The Detailed Description Using Cmd NTSD Command
The usage is that open cmd and enter the following command can end the process:
Method 1: Using the PID of the end of the process
Command format: ntsd -c q -p pid
Examples: ntsd -cq -p 1332 (ending the explorer.exe process with PID 1332)
Detailed example: explorer.exe 'pid is 1332, but how to get process pid it? In the CMD, enter TASKLIST can get all the current task manager process PID (process is not all exploer.exe 1332)
Method 2: Using the end of the process name
Command format: ntsd -c q -pn ***. exe (***. exe name for the process, exe should not be spared)
Examples: ntsd -c q-pn explorer.exe
The other end of the process of DOS commands can also taskkill:
Command format: taskkill / pid 1234 / f (you can achieve the same effect.)
If the above can not satisfy your curiosity, here are:
ntsd Detailed
There are some high-level processes, tskill and taskkill might not end, then we have a more powerful tool, that is, system debug
Level ntsd. Precisely, ntsd is a system debugging tool, available only to system development-level administrators, but we kill the process or very interesting. Basically, apart from their own management processes WINDOWS system, ntsd can to kill.
Course slightly, and some level of super-rootkit Trojan, or do nothing, but fortunately this level of beef or a little horse.
ntsd debugger at boot time required to connect the user to specify a process. Use TLIST or PVIEWER, you can get an existing
Process process ID, and type ntsd -p pid to debug the process. ntsd command line using the following syntax:
ntsd [options] imagefile
Which, imagefile is the name of the image you want to debug, options are one of the following options:
Option Description -2 to open a character mode for debugging the application of the new window-d to redirect the output to the debug terminal to perform an automatic pass-g
Over the first break point in the subroutine ntsd -g to exit immediately upon termination o enabled debugging multiple processes, the default value is derived from the debugger, a
-P specifies a process to debug the process identified by the process ID-v verbose output generated
For example, suppose inetinfo.exe process ID of 104. Type the following command ntsd debugger to inetinfo process (IIS).
ntsd -p 104
You can also use ntsd start a new process for debugging. For example, ntsd notepad.exe notepad.exe will start a new process and establish a connection with it.
Once connected to a process, you can use various commands to view the stack, set breakpoints, memory dump, and so on.
Command displays all the threads of meaning - a list of KB displays the current thread's stack trace ~ * KB shows all the thread's stack trace shows the current R
U output register frame disassembled code and display the process name and the offset D [type] [] dump memory BP [#]
Set breakpoints BC [] clear one or more breakpoints BD [] disable one or more breakpoints BE [] enable one or more breakpoint BL [] lists a
Or more breakpoints
Personal opinion, there is a very important parameter is the-v argument, we can use it to find a process which articulated the following link library file.
There are many viruses, Trojan horses, or malicious software, like to make their own dynamic library, then the normal procedure of registration to the system load library list, to hide their purpose.
First we need to set ntsd output redirection, it is best to redirect to a text file, to facilitate our analysis.
c: \> set _NT_DEBUG_LOG_FILE_APPEND = c: \ pdw.txt
Note that although the output redirection, but we will still continue to display the output on the screen, and will enter into debug mode, we use the -c
q parameter, you can avoid this problem.
c: \> ntsd -c q -v notepad.exe
Now we pdw.txt file, you can see the notepad.exe file debugging information.
ntsd kill the process using the following parameters.
c: \> ntsd -c q -p PID of the process as long as you provide PID, then you can kill the process.
This address is http://www.computerites.com/computer-skills/2011/12/cmd-ntsd-commands-detailed-description-26.html
Method 1: Using the PID of the end of the process
Command format: ntsd -c q -p pid
Examples: ntsd -cq -p 1332 (ending the explorer.exe process with PID 1332)
Detailed example: explorer.exe 'pid is 1332, but how to get process pid it? In the CMD, enter TASKLIST can get all the current task manager process PID (process is not all exploer.exe 1332)
Method 2: Using the end of the process name
Command format: ntsd -c q -pn ***. exe (***. exe name for the process, exe should not be spared)
Examples: ntsd -c q-pn explorer.exe
The other end of the process of DOS commands can also taskkill:
Command format: taskkill / pid 1234 / f (you can achieve the same effect.)
If the above can not satisfy your curiosity, here are:
ntsd Detailed
There are some high-level processes, tskill and taskkill might not end, then we have a more powerful tool, that is, system debug
Level ntsd. Precisely, ntsd is a system debugging tool, available only to system development-level administrators, but we kill the process or very interesting. Basically, apart from their own management processes WINDOWS system, ntsd can to kill.
Course slightly, and some level of super-rootkit Trojan, or do nothing, but fortunately this level of beef or a little horse.
ntsd debugger at boot time required to connect the user to specify a process. Use TLIST or PVIEWER, you can get an existing
Process process ID, and type ntsd -p pid to debug the process. ntsd command line using the following syntax:
ntsd [options] imagefile
Which, imagefile is the name of the image you want to debug, options are one of the following options:
Option Description -2 to open a character mode for debugging the application of the new window-d to redirect the output to the debug terminal to perform an automatic pass-g
Over the first break point in the subroutine ntsd -g to exit immediately upon termination o enabled debugging multiple processes, the default value is derived from the debugger, a
-P specifies a process to debug the process identified by the process ID-v verbose output generated
For example, suppose inetinfo.exe process ID of 104. Type the following command ntsd debugger to inetinfo process (IIS).
ntsd -p 104
You can also use ntsd start a new process for debugging. For example, ntsd notepad.exe notepad.exe will start a new process and establish a connection with it.
Once connected to a process, you can use various commands to view the stack, set breakpoints, memory dump, and so on.
Command displays all the threads of meaning - a list of KB displays the current thread's stack trace ~ * KB shows all the thread's stack trace shows the current R
U output register frame disassembled code and display the process name and the offset D [type] [] dump memory BP [#]
Set breakpoints BC [] clear one or more breakpoints BD [] disable one or more breakpoints BE [] enable one or more breakpoint BL [] lists a
Or more breakpoints
Personal opinion, there is a very important parameter is the-v argument, we can use it to find a process which articulated the following link library file.
There are many viruses, Trojan horses, or malicious software, like to make their own dynamic library, then the normal procedure of registration to the system load library list, to hide their purpose.
First we need to set ntsd output redirection, it is best to redirect to a text file, to facilitate our analysis.
c: \> set _NT_DEBUG_LOG_FILE_APPEND = c: \ pdw.txt
Note that although the output redirection, but we will still continue to display the output on the screen, and will enter into debug mode, we use the -c
q parameter, you can avoid this problem.
c: \> ntsd -c q -v notepad.exe
Now we pdw.txt file, you can see the notepad.exe file debugging information.
ntsd kill the process using the following parameters.
c: \> ntsd -c q -p PID of the process as long as you provide PID, then you can kill the process.
This address is http://www.computerites.com/computer-skills/2011/12/cmd-ntsd-commands-detailed-description-26.html
No comments:
Post a Comment