To end a process, open cmd and enter one of the following commands:
Method 1: end the process by its PID
Command format: ntsd -c q -p pid
Command example: ntsd -c q -p 1332 (ends the process whose PID is 1332)
Example details: the PID here is 1332, but how do you find a process's PID? Enter TASKLIST in cmd to list the PIDs of all processes currently shown in Task Manager (every process has its own PID; it will not be 1332 in general).
Method 2: end the process by its process name
Command format: ntsd -c q -pn ***.exe (***.exe is the process name; the .exe extension cannot be omitted)
Command example: ntsd -c q -pn
Another command-line command that can end a process is taskkill:
Command format: taskkill /pid 1234 /f (this achieves the same effect; /f forces termination)
If the above does not satisfy your curiosity, here is a more detailed explanation:
ntsd detailed explanation
Some high-level processes cannot be ended by tskill or taskkill, so we have a more powerful tool: the system-debug-level ntsd. Strictly speaking, ntsd is a system debugging tool intended only for system-development-level administrators, but it is still very handy for us to kill processes. Basically, ntsd can kill anything except the Windows system's own management processes.
Of course, it is still powerless against some rootkit-level super *s, but fortunately such *s are still rare.
The ntsd debugger requires you to specify a process to attach to when it starts. Using TLIST or PVIEWER you can get the process ID of an existing process, and then type ntsd -p pid to debug that process. The ntsd command line uses the following syntax:
ntsd [options] imagefile
where imagefile is the name of the image to be debugged and options is one or more of the following:
Option   Description
-2       Opens a new window for debugging character-mode applications
-d       Redirects the output to the debug terminal
-g       Lets execution run automatically past the first breakpoint
-G       Makes ntsd exit immediately when the child process terminates
-o       Enables debugging of multiple processes; the default is a single process spawned by the debugger
-p pid   Attaches to the process identified by the process ID pid
-v       Generates verbose (detailed) output
For example, assuming the process ID is 104, type the following command to attach the ntsd debugger to the inetinfo process (IIS):
ntsd -p 104
You can also use ntsd to start a new process for debugging: ntsd followed by an image name starts a new instance of that program and attaches to it.
Once attached to a process, you can use various commands to view the stack, set breakpoints, dump memory, and more.
Command           Meaning
~                 Display a list of all threads
KB                Show the stack trace of the current thread
~*KB              Show the stack trace of all threads
R                 Show the registers of the current frame
U                 Disassemble code, displaying the process name and offset
D[type][<range>]  Dump memory
BP[#]             Set a breakpoint
BC[<bp>]          Clear one or more breakpoints
BD[<bp>]          Disable one or more breakpoints
BE[<bp>]          Enable one or more breakpoints
BL[<bp>]          List one or more breakpoints
In my opinion there is one very important parameter: -v. Through it we can find out which dynamic link library (DLL) files are loaded into a process.
Many viruses, *s and other malware like to package themselves as dynamic libraries and then register themselves in the load list of a normal program on the system in order to hide.
First we need to set up ntsd's output redirection, preferably redirecting to a text file for our analysis and research:
c:\>set _NT_DEBUG_LOG_FILE_APPEND=c:\
Note that even with output redirected, the output is still displayed on the screen and ntsd enters interactive debug mode. The -c q parameter (run the q command, quit, as soon as the debugger attaches) avoids this problem.
c:\>ntsd -c q -v
Now we can see the debugging information in the log file we specified.
ntsd kills a process with the following parameters:
c:\>ntsd -c q -p PID  As long as you can supply the PID of the process, you can kill it.
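As an added example (not part of the original post), here is a PowerShell script that performs the same DLL inspection without a debugger: it resolves a process name to its PIDs, the way TASKLIST does, reads each process's loaded module list (the same information ntsd -v prints), and flags modules that live outside the Windows and Program Files directories or lack a valid Authenticode signature. It assumes PowerShell 5.1 or later on Windows and the same bitness as the target process; $ProcessName and $trustedRoots are names chosen for this example.

```powershell
# Added example, not code from the original post.
# Flags DLLs loaded into a process from unusual locations or without a valid signature.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName   # e.g. "notepad" (no .exe, as Get-Process expects)
)

# Directories from which legitimately installed code is normally loaded (assumed list).
$trustedRoots = @($env:windir, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Get-Process resolves the name to every matching PID, like TASKLIST does.
$procs = Get-Process -Name $ProcessName -ErrorAction Stop

foreach ($p in $procs) {
    # .Modules is the loaded-module list; it is unreadable for protected or
    # higher-integrity processes and for processes of a different bitness.
    try { $mods = $p.Modules } catch {
        Write-Warning "Cannot read modules of PID $($p.Id): $_"
        continue
    }

    foreach ($m in $mods) {
        $path = $m.FileName
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true; break
            }
        }
        # Status is 'Valid' only when the file carries a trusted Authenticode signature.
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status

        if (-not $inTrusted -or $sig -ne 'Valid') {
            [pscustomobject]@{
                PID       = $p.Id
                Module    = $m.ModuleName
                Path      = $path
                Signature = $sig
                Location  = if ($inTrusted) { 'trusted directory' } else { 'OUTSIDE trusted directories' }
            }
        }
    }
}
```

Unsigned modules inside the trusted directories are common for third-party software, so treat the output as a list of candidates to verify (hash, vendor, install date), not as a verdict.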