an Unknown state and still be running and responding normally. A process that is Not Responding, however, more than likely must be stopped or restarted.
  • User Name  User account under which the process is running, listed in domain\user format. For processes started by Windows, you will see the name of the system account used, such as SYSTEM, LOCAL SERVICE, or NETWORK SERVICE, with the domain listed as NT AUTHORITY.
  • CPU Time  The total amount of CPU cycle time used by the process since its start.
  • Window Title  Windows display name of the process if available. Otherwise, the display name is listed as N/A for not available. For example, the Helpctr.exe process is listed with the Windows title Help And Support Center

Viewing the Relationship Between Running Processes and Services

When you use Tasklist with the /Svc parameter, you can examine the relationship between running processes and services configured on the system. In the output, you’ll see the process image name, process ID, and a list of all services that are using the process, similar to that shown in the following example:
Image Name PID Services
========================= ===== ===========================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 408 N/A
csrss.exe 456 N/A
winlogon.exe 484 N/A
services.exe 528 Eventlog, PlugPlay
lsass.exe 540 HTTPFilter, kdc, Netlogon, NtLmSsp,
PolicyAgent, ProtectedStorage, SamSs
svchost.exe 800 RpcSs
svchost.exe 956 Dnscache
svchost.exe 984 LmHosts
svchost.exe 996 AudioSrv, Browser, CryptSvc, dmserver,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla, Schedule,
seclogon, SENS, ShellHWDetection, W32Time,
winmgmt, wuauserv, WZCSVC
spoolsv.exe 1300 Spooler
msdtc.exe 1332 MSDTC
dfssvc.exe 1400 Dfs
dns.exe 1436 DNS
svchost.exe 1492 ERSvc
inetinfo.exe 1552 IISADMIN, IMAP4Svc, POP3Svc, RESvc, SMTPSVC
ismserv.exe 1568 IsmServ
ntfrs.exe 1584 NtFrs
svchost.exe 1688 RemoteRegistry
mad.exe 1724 MSExchangeSA
mssearch.exe 1784 MSSEARCH
exmgmt.exe 1824 MSExchangeMGMT
svchost.exe 2000 W3SVC
store.exe 2108 MSExchangeIS
By default, the output is formatted as a table, and you cannot use the list or CSV format. Beyond formatting, the important thing to note here is that services are listed by their abbreviated name, which is the naming style used by Sc, the service controller command-line utility, to manage services.
You can use the correlation between processes and services to help you manage systems. For example, if you think you are having problems with the World Wide Web Publishing Service (W3svc), one step in your troubleshooting process is to begin monitoring the service’s related process or processes. You would want to examine
  • Process status
  • Memory usage
  • CPU time
By tracking these statistics over time, you can watch for changes that could indicate the process has stopped responding, is a runaway process hogging CPU time, or that there is a memory leak.

Viewing Lists of DLLs Being Used by Processes

When you use Tasklist with the /M parameter, you can examine the relationship between running processes and DLLs configured on the system. In the output, you’ll see the process image name, process ID, and a list of all DLLs that the process is using, as shown in the following example:
Image Name PID Modules
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 408 ntdll.dll
csrss.exe 456 ntdll.dll, CSRSRV.dll, basesrv.dll,
winsrv.dll, KERNEL32.dll, USER32.dll,
GDI32.dll, sxs.dll, ADVAPI32.dll, RPCRT4.dll,
Apphelp.dll, VERSION.dll
Knowing which DLL modules a process has loaded can further help you pinpoint what may be causing a process to become nonresponsive, to fail to release the CPU, or to use more memory than it should. In some cases, you might want to check DLL versions to ensure they are the correct DLLs that the system should be running. Here, you would need to consult the Microsoft Knowledge Base or manufacturer documentation to verify DLL versions and other information.
If you are looking for processes using a specified DLL, you can also specify the name of the DLL you are looking for. For example, if you suspect that the printer spooler driver Winspool.drv is causing processes to hang up, you can search for processes that use Winspool.drv instead of Winspool32.drv and check their status and resource usage.
The syntax that you use to specify the DLL to find is
tasklist /m DLLName
where DLLName is the name of the DLL to search for. Tasklist matches the DLL name without regard to the letter case, and you can enter the DLL name in any letter case. Consider the following example:
tasklist /m winspool.drv
In this example, you are looking for processes using Winspool.drv. The output of the command would show the processes using the DLL, with their process IDs, as shown in the following example:
Image Name PID Modules
========================= ====== =============================================
winlogon.exe 484 WINSPOOL.DRV
spoolsv.exe 1300 winspool.drv
explorer.exe 3516 WINSPOOL.DRV
mshta.exe 3704 WINSPOOL.DRV

Filtering Task List Output

Using the /Fi parameter of the Tasklist utility, task lists can be filtered using any of the information fields available, even if the information field isn’t normally included in the output due to the parameters you’ve specified. This means you can specify that you want to see only processes listed with a status of Not Responding, only information for Svchost.exe processes, or only processes that use a large amount of CPU Time.
You designate how a filter should be applied to a particular Tasklist information field using filter operators. The filter operators available are
  • Eq  Equals. If the field contains the specified value, the process is included in the output.
  • Ne  Not equals. If the field contains the specified value, the process is excluded from the output.
  • Gt  Greater than. If the field contains a numeric value and that value is greater than the value specified, the process is included in the output.
  • Lt  Less than. If the field contains a numeric value and that value is less than the value specified, the process is included in the output.
  • Ge  Greater than or equal to. If the field contains a numeric value and that value is greater than or equal to the value specified, the process is included in the output.
  • Le  Less than or equal to. If the field contains a numeric value and that value is less than or equal to the value specified, the process is included in the output.
As Table 7-1 shows, the values that can be used with filter operators depend on the task list information field you use. Remember that all fields are available even if they aren’t normally displayed with the parameters you’ve specified. For example, you can match the status field without using the /V (verbose) flag.

Table 7-1: Filter Operators and Valid Values for Tasklist
Filter Field Name
Valid Operators
Valid Values
CPUTime
eq, ne, gt, lt, ge, le
Any valid time in the format hh:mm:ss
Services
eq, ne
Any valid string of characters
ImageName
eq, ne
Any valid string of characters
MemUsage
eq, ne, gt, lt, ge, le
Any valid integer, expressed in kilobytes (KB)
PID
eq, ne, gt, lt, ge, le
Any valid positive integer
Session
eq, ne, gt, lt, ge, le
Any valid session number
SessionName
eq, ne
Any valid string of characters
Status
eq, ne
Running, Not Responding, Unknown
Username
eq, ne
Any valid user name, with user name only or in domain\user format
WindowTitle
eq, ne
Any valid string of characters
Double quotation marks must be used to enclose the filter string. Consider the following examples to see how filters can be used:
Look for processes that are not responding:
tasklist /fi "status eq not responding"
Note 
When working with remote systems, you can’t filter processes by status or Window title. A work around for this in some cases is to pipe the output through the FIND command, such as tasklist /v /s Mailer1 /u adatum\wrstanek | find /i “not responding”. Note that, in this case, the field you are filtering must be in the output, which is why the /V parameter was added to the example. Further, you should specify that the find command should ignore the letter case of characters by using the /I parameter.
Look for processes on Mailer1 with a CPU time of more than 30 minutes:
tasklist /s Mailer1 /fi "cputime gt 00:30:00"
Look for processes on Mailer1 that use more than 20,000 KB of memory:
tasklist /s Mailer1 /u adatum\wrstanek /fi "memusage gt 20000"
Enter multiple /Fi “Filter” parameters to specify that output must match against multiple filters:
tasklist /s Mailer1 /fi "cputime gt 00:30:00" /fi "memusage gt 20000"

Monitoring Processes and System Resource Usage

Process Resource Monitor (Pmon) displays a snapshot of system resource usage and running processes. When you run this utility by typing pmon at the command prompt, the Process Resource Monitor collects information on the current system resource usage and running processes and displays it in the console window. The statistics are collected again every five seconds and redisplayed automatically. Pmon continues to run until you press the Q key to quit, and any other key you press tells Pmon to update the statistics.
Note 
Pmon output cannot be redirected, and you can only run Pmon on a local computer. To examine the resources of a remote computer, remotely access the computer using Remote Desktop. Further, you cannot use Pmon with the REMOTE command. Pmon redirects command output and is incompatible with the REMOTE command.
Pmon output is in table format with columns and rows of data, as follows:
Memory: 523248K Avail: 300516K PageFlts: 905 InRam Kernel: 2444K P:11496K
Commit: 337868K/ 214648K Limit:1280320K Peak: 345720K Pool N: 8372K P:11648K
Mem Mem Page Flts Commit Usage Pri Hnd Thd Image
CPU CpuTime Usage Diff Faults Diff Charge NonP Page Cnt Cnt Name
39448 64 59570 282 File Cache
96 0:38:42 16 0 0 0 0 0 0 0 0 1 IdleProcess
0 0:00:03 216 0 4080 0 28 0 0 8 1810 59 System
0 0:00:00 480 0 197 0 164 0 5 11 17 3 smss.exe
2 0:00:09 5236 56 2803 24 3216 5 48 13 756 10 csrss.exe
0 0:00:01 4624 0 12878 0 7620 8 50 13 537 21 sqlgea.exe
0 0:00:05 4740 0 2181 0 3932 12 52 9 388 19 services.exe
0 0:00:04 30676 0 19113 0 28856 83 80 9 1040 61 sqlmon.exe
0 0:00:00 2860 0 780 2 1040 23 21 8 242 11 sdman.exe
0 0:00:00 3788 0 1076 0 1272 4 28 8 127 14 sdman.exe
0 0:00:00 944 0 232 0 340 1 7 13 7 1 pmon.exe
0 0:00:00 1776 0 464 0 536 1 25 8 15 1 notepad.exe
As shown, the first two rows of data provide a summary of memory usage. The values are in kilobytes (KB) and provide the following information:
  • Memory, Avail  Provides information on the total RAM on the system. Memory shows the amount of physical RAM. Avail shows the RAM not currently being used and available for use.
  • InRam Kernel  Provides information on the memory used by the operating system kernel. Critical portions of kernel memory must operate in RAM and can’t be paged to virtual memory. This type of kernel memory is listed as InRam Kernel. The rest of kernel memory can be paged to virtual memory and is listed after the InRam Kernel.
  • Commit, Limit, Peak  Provides information on committed physical and virtual memory. Commit lists physical memory which has space reserved on the disk page file, followed by the current amount of committed virtual memory. Limit lists the amount of virtual memory that can be committed without having to extend the paging file(s). Peak lists the maximum memory used by the system since the system was started. If the difference between the total memory available and the committed memory used is consistently small, you might want to add physical memory to the system to improve performance. If the peak memory usage is within 10 percent of the Limit value, you might want to add physical memory or increase the amount of virtual memory or both.
  • Pool N and P  Pooled memory values provide information on the paged pool, which is physical memory used by the operating system that can be written to disk when they are not being used, and the nonpaged pool, which is physical memory used by the operating system that cannot be written to disk and must remain in memory so long as they are allocated. Pool N is the size of the nonpaged pool and the value that follows it (Pool P) is the size of the paged pool.
Following the two rows of memory usage statistics, you’ll find columns of information detailing resource usage for individual processes. These data points provide lots of information about running processes and you can use this information to determine which processes are hogging system resources, such as CPU time and memory. The fields displayed are the following:
  • CPU  The percentage of CPU utilization for the process.
  • CpuTime  The total amount of CPU cycle time used by the process since it was started.
  • Mem Usage  The amount of memory the process is using.
  • Mem Diff  Displays the change in memory usage for the process recorded since the last update.
  • Page Faults  A page fault occurs when a process requests a page in memory and the system can’t find it at the requested location. If the requested page is elsewhere in memory, the fault is called a soft page fault. If the requested page must be retrieved from disk, the fault is called a hard page fault. Most processors can handle large numbers of soft faults. Hard faults, however, can cause significant delays, and if there are a lot of hard faults, you may need to increase the amount of memory or reduce the system cache size. To learn how to determine the volume of hard faults, see the section of this chapter titled “Monitoring Memory Paging for Individual Processes.”
  • Flts Diff  Displays the change in the number of page faults for the process recorded since the last update.
  • Commit Charge  Displays the amount of virtual memory allocated to and reserved for the process.
  • Usage NonP/Page  Shows nonpaged pool and paged pool usage. The non paged pool is an area of system memory for objects that can’t be written to disk. The paged pool is an area of system memory for objects that can be written to disk when they aren’t used. You should note processes that require a high amount of nonpaged pool memory. If there isn’t enough free memory on the server, these processes might be the reason for a high level of page faults.
  • Pri  Shows the priority of the process. Priority determines how much of the system resources are allocated to a process. Standard priorities are Low (4), Below Normal (6), Normal (8), Above Normal (10), High (13), and Real- Time (24). Most processes have a normal priority by default. The highest priority is given to real-time processes. You may also see other priorities. For example, the Idle Process thread has a priority of 0, as this thread doesn’t use CPU time but rather tracks when the CPU is idle. Some system service processes have priority 9 or 11, to give either a slightly higher than normal priority or a slightly above normal priority to an important process.
  • Hnd Cnt  The total number of file handles maintained by the process. Use the handle count to gauge how dependent the process is on the file system. Some processes, such as those used by Microsoft Internet Information Services (IIS), have thousands of open file handles. System memory is required to maintain each file handle.
  • Thd Cnt  The current number of threads that the process is using. Most server applications are multithreaded. Multithreading allows concurrent execution of process requests. Some applications can dynamically control the number of concurrently executing threads to improve application performance. Too many threads, however, can cause the operating system to switch thread contexts too frequently, actually reducing performance.
  • Image Name  The name of the process or executable running the process.
As you examine processes, keep in mind that a single application might start multiple processes. Generally, these processes are dependent on a central process, and from this main process a process tree containing dependent processes is formed. When you terminate processes, you’ll usually want to target the main application process or the application itself rather than dependent processes. This ensures that the application is stopped cleanly.
If you use Pmon to examine running processes, you’ll note three unique processes:
  • File Cache  The file system cache is an area of physical memory that stores recently used pages of data for applications. When you see changes in the file cache, you are seeing I/O activity for applications. Memory usage shows the total physical memory used by the file cache. Page faults shows the number of pages sought but not found in the file system cache and had to be retrieved elsewhere in memory (soft fault) or from disk (hard fault). If you monitor the Flts Diff for the File Cache, you can determine the cache fault rate. A consistently high cache fault rate may indicate the need to increase the amount of physical memory on the system.
  • Idle Process  Unlike other processes that track resource usage, Idle Process tracks the amount of CPU processing time that isn’t being used. Thus, a 99 in the CPU column for the Idle Process means 99 percent of the system resources currently aren’t being used. If you believe that a system is overloaded, you should monitor the idle process. Watch the CPU usage and the total CPU time. If the system consistently has low idle time (meaning high CPU usage), you may want to consider upgrading the processor or even adding processors.
  • System  System shows the resource usage for the local system process.

Stopping Processes

When you want to stop processes that are running on a local or remote system, you can use the Taskkill command-line utility. With Taskkill, you can stop processes by process ID using the /Pid parameter or image name using the /Im parameter. If you want to stop multiple processes by process ID or image name, you can enter multiple /Pid or /Im parameters as well. With image names, however, watch out, because Taskkill will stop all processes that have that image name. Thus if there are three instances of Helpctr.exe running, all three processes would be stopped if you use Taskkill with that image name.
As with Tasklist, Taskkill runs by default with the permissions of the user who is currently logged on and you can also specify the remote computer whose tasks you want to query, and the Run As permissions. To do this, you use the expanded syntax, which includes the following parameters:
/s Computer /u [Domain\]User [/p Password]
where Computer is the remote computer name or IP address, Domain is the optional domain name in which the user account is located, User is the name of the user account whose permissions you want to use, and Password is the optional password for the user account. If you don’t specify the domain, the current domain is assumed. If you don’t provide the account password, you are prompted for the password.
Note 
Sometimes it is necessary to force a process to stop running. Typically, this is necessary when a process stops responding while opening a file, reading or writing data, or performing other read/write operations. To force a process to stop, you use the /F parameter. This parameter is only used with processes running on local systems. Processes stopped on remote systems are always forcefully stopped.
Tip 
As you examine processes, keep in mind that a single application might start multiple processes. Generally, these processes depend on a central process, and from this main process a process tree containing dependent processes is formed. Occasionally, you may want to stop the entire process tree, starting with the parent application process and including any dependent processes, and to do this, you can use the /T parameter.
Consider the following examples to see how Taskkill can be used:
Stop process ID 208:
taskkill /pid 208
Stop all processes with the image name Cmd.exe:
taskkill /im cmd.exe
Stop processes 208, 1346, and 2048 on MAILER1:
taskkill /s Mailer1 /pid 208 /pid 1346 /pid 2048
Force local process 1346 to stop:
taskkill /f /pid 1346
Stop a process tree, starting with process ID 1248 and including all child processes:
taskkill /t /pid 1248
To ensure that only processes matching specific criteria are stopped, you can use all the filters listed in Table 7-1 except Sessionname. For example, you can use a filter to specify that only instances of Cmd.exe that are not responding should be stopped rather than all instances of Cmd.exe (which is the default when you use the /Im parameter).
Taskkill adds a Modules filter with operators EQ and NE to allow you to specify DLL modules that should be excluded or included. As you may recall, you use the Tasklist /m parameter to examine the relationship between running processes and DLLs configured on the system. Using the Taskkill Modules filter with the EQ operator, you could stop all processes using a specific DLL. Using the Taskkill Modules filter with the NE operator, you ensure that processes using a specific DLL are not stopped.
Tip 
When you use filters, you don’t have to specify a specific image name or process ID to work with. This means you can stop processes based solely on whether they match filter criteria. For example, you can specify that you want to stop all processes that aren’t responding.
As with Tasklist, multiple filters can be used as well. Again, double quotation marks must be used to enclose the filter string. Consider the following examples to see how filters can be used with Taskkill:
Stop instances of Cmd.exe that are not responding:
taskkill /im cmd.exe /fi "status eq not responding"
Stop all processes with a process ID greater than 4 if they aren’t responding:
taskkill /fi "pid gt 4" /fi "status eq not responding"
Stop all processes using the Winspool.drv DLL:
taskkill /fi "modules eq winspool.drv"
Caution 
Although the /Im and /Pid flags are not used in the previous example, the process IDs are filtered so that only certain processes are affected. You don’t want to stop the system or system idle process accidentally. Typically, these processes run with a process IDs of 4 and 0 respectively, and if you stop them, the system will stop responding or shut down.

No comments:

Post a Comment