Windows IT Pro
Connect With Us
Home > Systems Management > PsList and PsKill

PsList and PsKill

Free tools let you list and kill processes on a remote system

Aug. 30, 2004 Mark Russinovich | Windows IT Pro

In Windows Power Tools, "PsExec" (July 2004), I described how to use one of the Sysinternals PsTools suite's 11 tools. I continue my coverage of the suite this month with two tools that work great together: PsList and PsKill. PsList prints information about the processes running on a system, and PsKill lets you terminate processes. The PsTools are all console applications, work on remote systems as well as local ones with no need to manually install software on the remote systems, and support Windows NT 4.0 and later. You can download the tools for free from www.sysinternals.com.

PsList


Several command-line process-listing utilities are available for NT-based systems, each with varying capabilities. Tlist, for example, comes with the Support Tools for Windows 2000 and with the Debugging Tools for Windows Server 2003 and Windows XP, but it has no remote capability and shows limited information about a process. Tasklist, a tool introduced and bundled with XP, shows more information and works remotely but doesn't work on NT or Win2K. The Windows 2003 and Win2K resource kits also have several tools, but they suffer similar limitations.

PsList works in mixed-installation environments and provides process details not available with other tools. Figure 1 shows the tool's usage information. PsList doesn't require you to be running in an administrator account to use it. If the account from which you run the command isn't valid on a remote system, you can use the -u and -p switches to specify alternative user ID and password credentials on the command line.

If you run PsList without modifying options, it dumps a list of the processes running on a system with statistics for each process, as Figure 2, page 84, shows. The information is, from left to right, the process ID, priority class, number of threads, number of handles, private virtual memory allocated, amount of CPU time consumed, and time running. Excessive handle counts, high private virtual memory usage, and high CPU times can flag buggy applications. The time that a process started can connect the process with the action that started it, such as logging on.

Three switches (-m, -d, and -x) cause PsList to dump different types of process information. Use the -m switch if you want details about virtual and physical memory behavior. The data PsList presents includes the total virtual memory (shared and private) consumed by the process, the amount of physical memory assigned to the process, the private virtual memory allocated by the process, the peak amount of private memory allocated, the number of page faults, and the nonpaged and paged pool allocated by the process.

Processes that leak memory almost always do so by consuming and not releasing private virtual memory, a resource that the paging file must back and that is therefore finite. Leakers typically have ever -increasing private virtual memory allocation, and their peak amount of private memory allocated is a value that's always nearly the same as the current allocation. Task Manager's default memory number is the process's physical memory consumption (not virtual memory consumption), which isn't the correct indicator for a memory leak.

The -d switch shows details about the threads running within processes, including the context switches performed by the thread, the state of the thread (e.g., running, waiting), and the amount of CPU time consumed by the thread. Finally, the -x switch dumps process, memory, and thread detail.

Another switch that can prove useful is the -t switch, which causes PsList to dump the list of processes in process-tree format, which Figure 3 shows. A process tree is the structure that's built as processes create other processes; processes directly beneath another process and indented a few spaces to the right are descendants of the other process. Seeing processes in process-tree format can help you understand a process's purpose. For example, all processes that are children of SERVICES (i.e., the Service Control Manager) host Windows services. Figure 3 shows descendant processes listed and indented under the SERVICES process.

Dynamic Updating


Dumping a static view of all the processes on a system can be useful for auditing purposes or just to get an idea of what a machine is doing; however, a dynamic view of activity is usually more enlightening. When you use the -s switch, PsList updates displayed information at a default rate of once per second; you can use the -r switch to change the refresh rate. When you use only -s or only -s and -r with no additional options, PsList lists the active processes sorted by CPU usage, which effectively makes PsList a lightweight, remote Task Manager tool. PsList calculates CPU usage by comparing two updates, so the CPU usage column isn't updated until the first refresh interval expires. To exit PsList and return to a command prompt, press the Esc key.

The default view when using -s or -s and -r is useful for tracking down CPU hogs, but if you suspect a process is leaking memory, use -s in conjunction with the -m switch. This combination results in process memory statistics in which the processes are sorted by the amount of private virtual memory they've allocated. Figure 4 shows PsList revealing a leaking process. The Leakyapp process has a private virtual memory value that has grown over time and now equals the peak private virtual memory value.

If instead of monitoring process activity, you want a process listing that reflects CPU usage, you should follow the -s switch with 2, which indicates the number of seconds PsList should run before exiting:

pslist \\remote ­s 2

Two seconds gives PsList enough time to calculate CPU usage. If you send the output to a file for archiving, you'll see two process snapshots in the file; the second snapshot shows the process list sorted by CPU usage.

Looking for a Process


PsList takes a process name or a process ID in combination with any of the other command-line options it supports so that you can focus your investigation on one or more particular processes. For example, if you suspect that a process named Leakyapp is leaking memory, you can enter the command

pslist \\remote ­s leakyapp

and watch for changes to the process's private virtual memory allocation. You can also take advantage of PsList's process-specific behavior to write batch files that perform operations based on whether a process is running: PsList returns an error code of 0 if it finds a process that matches the name or PID you specify and an error code of 1 if it doesn't.

How PsList Works


Because I wanted PsList to work with NT 4.0, the tool can't use Windows Management Instrumentation (WMI) the way Tasklist does. Instead, PsList relies on the Performance API, the same API that the Performance Monitor tool uses. Because the Performance API supports a remote interface, PsList doesn't require you to install any special software on the remote systems that you want to monitor. Unfortunately, the Performance API doesn't provide all the information that WMI does, so unlike Tasklist, PsList can't obtain the user name of the account in which a process is running or the list of DLLs loaded into a process.

PsKill


Often, when you display running processes, you see one that you want to stop. The PsKill tool fills that need. The tool takes either a process name or a process ID and terminates all matching processes on the system you specify.

Unlike PsList, PsKill requires that the account from which you run it have administrative privileges on the system you target. This requirement results from the fact that to operate remotely, PsKill, like PsExec (which I described in July), extracts a service from its executable image and copies it to the remote system through the admin$ share, starts the service, sends instructions about what to terminate, and uninstalls and deletes the service after the command has finished. If you need to, you can use the -u and -p switches to specify alternative credentials.

I'm always looking for interesting, real-world examples of PsTools usage that I can share with others. Please send me any stories you have about problems you've solved by using any of these tools.

Discuss this Article 22

shanyuen
on Aug 28, 2006
How to kill process that have same name with another process (ex:winlogon.exe) but have different path without knowing it's PID ? Trojan infecting my computers, then i want to creating batch file that can easily execute to many computers. I can kill that trojan process if pskill have a feature to add file's path parameter.
Anonymous User (not verified)
on Mar 11, 2005
Launch the application from inside a command prompt (Start -> Run -> cmd). These utilities are command programs, not GUI's.
Anonymous User (not verified)
on Jul 19, 2005
**** this program trojan's use it giving me hell.
Tamera (not verified)
on Mar 24, 2009
Good article - helpful
Anonymous User (not verified)
on Mar 17, 2005
Is there a command program similar to PsKill available for Windows Me ? Please let me know at tessierao[at]eth[dot]net Thanks
Anonymous User (not verified)
on Mar 1, 2005
oi
Anonymous User (not verified)
on Feb 21, 2005
I downloaded - unzipped and then when I try to run program it shows up briefly and then goes away. Very fast.
Anonymous User (not verified)
on Mar 10, 2005
really, me to. any reason why would be very helpful.
Hillard (not verified)
on Aug 6, 2005
would be nice to have an example of the cammand to kill example.exe on drive c:\ with pskill on drive J: I say this because McAfee always thinks this file is a virus and deletes it. hkahan@post.havard.edu PS: I need this type of file because Outlook.exe for does not close in taskmanager when closing Outlook 2003. This closing issue is known by MS but they do not offer a solution.
Anonymous User (not verified)
on Mar 12, 2005
you have to right click them and flip though that box till you find a check called "close on exit" and unclick it that will make a .pif (program info file) and you can click on either to run it
Anonymous
on Jul 4, 2011
a very good article, thanks .... I have been much use! Roberta di finanziamenti e <a href="http://prestitiinpdap.cessionequinto-inpdap.com/">prestiti INPDAP</a>
Anonymous User (not verified)
on Mar 15, 2005
yrdy

Please or Register to post comments.

Related Articles
IT/Dev Connections

Las Vegas
September 30th - October 4th

Paul ThurottYou'll have the opportunity to experience:
• The Microsoft
Technology Roadmap
• Office 365 Implementation
• Hyper-V Optimizing
• Windows 8 Deployment
and much more!

Come See Paul Thurrott & Rod Trent in Person!

Early Registration Now Open

Upcoming Training

Mastering System Center 2012

During over 6 hours of training you can join John Savill from your computer as he will walk you through the key components and capabilities of System Center 2012, what’s involved in using the components, and the benefit they can bring to your environment.

Register Now

Current Issue

May 2013 - The NameTranslate object is useful when you need to translate Active Directory object names between different formats, but it's awkward to use from PowerShell. Here's a PowerShell script that eliminates the awkwardness.

CURRENT ISSUE / ARCHIVE / SUBSCRIBE

Windows Forums

Get answers to questions, share tips, and engage with the Windows Community in our Forums.

Featured Products
Windows 8 Tips
Windows 8 Tips

You’ve been told that Microsoft has somehow compromised the beloved desktop environment and ruined it with Metro...

VIP - Premium Membership
For the IT Professional that needs access to training, premium content, discounts, and more, joining our VIP group just...
Testing with Visual Studio 2012

June 25th
Presented by: Brian Minisi

EARLY BIRD DISCOUNT -...

View CatalogView Shopping Cart

WindowsITPro.com
Related Sites
Copyright © 2013 Penton Media, Inc