llewxam

Persistent Process Killer V3

44 posts in this topic

#1 ·  Posted (edited)

I've done a few versions of this idea, and I think I may have posted one a while back, but this is my latest take on it. I use it to help remove spyware that likes to keep popping up and likes to suppress other apps from running.

To use it, just run it and double-click the process you want killed, and click as many as you need to kill. For a little extra "bang", run it with the "/nuke" switch and it will kill everything not set as an exception in an effort to kill whatever may prevent it from starting normally.

$exceptionList has many, but probably not all, vital processes for WinXP and Win7. I have not tested it on WinVista but can't imagine there would be problems. However, anybody who has suggestions on additions/removals from the exception list, please let me know. For that matter, any improvements at all are welcome.

I compile this as PPK3, if you are going to compile it as something different, make sure you replace "PPK3.exe" in the $exceptionList or it will kill itself as soon as possible :mellow:

Enjoy

#NoTrayIcon
#region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Run_Tidy=y
#endregion ;**** Directives created by AutoIt3Wrapper_GUI ****

;~ Coded by Ian Maxwell (llewxam)
;~ AutoIt 3.3.6.1

#include <WindowsConstants.au3>                     ;needed for $WS_CAPTION, $WS_VSCROLL, $WM_COMMAND
#include <GUIConstantsEx.au3>                       ;needed for $GUI_RUNDEFMSG (included explicitly rather than relying on GuiListBox.au3 to pull it in)
#include <Array.au3>                                ;needed for _ArrayAdd, _ArrayDelete, _ArrayUnique, _ArraySort, _ArrayBinarySearch
#include <ProgressConstants.au3>                    ;needed for $PBS_SMOOTH, $PBS_MARQUEE
#include <GuiListBox.au3>                           ;needed for $LBS_NOTIFY, $LBS_SORT, $LBS_NOSEL, _GUICtrlListBox_* functions

AdlibRegister("_Alive", 50)
AdlibRegister("_Scan")

$exceptionList = "PPK3.exe,[System Process],System,smss.exe,csrss.exe,wininit.exe,csrss.exe,services.exe,winlogon.exe,lsass.exe,lsm.exe,svchost.exe,atiesrxx.exe,audiodg.exe,CTAudSvc.exe,atieclxx.exe,spoolsv.exe,taskhost.exe,dwm.exe,explorer.exe,rundll32.exe,GoogleCrashHandler.exe,MOM.exe,CCC.exe,SearchIndexer.exe,wmpnetwk.exe,SearchProtocolHost.exe,SearchFilterHost.exe,dllhost.exe,mpcmdrun.exe,msiexec.exe,unsecapp.exe,vds.exe,WmiPrvSE.exe"
$exceptions = StringSplit($exceptionList, ",") ;list of what not to kill
Local $pList[1] ;list of running processes
$pListOld = $pList ;to compare a previous process list, so $liveProc is only updated if the process list changes
Local $killList[1] ;list of processes to kill
$liveProcCount = 0 ;tally of processes running
$killProcCount = 0 ;tally of processes to be killed
$killListTrimmed = False ;flag for detecting when $killList has been trimmed
$goNuclear = False ;flag set by /nuke command line switch
$started = False ;used in Nuke mode to avoid crashes due to no GUI


;check for and run nuke
If $CmdLine[0] Then ;many viruses/spyware apps suppress EXEs from running, nuke mode is meant to sneak
    For $c = 1 To $CmdLine[0] ;PPK in before it can be suppressed.  Just run "ppk /nuke" or "ppk nuke" repeatedly until it starts
        If StringLower($CmdLine[$c]) == "/nuke" Or StringLower($CmdLine[$c]) == "nuke" Then $goNuclear = True
    Next
EndIf
If $goNuclear == True Then
    $pListRaw = ProcessList()
    If @error Then
        MsgBox(48, "ERROR", "The process list could not be built!")
        Exit
    EndIf
    Local $pListTemp[1] ;used to get the list of running processes down to a 1-dimensional array
    For $a = 1 To $pListRaw[0][0]
        _ArrayAdd($pListTemp, $pListRaw[$a][0])
    Next
    _ArrayDelete($pListTemp, 0)
    $pList = _ArrayUnique($pListTemp)

    If $pList[0] > 0 Then
        For $a = 1 To $pList[0]
            For $b = 1 To $exceptions[0]
                If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
            Next
            _Execute($pList[$a])
            _ArrayAdd($killList, $pList[$a]) ;index 0 of $killList stays a placeholder; the display and kill loops below start at index 1, so it must not be deleted here
        Next
    EndIf
    $goNuclear = False
EndIf


;configure GUI
$vert = ((@DesktopHeight - 80) / 3) - 40
$PPKGUI = GUICreate("Persistent Process Killer", 200, @DesktopHeight - 70, @DesktopWidth - 205, 0, $WS_CAPTION)
$alive = GUICtrlCreateProgress(5, 5, 190, 20, BitOR($PBS_SMOOTH, $PBS_MARQUEE)) ;just to let the user know the app is still running
$aliveStatus = 0
$closeButton = GUICtrlCreateButton("Close", 75, 35, 50, 20)
$liveProcLabel = GUICtrlCreateLabel("Running Processes:", 5, 65, 190)
$liveProc = GUICtrlCreateList("", 5, 80, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
$killProcLabel = GUICtrlCreateLabel("Processes to Kill:", 5, $vert + 85, 190)
$killProc = GUICtrlCreateList("", 5, $vert + 100, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
GUICtrlCreateLabel("Errors:", 5, $vert * 2 + 105)
$errors = GUICtrlCreateList("", 5, $vert * 2 + 120, 190, $vert, BitOR($WS_VSCROLL, $LBS_SORT, $LBS_NOSEL))
GUISetState(@SW_SHOW, $PPKGUI)
GUIRegisterMsg($WM_COMMAND, "_WM_COMMAND")
WinSetOnTop("Persistent Process Killer", "", 1)


;perform initial scan for running processes
$pListRaw = ProcessList()
If @error Then
    MsgBox(48, "ERROR", "The process list could not be built!")
    Exit
EndIf
Local $pListTemp[1]
For $a = 1 To $pListRaw[0][0]
    _ArrayAdd($pListTemp, $pListRaw[$a][0])
Next
_ArrayDelete($pListTemp, 0)
$pList = _ArrayUnique($pListTemp)

If $pList[0] > 0 Then
    For $a = 1 To $pList[0]
        For $b = 1 To $exceptions[0]
            If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
        Next
        GUICtrlSetData($liveProc, $pList[$a])
        $liveProcCount += 1
    Next
EndIf
GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)

For $a = 1 To UBound($killList) - 1
    GUICtrlSetData($killProc, $killList[$a])
    $killProcCount += 1
Next
GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)

$started = True ;now all GUI controls will be used


;main loop
Do
    $msg = GUIGetMsg()
    If $msg = $closeButton Then _Exit()

    For $a = 1 To UBound($killList) - 1

        ;placed this check at beginning and end of loop so when $killList is decreased an out-of-range error will be avoided
        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf

        If ProcessExists($killList[$a]) Then
            _Execute($killList[$a])
        EndIf

        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf
    Next
Until 1 = 2


Func _Scan()
    If $started == True Then
        $pListOld = $pList
        $pListRaw = ProcessList()
        If @error Then
            MsgBox(48, "ERROR", "The process list could not be built!")
            Exit
        EndIf

        Local $pListTemp[1]
        For $a = 1 To $pListRaw[0][0]
            _ArrayAdd($pListTemp, $pListRaw[$a][0])
        Next
        _ArrayDelete($pListTemp, 0)
        $pList = _ArrayUnique($pListTemp)

        If $pList[0] > 0 Then
            $refresh = False ;assume a refresh of $liveProc is not needed

            If $pList[0] <> $pListOld[0] Then
                $refresh = True ;different number of elements = refresh needed
            Else
                For $z = 1 To $pList[0]
                    If $pList[$z] <> $pListOld[$z] Then $refresh = True ;something is not matching up, so a refresh is needed
                Next
            EndIf

            If $refresh = True Then
                $liveProcCount = 0
                _GUICtrlListBox_BeginUpdate($liveProc)
                _GUICtrlListBox_ResetContent($liveProc)
                For $a = 1 To $pList[0]
                    For $b = 1 To $exceptions[0]
                        If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
                    Next
                    _GUICtrlListBox_AddString($liveProc, $pList[$a])
                    $liveProcCount += 1
                Next
                _GUICtrlListBox_EndUpdate($liveProc)
                GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)
            EndIf
        EndIf
    EndIf
    Return
EndFunc   ;==>_Scan


Func _Execute($victim)
    $killed = False
    $delay = TimerInit()
    Do
        ProcessClose($victim)
        If @error Then
            $status = @error
        Else
            $killed = True
            ExitLoop
        EndIf
        Sleep(50)
    Until TimerDiff($delay) > 1000

    If $killed = False Then
        If $started == True Then
            GUICtrlSetData($errors, $victim & " could not be killed! (" & $status & ")")
            _ArraySort($killList)
            $index = _ArrayBinarySearch($killList, $victim)
            If Not @error Then _ArrayDelete($killList, $index) ;only trim when the victim is actually in the list
            $killProcCount = 0
            _GUICtrlListBox_BeginUpdate($killProc)
            _GUICtrlListBox_ResetContent($killProc)
            For $a = 1 To UBound($killList) - 1
                GUICtrlSetData($killProc, $killList[$a])
                $killProcCount += 1 ;recount from the rebuilt list rather than assuming exactly one entry was removed
            Next
            _GUICtrlListBox_EndUpdate($killProc)
            GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
            $killListTrimmed = True
        EndIf
    EndIf
    Return
EndFunc   ;==>_Execute


Func _liveProc_DoubleClick()
    $sListItem = GUICtrlRead($liveProc)
    If $sListItem <> "" Then
        _ArrayAdd($killList, $sListItem)
        $killProcCount += 1
        GUICtrlSetData($killProc, $sListItem)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
    EndIf
    Return
EndFunc   ;==>_liveProc_DoubleClick


Func _killProc_DoubleClick()
    $sListItem = GUICtrlRead($killProc)
    If $sListItem <> "" Then
        $killProcCount = 0
        _ArraySort($killList)
        $index = _ArrayBinarySearch($killList, $sListItem)
        If Not @error Then _ArrayDelete($killList, $index) ;only trim when the item is actually in the list
        _GUICtrlListBox_BeginUpdate($killProc)
        _GUICtrlListBox_ResetContent($killProc)
        For $a = 1 To UBound($killList) - 1
            GUICtrlSetData($killProc, $killList[$a])
            $killProcCount += 1
        Next
        _GUICtrlListBox_EndUpdate($killProc)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
        $killListTrimmed = True
    EndIf
    Return
EndFunc   ;==>_killProc_DoubleClick


Func _WM_COMMAND($hWnd, $msg, $wParam, $lParam)
    Local $nNotifyCode = BitShift($wParam, 16)
    Local $nID = BitAND($wParam, 0xFFFF)
    Local Const $LBN_DBLCLK = 2

    Switch $nID
        Case $liveProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _liveProc_DoubleClick()
            EndSwitch
        Case $killProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _killProc_DoubleClick()
            EndSwitch
    EndSwitch
    Return $GUI_RUNDEFMSG
EndFunc   ;==>_WM_COMMAND


Func _Alive()
    If $started = True Then
        $aliveStatus += 2
        If $aliveStatus > 102 Then $aliveStatus = 0
        GUICtrlSetData($alive, $aliveStatus)
    EndIf
    Return
EndFunc   ;==>_Alive


Func _Exit()
    $reallyQuit = MsgBox(4, "Quit?", "Are you sure you want to quit?")
    If $reallyQuit = 6 Then Exit
    Return
EndFunc   ;==>_Exit
Edited by llewxam

My projects:

  • IP Scanner - Multi-threaded ping tool to scan your available networks for used and available IP addresses, shows ping times, resolves IPs in to host names, and allows individual IPs to be pinged.
  • INFSniff - Great technicians tool - a tool which scans DriverPacks archives for INF files and parses out the HWIDs to a database file, and rapidly scans the local machine's HWIDs, searches the database for matches, and installs them.
  • PPK3 (Persistent Process Killer V3) - Another for the techs - suppress running processes that you need to keep away, helpful when fighting spyware/viruses.
  • Sync Tool - Folder sync tool with lots of real time information and several checking methods.
  • USMT Front End - Front End for Microsoft's User State Migration Tool, including all files needed for USMT 3.01 and 4.01, 32 bit and 64 bit versions.
  • Audit Tool - Computer audit tool to gather vital hardware, Windows, and Office information for IT managers and field techs. Capabilities include creating a customized site agent.
  • CSV Viewer - Displays CSV files with automatic column sizing and font selection. Lines can also be copied to the clipboard for data extraction.
  • MyDirStat - Lists number and size of files on a drive or specified path, allows for deletion within the app.
  • 2048 Game - My version of 2048, fun tile game.
  • Juice Lab - Ecigarette liquid making calculator.
  • Data Protector - Secure notes to save sensitive information.
  • VHD Footer - Add a footer to a forensic hard drive image to allow it to be mounted or used as a virtual machine hard drive.
  • Find in File - Searches files containing a specified phrase.
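The logic of the script above (the case-insensitive exception-list filter, the persistent kill loop, the retry-then-drop handling in _Execute, and the "only redraw when the list changed" check) modelled in Python as an added illustration. This is not the original AutoIt code or anything from the PPK3 project: the FakeSystem class, its process table and the names spyware.exe, stubborn.exe and notepad.exe are constructed for the demo, nothing here touches real processes, and /nuke corresponds to appending every name visible_processes() returns to kill_list.

```python
import time
from dataclasses import dataclass, field

# Subset of the script's $exceptionList; lower-cased once, matching its StringLower() comparisons.
EXCEPTIONS = {n.lower() for n in (
    "PPK3.exe", "[System Process]", "System", "smss.exe", "csrss.exe", "wininit.exe",
    "services.exe", "winlogon.exe", "lsass.exe", "svchost.exe", "explorer.exe")}

def is_protected(name):
    return name.lower() in EXCEPTIONS

def visible_processes(raw_list):
    """ProcessList() -> unique names -> exceptions dropped -> sorted: what $liveProc shows."""
    return sorted({name for name, _pid in raw_list if not is_protected(name)}, key=str.lower)

def needs_refresh(old_view, new_view):
    """The flicker fix from the thread: redraw the listbox only when the view changed."""
    return old_view != new_view

@dataclass
class FakeSystem:
    """Constructed stand-in for the OS: a process table (name -> pid), names that refuse
    to die, and names that respawn after being killed, which is what PPK3 suppresses."""
    procs: dict
    unkillable: set = field(default_factory=set)
    respawns: set = field(default_factory=set)
    next_pid: int = 5000

    def process_list(self):
        return list(self.procs.items())   # (name, pid) pairs, like the 2-D ProcessList() array

    def close(self, name):
        """Model of ProcessClose(): returns (ok, error_text)."""
        if name in self.unkillable:
            return False, "TerminateProcess failed"
        self.procs.pop(name, None)
        return True, None

    def tick(self):
        """Between two passes, respawning malware comes back under a new PID."""
        for name in self.respawns:
            if name not in self.procs:
                self.next_pid += 1
                self.procs[name] = self.next_pid

@dataclass
class KillLoop:
    kill_list: list = field(default_factory=list)   # $killList
    errors: list = field(default_factory=list)      # the $errors listbox
    timeout: float = 1.0                            # seconds _Execute keeps retrying
    retry_sleep: float = 0.05                       # the Sleep(50) between retries

    def execute(self, victim, system):
        """_Execute: retry until the close succeeds or the timeout expires; an entry that
        cannot be killed is logged and dropped so the main loop never hangs on it."""
        deadline = time.monotonic() + self.timeout
        while True:
            ok, err = system.close(victim)
            if ok:
                return True
            if time.monotonic() >= deadline:
                break
            time.sleep(self.retry_sleep)
        self.errors.append(f"{victim} could not be killed! ({err})")
        self.kill_list.remove(victim)
        return False

    def run_pass(self, system):
        """One iteration of the main Do/Until loop; returns the names killed this pass."""
        running = {name.lower() for name, _pid in system.process_list()}
        killed = []
        for victim in list(self.kill_list):          # copy: execute() may trim the list
            if victim.lower() in running and self.execute(victim, system):
                killed.append(victim)
        return killed

def demo():
    """Two passes over a constructed process table: one respawning and one unkillable target."""
    system = FakeSystem(
        procs={"System": 4, "csrss.exe": 600, "explorer.exe": 1200, "notepad.exe": 2000,
               "spyware.exe": 3000, "stubborn.exe": 3100},   # constructed sample names
        unkillable={"stubborn.exe"}, respawns={"spyware.exe"})
    loop = KillLoop(timeout=0.02, retry_sleep=0.005)        # short timeout for the demo
    view_before = visible_processes(system.process_list())
    loop.kill_list.extend(["spyware.exe", "stubborn.exe"])  # two double-clicks in $liveProc
    first = loop.run_pass(system)    # spyware.exe dies; stubborn.exe is logged and dropped
    system.tick()                    # spyware.exe respawns under a new PID
    second = loop.run_pass(system)   # ...and is killed again: the "persistent" part
    view_after = visible_processes(system.process_list())
    return {"view_before": view_before, "first_pass": first, "second_pass": second,
            "kill_list": list(loop.kill_list), "errors": list(loop.errors),
            "refresh": needs_refresh(view_before, view_after)}

if __name__ == "__main__":
    print(demo())
```

Running it prints the dict demo() returns. The point to take from it is in execute(): an entry that cannot be closed is logged and removed from the kill list after the timeout instead of being retried on every pass, which is the lock-up on unkilled processes mentioned later in this thread.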


Updated with many changes

Ian



I have not had the misfortune of encountering any malware that kills unknown processes, so my app has functioned despite not being protected or aggressive... If I happen to chance upon such a beast, maybe I'll run your app. :mellow:

Suggestion:

When your app has cycled through processes and killed wanted items... you could afford the luxury of checking the old list against the new list, so you don't have to update the whole list every second, since it is flashing... Though I'd agree prettiness is not a first priority.

Bug:

If a process cannot be killed, the app could not display the close dialogue...

/Manko


Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...


I have not had the misfortune of encountering any malware that kills unknown processes, so my app has functioned despite not being protected or aggressive... If I happen to chance upon such a beast, maybe I'll run your app. :mellow:

Suggestion:

When your app has cycled through processes and killed wanted items... you could afford the luxury of checking the old list against the new list, so you don't have to update the whole list every second, since it is flashing... Though I'd agree prettiness is not a first priority.

Bug:

If a process cannot be killed, the app could not display the close dialogue...

/Manko

The flickering Listbox is annoying, and I was trying to get away with a quick fix, comparing the arrays using _ArrayToString; I finally realized that its being a 2D array was probably why it was failing, and I wasted more time than it would have taken to do it myself!! :P That is something I plan on doing tonight.

I also had the beginnings of an error check on hung ProcessClose commands, but since it was unfinished I took it out of the version I posted here. Again, I hope to do that soon.

Thanks for the comments

Ian



New changes:

List flicker is fixed

Fancy auto-size thingy so it fits any desktop height properly ( :P )

Basic error handler and error Listbox

Function dedicated to killing

I'm afraid the cosmetic changes and inclusion of an error list were overkill. In my testing on a non-infected computer, the only way I could get a ProcessClose to fail was by only allowing 40 milliseconds for it to work, and the only @error ever generated for that was "TerminateProcess Failed" (duh), so the usefulness of that is debatable. Maybe there is a smarter way for that to work, but if there is an issue at least it will be reported.

Also, since the flicker is fixed, and since that had the side-effect of making it easier to double-click the process you want killed (the refresh used to mess with the selected item, so longer periods with no refresh were needed), the AdlibRegister for the _Scan function has been shortened to the default 250 ms. So now every quarter-second the process list will be updated, and it is much less annoying! :mellow:

Enjoy

Ian



G'day Ian

Looks REAL useful. I've added it to my "tools". I know it will come in handy.

A couple of things I thought may be a good addition to the program.

1.

Quite often the mouse is dead on infected computers. As well as double-click, what about adding "Space" and/or "Enter" to select processes to be killed?

2.

Have you thought about multiple selection?

I've run into viruses that restart the computer if any "one" of its parts is killed off. So a quick kill of ALL parts would be useful.

NUKE goes some of the way but I'd like to leave everything running EXCEPT the items I select.

A complete NUKE may leave the computer non-functional BUT is a great option and in most cases will work perfectly.

Thanks for the great program!

John Morrison

aka

Storm-E


@storme: Multi killing will probably not work; unless they're suspended, they will still have time to discover what's happening since they are killed in sequence, not "all at once"... ...or maybe luck is on our side and they don't check fast enough... :mellow:



@Manko

I was checking out the update to ProDLLer and was greedily looking over the Force Terminate code; I might have to use that in PPK! As it is right now, unkilled processes can cause PPK to lock up, so your suspend and terminate might be very useful!!

@Storm-E

Not sure if I'll go the route you're thinking, but I'm thinking of having the /nuke option add everything to the $killList array so it will persistently kill what nuke kills (that much is done), then have a double-click to selectively remove items that nuke found. That should allow the same result as your suggestion. As for the keyboard shortcuts, WHEW, I'm a keyboard shortcut fanatic but can't even imagine how hard it would be to fight some nasty virii/spyware with keyboard only!! I'll ponder that one, but hopefully the persistent /nuke will serve the same purpose.

(Side-note, what about plugging in a USB mouse after you have noticed the problem? Hopefully Plug&Pray would get you a pointer going...)

Thanks

Ian



@Storm-E

Not sure if I'll go the route you're thinking, but I'm thinking of having the /nuke option add everything to the $killList array so it will persistently kill what nuke kills (that much is done), then have a double-click to selectively remove items that nuke found. That should allow the same result as your suggestion.

I've been using KILLBOX in the past to kill the various bits I want to. Nuke should work in most cases. I was just thinking of a few situations that "I think" nuke would make worse. But it is a minority.

As for the keyboard shortcuts, WHEW, I'm a keyboard shortcut fanatic but can't even imagine how hard it would be to fight some nasty virii/spyware with keyboard only!! I'll ponder that one, but hopefully the persistent /nuke will serve the same purpose.

(Side-note, what about plugging in a USB mouse after you have noticed the problem? Hopefully Plug&Pray would get you a pointer going...)

I've had to do it before and it isn't fun, BUT there are a lot of keyboard shortcuts that help a lot.

The only thing you need to add is to be able to hit "Enter" to kill the selected item. The list is already navigable by keyboard; all that is missing is the select.


@storme: Multi killing will probably not work; unless they're suspended, they will still have time to discover what's happening since they are killed in sequence, not "all at once"... ...or maybe luck is on our side and they don't check fast enough... :mellow:

Most of the viruses I have run into don't restart the other parts immediately. This could be because they don't check fast enough (it is only a secondary function) or they delay the restart to confuse the virus removers (us).

So in most cases killing them quickly in sequence (i.e. selecting them all then killing them) in one cycle of the program should work.

HMMM, just a thought: as long as the virus doesn't have a "kill the computer if I'm messed with" function, just clicking on all the virus processes one at a time then letting PPK run should kill them all on subsequent passes.

So a multi select isn't really needed.


This is a very nice tool you have created! I am gonna definitely use parts of it in my maintenance tool. Thanks for sharing!


This is a very nice tool you have created! I am gonna definitely use parts of it in my maintenance tool. Thanks for sharing!

You're very welcome, I have a few new tricks I may update with shortly.

Thanks

Ian



Another pretty major update. Things you'll see this time around:

  • Nuke mode is persistent (adds to $killList)
  • Counters for running processes and processes to be killed
  • Double-clicking an item in "Processes to Kill" will remove it from the kill list

I also have stripped the PIDs from ProcessList() since I didn't filter by PID anyway, that allowed some convenience functions like _ArrayUnique and _ArrayBinarySearch to be used rather than having to code something like that myself.

As always there are things I'd love to add given the time, but this is a good update for now.

Enjoy

Ian



Another pretty major update. Things you'll see this time around:

Looking good. I've added this to my "box of tricks".

I can't report how it works "in practice" as I haven't had to use it yet.

But I know from experience that it will be handy.

Thanks

John Morrison

aka

Storm-E


Hi, this program is great. Do you mind if I use it and some of your code please?

Thanks


Drunken Frat-Boy Monkey Garbage


Hi, this program is great. Do you mind if I use it and some of your code please?

Thanks

Feel free, and if you make any helpful changes post them back so they can be included!

(One idea a coworker gave me recently was to add a function to not only kill the process but get the process's path and delete it - suspend and remove the malware in one shot! I have not put much time into that idea yet as I have too many other projects right now and would probably have to use some other process UDFs to pull it off, but may try some time soon, so check back on this thread periodically.)

Thanks

Ian



#17 ·  Posted (edited)

Thanks, I'll have a little go at your co-worker's idea myself.

EDIT: I've just found this and I believe it already finds a process's location

jamie

Edited by engjcowi


Hi

I've made a small addition to the program which has helped me out.

I added this to the GUI

$closeButton = GUICtrlCreateButton("Close", 85, 35, 50, 20)
$processgoogleButton = GUICtrlCreateButton("Google", 135, 35, 50, 20)
$processlibraryButton = GUICtrlCreateButton("Process Library", 5, 35, 80, 20)

and added this to the main loop under the close button code

If $msg = $processgoogleButton Then ShellExecute("http://www.google.com/search?hl=en&q=" & GUICtrlRead($liveProc) & "&btnG=Search")
If $msg = $processlibraryButton Then ShellExecute("http://www.processlibrary.com/search/?q=" & GUICtrlRead($liveProc))

This way, if you're unsure about the process, you can quickly search for it in either Google or Process Library.



Hi Guys

I've been working on finding the process's path and then being able to delete that process, and I'm nearly there. I've found the process, and found the process's command line if you want it; however, I just can't seem to delete the running process after it's been shut down. I'm probably missing something really simple, but it's been a long day. Anyway, I hope someone can help as I feel it's nearing its full potential :huh2:

Hope this is what you were after, Ian. I'll keep trying.

Credits to the following posts, which helped a lot

jamie

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Run_Tidy=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

;~ Coded by Ian Maxwell (llewxam)
;~ AutoIt 3.3.6.1
;~ Amended by Jamie Cowin
;~ Code for getting command line options from here http://www.autoitscript.com/forum/topic/88214-winapi-getcommandlinefrompid-from-any-process/
;~ Code for getting exe location from pid from here http://www.autoitscript.com/forum/topic/49888-find-the-path-of-a-exe-files-running-the-the-handlepid/

#include <WindowsConstants.au3>                     ;needed for $WS_CAPTION, $WS_VSCROLL, $WM_COMMAND
#include <array.au3>                                ;needed for _ArrayAdd, _ArrayDelete, _ArrayUnique, _ArraySort, _ArrayBinarySearch
#include <ProgressConstants.au3>                    ;needed for $PBS_SMOOTH, $PBS_MARQUEE
#include <GuiListBox.au3>                           ;needed for $LBS_NOTIFY, $LBS_SORT, $LBS_NOSEL, $GUI_RUNDEFMSG, _GUICtrlListBox_* functions
#include <WinAPI.au3>



_GetPrivilege_SEDEBUG() ; I need this for tricky processes. Not needed for most...

AdlibRegister("_Alive", 50)
AdlibRegister("_Scan")

$exceptionList = "PPK3.exe,[System Process],System,smss.exe,csrss.exe,wininit.exe,csrss.exe,services.exe,winlogon.exe,lsass.exe,lsm.exe,svchost.exe,atiesrxx.exe,audiodg.exe,CTAudSvc.exe,atieclxx.exe,spoolsv.exe,taskhost.exe,dwm.exe,explorer.exe,rundll32.exe,GoogleCrashHandler.exe,MOM.exe,CCC.exe,SearchIndexer.exe,wmpnetwk.exe,SearchProtocolHost.exe,SearchFilterHost.exe,dllhost.exe,mpcmdrun.exe,msiexec.exe,unsecapp.exe,vds.exe,WmiPrvSE.exe"
$exceptions = StringSplit($exceptionList, ",") ;list of what not to kill
Local $pList[1] ;list of running processes
$pListOld = $pList ;to compare a previous process list, so $liveProc is only updated if the process list changes
Local $killList[1] ;list of processes to kill
$liveProcCount = 0 ;tally of processes running
$killProcCount = 0 ;tally of processes to be killed
$killListTrimmed = False ;flag for detecting when $killList has been trimmed
$goNuclear = False ;flag set by /nuke command line switch
$started = False ;used in Nuke mode to avoid crashes due to no GUI


;check for and run nuke
If $CmdLine[0] Then ;many viruses/spyware apps suppress EXEs from running, nuke mode is meant to sneak
    For $c = 1 To $CmdLine[0] ;PPK in before it can be suppressed.  Just run "ppk /nuke" or "ppk nuke" repeatedly until it starts
        If StringLower($CmdLine[$c]) == "/nuke" Or StringLower($CmdLine[$c]) == "nuke" Then $goNuclear = True
    Next
EndIf
If $goNuclear == True Then
    $pListRaw = ProcessList()
    If @error Then
        MsgBox(48, "ERROR", "The process list could not be built!")
        Exit
    EndIf
    Local $pListTemp[1] ;used to get the list of running processes down to a 1-dimensional array
    For $a = 1 To $pListRaw[0][0]
        _ArrayAdd($pListTemp, $pListRaw[$a][0])
    Next
    _ArrayDelete($pListTemp, 0)
    $pList = _ArrayUnique($pListTemp)

    If $pList[0] > 0 Then
        Local $killList[1]
        For $a = 1 To $pList[0]
            For $b = 1 To $exceptions[0]
                If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
            Next
            _Execute($pList[$a])
            _ArrayAdd($killList, $pList[$a])
        Next
    EndIf
    _ArrayDelete($killList, 0)
    $goNuclear = False
EndIf


;configure GUI
$vert = ((@DesktopHeight - 80) / 3) - 40
$PPKGUI = GUICreate("Persistent Process Killer", 200, @DesktopHeight - 70, @DesktopWidth - 205, 0, $WS_CAPTION)
$alive = GUICtrlCreateProgress(5, 5, 190, 20, BitOR($PBS_SMOOTH, $PBS_MARQUEE)) ;just to let the user know the app is still running
$aliveStatus = 0
$closeButton = GUICtrlCreateButton("Close", 85, 25, 50, 20)
$processgoogleButton = GUICtrlCreateButton("Google", 135, 25, 50, 20)
$processlibraryButton = GUICtrlCreateButton("Process Library", 5, 25, 80, 20)
$processdeleteButton = GUICtrlCreateButton("Delete Process", 5, 45, 80, 20)
$processparamsButton = GUICtrlCreateButton("Process Parameters", 85, 45, 100, 20)

$liveProcLabel = GUICtrlCreateLabel("Running Processes:", 5, 65, 190)
$liveProc = GUICtrlCreateList("", 5, 80, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
$killProcLabel = GUICtrlCreateLabel("Processes to Kill:", 5, $vert + 85, 190)
$killProc = GUICtrlCreateList("", 5, $vert + 100, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
GUICtrlCreateLabel("Errors:", 5, $vert * 2 + 105)
$errors = GUICtrlCreateList("", 5, $vert * 2 + 120, 190, $vert, BitOR($WS_VSCROLL, $LBS_SORT, $LBS_NOSEL))
GUISetState(@SW_SHOW, $PPKGUI)
GUIRegisterMsg($WM_COMMAND, "_WM_COMMAND")
WinSetOnTop("Persistent Process Killer", "", 1)


;perform initial scan for running processes
$pListRaw = ProcessList()
If @error Then
    MsgBox(48, "ERROR", "The process list could not be built!")
    Exit
EndIf
Local $pListTemp[1]
For $a = 1 To $pListRaw[0][0]
    _ArrayAdd($pListTemp, $pListRaw[$a][0])
Next
_ArrayDelete($pListTemp, 0)
$pList = _ArrayUnique($pListTemp)

If $pList[0] > 0 Then
    For $a = 1 To $pList[0]
        For $b = 1 To $exceptions[0]
            If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
        Next
        GUICtrlSetData($liveProc, $pList[$a])
        $liveProcCount += 1
    Next
EndIf
GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)

For $a = 1 To UBound($killList) - 1
    GUICtrlSetData($killProc, $killList[$a])
    $killProcCount += 1
Next
GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)

$started = True ;now all GUI controls will be used


;main loop
Do
    $msg = GUIGetMsg()
    If $msg = $closeButton Then _Exit()
    If $msg = $processgoogleButton Then ShellExecute("http://www.google.com/search?hl=en&q=" & GUICtrlRead($liveProc) & "&btnG=Search")
    If $msg = $processlibraryButton Then ShellExecute("http://www.processlibrary.com/search/?q=" & GUICtrlRead($liveProc))
    If $msg = $processparamsButton Then Processparams()
    If $msg = $processdeleteButton Then DeleteProcess()

    ;
    ;
    For $a = 1 To UBound($killList) - 1

        ;placed this check at beginning and end of loop so when $killList is decreased an out-of-range error will be avoided
        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf

        If ProcessExists($killList[$a]) Then
            _Execute($killList[$a])
        EndIf

        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf
    Next
Until 1 = 2


Func _Scan()
    If $started == True Then
        $pListOld = $pList
        $pListRaw = ProcessList()
        If @error Then
            MsgBox(48, "ERROR", "The process list could not be built!")
            Exit
        EndIf

        Local $pListTemp[1]
        For $a = 1 To $pListRaw[0][0]
            _ArrayAdd($pListTemp, $pListRaw[$a][0])
        Next
        _ArrayDelete($pListTemp, 0)
        $pList = _ArrayUnique($pListTemp)

        If $pList[0] > 0 Then
            $refresh = False ;assume a refresh of $liveProc is not needed

            If $pList[0] <> $pListOld[0] Then
                $refresh = True ;different number of elements = refresh needed
            Else
                For $z = 1 To $pList[0]
                    If $pList[$z] <> $pListOld[$z] Then $refresh = True ;something is not matching up, so a refresh is needed
                Next
            EndIf

            If $refresh = True Then
                $liveProcCount = 0
                _GUICtrlListBox_BeginUpdate($liveProc)
                _GUICtrlListBox_ResetContent($liveProc)
                For $a = 1 To $pList[0]
                    For $b = 1 To $exceptions[0]
                        If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
                    Next
                    _GUICtrlListBox_AddString($liveProc, $pList[$a])
                    $liveProcCount += 1
                Next
                _GUICtrlListBox_EndUpdate($liveProc)
                GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)
            EndIf
        EndIf
    EndIf
    Return
EndFunc   ;==>_Scan


Func _Execute($victim)
    $killed = False
    $delay = TimerInit()
    Do
        ProcessClose($victim)
        If @error Then
            $status = @error
        Else
            $killed = True
            ExitLoop
        EndIf
        Sleep(50)
    Until TimerDiff($delay) > 1000

    If $killed = False Then
        If $started == True Then
            GUICtrlSetData($errors, $victim & " could not be killed! (" & $status & ")")
            _ArraySort($killList)
            $index = _ArrayBinarySearch($killList, $victim)
            _ArrayDelete($killList, $index)
            _GUICtrlListBox_BeginUpdate($killProc)
            _GUICtrlListBox_ResetContent($killProc)
            For $a = 1 To UBound($killList) - 1
                GUICtrlSetData($killProc, $killList[$a])
            Next
            _GUICtrlListBox_EndUpdate($killProc)
            $killProcCount -= 1
            GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
            $killListTrimmed = True
        EndIf
    EndIf
    Return
EndFunc   ;==>_Execute


Func _liveProc_DoubleClick()
    $sListItem = GUICtrlRead($liveProc)
    If $sListItem <> "" Then
        _ArrayAdd($killList, $sListItem)
        $killProcCount += 1
        GUICtrlSetData($killProc, $sListItem)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
    EndIf
    Return
EndFunc   ;==>_liveProc_DoubleClick


Func _killProc_DoubleClick()
    $sListItem = GUICtrlRead($killProc)
    If $sListItem <> "" Then
        $killProcCount = 0
        _ArraySort($killList)
        $index = _ArrayBinarySearch($killList, $sListItem)
        _ArrayDelete($killList, $index)
        _GUICtrlListBox_BeginUpdate($killProc)
        _GUICtrlListBox_ResetContent($killProc)
        For $a = 1 To UBound($killList) - 1
            GUICtrlSetData($killProc, $killList[$a])
            $killProcCount += 1
        Next
        _GUICtrlListBox_EndUpdate($killProc)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
        $killListTrimmed = True
    EndIf
    Return
EndFunc   ;==>_killProc_DoubleClick


Func _WM_COMMAND($hWnd, $msg, $wParam, $lParam)
    Local $nNotifyCode = BitShift($wParam, 16)
    Local $nID = BitAND($wParam, 0xFFFF)
    Local Const $LBN_DBLCLK = 2

    Switch $nID
        Case $liveProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _liveProc_DoubleClick()
            EndSwitch
        Case $killProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _killProc_DoubleClick()
            EndSwitch
    EndSwitch
    Return $GUI_RUNDEFMSG
EndFunc   ;==>_WM_COMMAND


Func _Alive()
    If $started = True Then
        $aliveStatus += 2
        If $aliveStatus > 102 Then $aliveStatus = 0
        GUICtrlSetData($alive, $aliveStatus)
    EndIf
    Return
EndFunc   ;==>_Alive


Func _Exit()
    $reallyQuit = MsgBox(4, "Quit?", "Are you sure you want to quit?")
    If $reallyQuit = 6 Then Exit
    Return
EndFunc   ;==>_Exit


Func Processparams()
    $filecom = GUICtrlRead($liveProc)
    $list = ProcessList($filecom)
    If @error Or $list[0][0] = 0 Then ;the process may have exited between the last scan and the click
        MsgBox(48, "Parameters", $filecom & " is not running")
        Return
    EndIf
    ;only the first PID of that name is examined
    MsgBox(4096, "Parameters", _WinAPI_GetCommandLineFromPID($list[1][1])) ;get parameters
    Return
EndFunc   ;==>Processparams

Func DeleteProcess()
    $delfile = GUICtrlRead($liveProc) ;taken from the live list; could be switched to the kill list to be safer and drop the ProcessClose in this func
    ConsoleWrite($delfile & @LF)
    $list = ProcessList($delfile)
    If @error Or $list[0][0] = 0 Then
        ConsoleWrite("Process Not Running" & @LF)
        Return
    EndIf
    $pid = $list[1][1] ;only the first PID of that name is handled

    ;resolve the image path BEFORE closing, the WMI record disappears with the process
    $filetodelete = _WinGetPath($pid)
    ConsoleWrite($filetodelete & @LF)

    If $filetodelete = "" Then
        ConsoleWrite("No Path Found" & @LF)
    Else
        ConsoleWrite("Path Found Closing and Deleting Process" & @LF)
        ProcessClose($pid)
        ;ProcessClose returns as soon as the terminate request is sent; the EXE stays locked
        ;until the process is really gone, so wait for it (up to 5 seconds) before deleting
        If Not ProcessWaitClose($pid, 5) Then
            ConsoleWrite("Process Still Running, Not Deleting" & @LF)
            Return
        EndIf
        ;FileDelete returns 0 on failure and does not set @error, so test the return value
        If FileDelete($filetodelete) = 0 Then
            ConsoleWrite("Cannot Delete" & @LF)
        Else
            ConsoleWrite("Deleted " & $filetodelete & @LF)
        EndIf
    EndIf
    Return
EndFunc   ;==>DeleteProcess


;Gets Path via PID
Func _WinGetPath($PID = "")
    $objWMIService = ObjGet("winmgmts:\\" & @ComputerName & "\root\CIMV2")
    If Not IsObj($objWMIService) Then Return "" ;WMI unavailable, treat as "no path"
    $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Process WHERE ProcessId = " & $PID, "WQL", _
            0x10 + 0x20)
    If IsObj($colItems) Then
        For $objItem In $colItems
            If $objItem.ExecutablePath Then Return $objItem.ExecutablePath
        Next
    EndIf
    Return "" ;no record, or no ExecutablePath (e.g. System, or access denied)
EndFunc   ;==>_WinGetPath

;Reads the command line out of the target's PEB. The offsets below (PEB+0x10 = ProcessParameters,
;ProcessParameters+0x40 = CommandLine) are for 32-bit processes on Win XP / Vista, as in the forum
;topic referenced above; they are not valid for 64-bit targets.
Func _WinAPI_GetCommandLineFromPID($PID)
    ;PROCESS_VM_READ (0x0010) + PROCESS_QUERY_INFORMATION (0x0400), written out so no extra include is needed
    $ret1 = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', 0x0410, 'int', False, 'int', $PID)
    If @error Or $ret1[0] = 0 Then Return "Could not open process (access denied or already exited)"
    $tag_PROCESS_BASIC_INFORMATION = "int ExitStatus;" & _
            "ptr PebBaseAddress;" & _
            "ptr AffinityMask;" & _
            "ptr BasePriority;" & _
            "ulong UniqueProcessId;" & _
            "ulong InheritedFromUniqueProcessId;"
    $PBI = DllStructCreate($tag_PROCESS_BASIC_INFORMATION)
    DllCall("ntdll.dll", "int", "ZwQueryInformationProcess", "hwnd", $ret1[0], "int", 0, "ptr", DllStructGetPtr($PBI), "int", _
            DllStructGetSize($PBI), "int", 0)
    $dw = DllStructCreate("ptr")
    DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $ret1[0], _
            "ptr", DllStructGetData($PBI, 2) + 0x10, _ ; PebBaseAddress+16 bytes <-- ptr _PROCESS_PARAMETERS
            "ptr", DllStructGetPtr($dw), "int", 4, "ptr", 0)
    $unicode_string = DllStructCreate("ushort Length;ushort MaxLength;ptr String")
    DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $ret1[0], _
            "ptr", DllStructGetData($dw, 1) + 0x40, _ ; _PROCESS_PARAMETERS+64 bytes <-- ptr CommandLine Offset (UNICODE_STRING struct) - Win XP / Vista.
            "ptr", DllStructGetPtr($unicode_string), "int", DllStructGetSize($unicode_string), "ptr", 0)
    $ret = DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $ret1[0], _
            "ptr", DllStructGetData($unicode_string, "String"), _ ; <-- ptr Commandline Unicode String
            "wstr", 0, "int", DllStructGetData($unicode_string, "Length") + 2, "int*", 0) ; read Length + terminating NULL (2 bytes in unicode)
    DllCall("kernel32.dll", 'int', 'CloseHandle', "hwnd", $ret1[0])
    ConsoleWrite($ret[3] & @LF)
    If $ret[5] Then Return $ret[3] ; If bytes were returned, return the command line...
    Return "Program run with no Parameters" ; Getting an empty string is correct behaviour when there is no command line to be had...
EndFunc   ;==>_WinAPI_GetCommandLineFromPID

; ####################### Below Func is Part of example - Needed to get commandline from more processes. ############
; ####################### Thanks for this function, wraithdu! (Didn't know it was yours.) :) ########################

Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $iSePrivEnabled = 0x2 ; SE_PRIVILEGE_ENABLED, written out so Security.au3 is not required
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    If @error Or $call[0] = 0 Then Return False ; could not open our own token
    Local $hToken = $call[3]
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", Chr(0), "str", "SeDebugPrivilege", "int64*", "")
    ;msgbox(0,"",$call[3] & " " & _WinAPI_GetLastErrorMessage())
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $iSePrivEnabled)
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    Local $bOK = ($call[0] <> 0) ; $call[0] <> 0 is success (the privilege must already be in the token, i.e. run as admin)
    _WinAPI_CloseHandle($hToken)
    Return $bOK
EndFunc   ;==>_GetPrivilege_SEDEBUG

Drunken Frat-Boy Monkey Garbage

Share this post


Link to post
Share on other sites
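Added example for the "get the path and delete it" idea discussed above (my code, not PPK3's and not Jamie's): it handles every instance of a name, not just the first PID, reads ExecutablePath and CommandLine from Win32_Process instead of walking the 32-bit PEB, and waits for each process to actually exit before touching the file. `$aProtected` is a constructed short form of PPK3's exception list; closing other users' processes still needs an elevated token.

```autoit
; Added example, not code from PPK3 or from Jamie's post.
#include <Array.au3>

; constructed short form of PPK3's $exceptionList: names here are never closed or deleted
Global $aProtected = StringSplit("PPK3.exe,System,smss.exe,csrss.exe,wininit.exe,services.exe,winlogon.exe,lsass.exe,svchost.exe,explorer.exe", ",")

; Returns a 2D array laid out like ProcessList(): [0][0] = count, then [n][0] = PID,
; [n][1] = ExecutablePath, [n][2] = CommandLine. @error is set when WMI is unavailable.
Func _ProcessInfoByName($sName)
    Local $aOut[1][3] = [[0, "", ""]]
    Local $oWMI = ObjGet("winmgmts:\\" & @ComputerName & "\root\CIMV2")
    If Not IsObj($oWMI) Then Return SetError(1, 0, $aOut)
    Local $sSafe = StringReplace($sName, "'", "\'") ;a quote in the name would break the WQL string
    Local $oItems = $oWMI.ExecQuery("SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process WHERE Name = '" & $sSafe & "'", "WQL", 0x10 + 0x20)
    If Not IsObj($oItems) Then Return SetError(2, 0, $aOut)
    For $oItem In $oItems
        $aOut[0][0] += 1
        ReDim $aOut[$aOut[0][0] + 1][3]
        $aOut[$aOut[0][0]][0] = Number($oItem.ProcessId)
        $aOut[$aOut[0][0]][1] = String($oItem.ExecutablePath) ;empty for System or when access is denied
        $aOut[$aOut[0][0]][2] = String($oItem.CommandLine)
    Next
    Return $aOut
EndFunc   ;==>_ProcessInfoByName

; Closes every running instance of $sName, waits up to $iTimeout seconds for each PID to vanish,
; then deletes each distinct image path. Returns a log string; @error is non-zero if anything failed.
Func _CloseAndRemove($sName, $iTimeout = 5)
    For $i = 1 To $aProtected[0]
        If StringLower($sName) == StringLower($aProtected[$i]) Then Return SetError(1, 0, $sName & ": protected, not touched")
    Next
    Local $aInfo = _ProcessInfoByName($sName)
    If @error Then Return SetError(2, 0, $sName & ": WMI query failed")
    If $aInfo[0][0] = 0 Then Return $sName & ": not running"

    Local $sLog = "", $bFailed = False
    Local $aPaths[1] = [0] ;distinct image paths, [0] = count
    For $i = 1 To $aInfo[0][0]
        Local $iPid = $aInfo[$i][0], $sPath = $aInfo[$i][1]
        $sLog &= "PID " & $iPid & " [" & $aInfo[$i][2] & "]" & @CRLF
        ProcessClose($iPid)
        ;ProcessClose returns before the process is gone, and the EXE stays locked until then
        If Not ProcessWaitClose($iPid, $iTimeout) Then
            $sLog &= "  still running after " & $iTimeout & "s, file left in place" & @CRLF
            $bFailed = True
            ContinueLoop
        EndIf
        If $sPath <> "" And _ArraySearch($aPaths, $sPath, 1) = -1 Then
            _ArrayAdd($aPaths, $sPath)
            $aPaths[0] += 1
        EndIf
    Next
    For $i = 1 To $aPaths[0]
        ;FileDelete returns 0 on failure and does not set @error, so test the return value
        If FileDelete($aPaths[$i]) Then
            $sLog &= "deleted " & $aPaths[$i] & @CRLF
        Else
            $sLog &= "could not delete " & $aPaths[$i] & " (permissions or still mapped)" & @CRLF
            $bFailed = True
        EndIf
    Next
    If $bFailed Then Return SetError(3, 0, $sLog)
    Return $sLog
EndFunc   ;==>_CloseAndRemove

; usage: pass the process name on the command line, e.g.  script.au3 suspect.exe  (name is a placeholder)
If $CmdLine[0] = 1 Then ConsoleWrite(_CloseAndRemove($CmdLine[1]) & @CRLF)
```

Because the path is resolved before the process is closed and the delete only runs after ProcessWaitClose succeeds, the "file still in use" failure from the post above cannot occur silently; it shows up in the log instead.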

Hi Guys

Ive been working on finding the process's path and then be able to delete that process and im nearly there. Ive found the process, found the process's command line if you so want it however i just cant seem to delete the running process after its been shut down. Im probably missing something really simple but its been a long day. Anyway i hope someone can help as i feel its nearing its full potential :huh2:

Hope this is what you were after Ian. Ill keep trying

Credits to the following posts which helped ALOT

jamie

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Run_Tidy=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

;~ Coded by Ian Maxwell (llewxam)
;~ AutoIt 3.3.6.1
;~ Amended by Jamie Cowin
;~ Code for getting command line options from here http://www.autoitscript.com/forum/topic/88214-winapi-getcommandlinefrompid-from-any-process/
;~ Code for getting exe location from pid from here http://www.autoitscript.com/forum/topic/49888-find-the-path-of-a-exe-files-running-the-the-handlepid/

#include <WindowsConstants.au3>                     ;needed for $WS_CAPTION, $WS_VSCROLL, $WM_COMMAND
#include <array.au3>                                ;needed for _ArrayAdd, _ArrayDelete, _ArrayUnique, _ArraySort, _ArrayBinarySearch
#include <ProgressConstants.au3>                    ;needed for $PBS_SMOOTH, $PBS_MARQUEE
#include <GuiListBox.au3>                           ;needed for $LBS_NOTIFY, $LBS_SORT, $LBS_NOSEL, $GUI_RUNDEFMSG, _GUICtrlListBox_* functions
#include <WinAPI.au3>



_GetPrivilege_SEDEBUG() ; I need this for tricky processes. Not needed for most...

AdlibRegister("_Alive", 50)
AdlibRegister("_Scan")

$exceptionList = "PPK3.exe,[System Process],System,smss.exe,csrss.exe,wininit.exe,csrss.exe,services.exe,winlogon.exe,lsass.exe,lsm.exe,svchost.exe,atiesrxx.exe,audiodg.exe,CTAudSvc.exe,atieclxx.exe,spoolsv.exe,taskhost.exe,dwm.exe,explorer.exe,rundll32.exe,GoogleCrashHandler.exe,MOM.exe,CCC.exe,SearchIndexer.exe,wmpnetwk.exe,SearchProtocolHost.exe,SearchFilterHost.exe,dllhost.exe,mpcmdrun.exe,msiexec.exe,unsecapp.exe,vds.exe,WmiPrvSE.exe"
$exceptions = StringSplit($exceptionList, ",") ;list of what not to kill
Local $pList[1] ;list of running processes
$pListOld = $pList ;to compare a previous process list, so $liveProc is only updated if the process list changes
Local $killList[1] ;list of processes to kill
$liveProcCount = 0 ;tally of processes running
$killProcCount = 0 ;tally of processes to be killed
$killListTrimmed = False ;flag for detecting when $killList has been trimmed
$goNuclear = False ;flag set by /nuke command line switch
$started = False ;used in Nuke mode to avoid crashes due to no GUI


;check for and run nuke
If $CmdLine[0] Then ;many viruses/spyware apps suppress EXEs from running, nuke mode is meant to sneak
    For $c = 1 To $CmdLine[0] ;PPK in before it can be suppressed.  Just run "ppk /nuke" or "ppk nuke" repeatedly until it starts
        If StringLower($CmdLine[$c]) == "/nuke" Or StringLower($CmdLine[$c]) == "nuke" Then $goNuclear = True
    Next
EndIf
If $goNuclear == True Then
    $pListRaw = ProcessList()
    If @error Then
        MsgBox(48, "ERROR", "The process list could not be built!")
        Exit
    EndIf
    Local $pListTemp[1] ;used to get the list of running processes down to a 1-dimensional array
    For $a = 1 To $pListRaw[0][0]
        _ArrayAdd($pListTemp, $pListRaw[$a][0])
    Next
    _ArrayDelete($pListTemp, 0)
    $pList = _ArrayUnique($pListTemp)

    If $pList[0] > 0 Then
        Local $killList[1]
        For $a = 1 To $pList[0]
            For $b = 1 To $exceptions[0]
                If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
            Next
            _Execute($pList[$a])
            _ArrayAdd($killList, $pList[$a])
        Next
    EndIf
    _ArrayDelete($killList, 0)
    $goNuclear = False
EndIf


;configure GUI
$vert = ((@DesktopHeight - 80) / 3) - 40
$PPKGUI = GUICreate("Persistent Process Killer", 200, @DesktopHeight - 70, @DesktopWidth - 205, 0, $WS_CAPTION)
$alive = GUICtrlCreateProgress(5, 5, 190, 20, BitOR($PBS_SMOOTH, $PBS_MARQUEE)) ;just to let the user know the app is still running
$aliveStatus = 0
$closeButton = GUICtrlCreateButton("Close", 85, 25, 50, 20)
$processgoogleButton = GUICtrlCreateButton("Google", 135, 25, 50, 20)
$processlibraryButton = GUICtrlCreateButton("Process Library", 5, 25, 80, 20)
$processdeleteButton = GUICtrlCreateButton("Delete Process", 5, 45, 80, 20)
$processparamsButton = GUICtrlCreateButton("Process Parameters", 85, 45, 100, 20)

$liveProcLabel = GUICtrlCreateLabel("Running Processes:", 5, 65, 190)
$liveProc = GUICtrlCreateList("", 5, 80, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
$killProcLabel = GUICtrlCreateLabel("Processes to Kill:", 5, $vert + 85, 190)
$killProc = GUICtrlCreateList("", 5, $vert + 100, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
GUICtrlCreateLabel("Errors:", 5, $vert * 2 + 105)
$errors = GUICtrlCreateList("", 5, $vert * 2 + 120, 190, $vert, BitOR($WS_VSCROLL, $LBS_SORT, $LBS_NOSEL))
GUISetState(@SW_SHOW, $PPKGUI)
GUIRegisterMsg($WM_COMMAND, "_WM_COMMAND")
WinSetOnTop("Persistent Process Killer", "", 1)


;perform initial scan for running processes
$pListRaw = ProcessList()
If @error Then
    MsgBox(48, "ERROR", "The process list could not be built!")
    Exit
EndIf
Local $pListTemp[1]
For $a = 1 To $pListRaw[0][0]
    _ArrayAdd($pListTemp, $pListRaw[$a][0])
Next
_ArrayDelete($pListTemp, 0)
$pList = _ArrayUnique($pListTemp)

If $pList[0] > 0 Then
    For $a = 1 To $pList[0]
        For $b = 1 To $exceptions[0]
            If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
        Next
        GUICtrlSetData($liveProc, $pList[$a])
        $liveProcCount += 1
    Next
EndIf
GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)

For $a = 1 To UBound($killList) - 1
    GUICtrlSetData($killProc, $killList[$a])
    $killProcCount += 1
Next
GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)

$started = True ;now all GUI controls will be used


;main loop
Do
    $msg = GUIGetMsg()
    If $msg = $closeButton Then _Exit()
    If $msg = $processgoogleButton Then ShellExecute("http://www.google.com/search?hl=en&q=" & GUICtrlRead($liveProc) & "&btnG=Search")
    If $msg = $processlibraryButton Then ShellExecute("http://www.processlibrary.com/search/?q=" & GUICtrlRead($liveProc))
    If $msg = $processparamsButton Then Processparams()
    If $msg = $processdeleteButton Then DeleteProcess()

    ;
    ;
    For $a = 1 To UBound($killList) - 1

        ;placed this check at beginning and end of loop so when $killList is decreased an out-of-range error will be avoided
        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf

        If ProcessExists($killList[$a]) Then
            _Execute($killList[$a])
        EndIf

        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf
    Next
Until 1 = 2


Func _Scan()
    If $started == True Then
        $pListOld = $pList
        $pListRaw = ProcessList()
        If @error Then
            MsgBox(48, "ERROR", "The process list could not be built!")
            Exit
        EndIf

        Local $pListTemp[1]
        For $a = 1 To $pListRaw[0][0]
            _ArrayAdd($pListTemp, $pListRaw[$a][0])
        Next
        _ArrayDelete($pListTemp, 0)
        $pList = _ArrayUnique($pListTemp)

        If $pList[0] > 0 Then
            $refresh = False ;assume a refresh of $liveProc is not needed

            If $pList[0] <> $pListOld[0] Then
                $refresh = True ;different number of elements = refresh needed
            Else
                For $z = 1 To $pList[0]
                    If $pList[$z] <> $pListOld[$z] Then $refresh = True ;something is not matching up, so a refresh is needed
                Next
            EndIf

            If $refresh = True Then
                $liveProcCount = 0
                _GUICtrlListBox_BeginUpdate($liveProc)
                _GUICtrlListBox_ResetContent($liveProc)
                For $a = 1 To $pList[0]
                    For $b = 1 To $exceptions[0]
                        If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
                    Next
                    _GUICtrlListBox_AddString($liveProc, $pList[$a])
                    $liveProcCount += 1
                Next
                _GUICtrlListBox_EndUpdate($liveProc)
                GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)
            EndIf
        EndIf
    EndIf
    Return
EndFunc   ;==>_Scan


Func _Execute($victim)
    $killed = False
    $delay = TimerInit()
    Do
        ProcessClose($victim)
        If @error Then
            $status = @error
        Else
            $killed = True
            ExitLoop
        EndIf
        Sleep(50)
    Until TimerDiff($delay) > 1000

    If $killed = False Then
        If $started == True Then
            GUICtrlSetData($errors, $victim & " could not be killed! (" & $status & ")")
            _ArraySort($killList)
            $index = _ArrayBinarySearch($killList, $victim)
            _ArrayDelete($killList, $index)
            _GUICtrlListBox_BeginUpdate($killProc)
            _GUICtrlListBox_ResetContent($killProc)
            For $a = 1 To UBound($killList) - 1
                GUICtrlSetData($killProc, $killList[$a])
            Next
            _GUICtrlListBox_EndUpdate($killProc)
            $killProcCount -= 1
            GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
            $killListTrimmed = True
        EndIf
    EndIf
    Return
EndFunc   ;==>_Execute


Func _liveProc_DoubleClick()
    $sListItem = GUICtrlRead($liveProc)
    If $sListItem <> "" Then
        _ArrayAdd($killList, $sListItem)
        $killProcCount += 1
        GUICtrlSetData($killProc, $sListItem)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
    EndIf
    Return
EndFunc   ;==>_liveProc_DoubleClick


Func _killProc_DoubleClick()
    $sListItem = GUICtrlRead($killProc)
    If $sListItem <> "" Then
        $killProcCount = 0
        _ArraySort($killList)
        $index = _ArrayBinarySearch($killList, $sListItem)
        _ArrayDelete($killList, $index)
        _GUICtrlListBox_BeginUpdate($killProc)
        _GUICtrlListBox_ResetContent($killProc)
        For $a = 1 To UBound($killList) - 1
            GUICtrlSetData($killProc, $killList[$a])
            $killProcCount += 1
        Next
        _GUICtrlListBox_EndUpdate($killProc)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
        $killListTrimmed = True
    EndIf
    Return
EndFunc   ;==>_killProc_DoubleClick


Func _WM_COMMAND($hWnd, $msg, $wParam, $lParam)
    Local $nNotifyCode = BitShift($wParam, 16)
    Local $nID = BitAND($wParam, 0xFFFF)
    Local Const $LBN_DBLCLK = 2

    Switch $nID
        Case $liveProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _liveProc_DoubleClick()
            EndSwitch
        Case $killProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _killProc_DoubleClick()
            EndSwitch
    EndSwitch
    Return $GUI_RUNDEFMSG
EndFunc   ;==>_WM_COMMAND


Func _Alive()
    If $started = True Then
        $aliveStatus += 2
        If $aliveStatus > 102 Then $aliveStatus = 0
        GUICtrlSetData($alive, $aliveStatus)
    EndIf
    Return
EndFunc   ;==>_Alive


Func _Exit()
    $reallyQuit = MsgBox(4, "Quit?", "Are you sure you want to quit?")
    If $reallyQuit = 6 Then Exit
    Return
EndFunc   ;==>_Exit


Func Processparams()
    $filecom = GUICtrlRead($liveProc)
    $list = ProcessList($filecom) ; [0][0] = number of matches, [n][1] = PID of match n
    If $list[0][0] = 0 Then ; nothing selected, or the process is already gone
        MsgBox(4096, "Parameters", "Process " & $filecom & " is not running")
        Return
    EndIf
    ; several instances of the same image share a name; only the first PID is inspected
    MsgBox(4096, "Parameters", _WinAPI_GetCommandLineFromPID($list[1][1])) ;get parameters
EndFunc   ;==>Processparams

Func DeleteProcess()
    $delfile = GUICtrlRead($liveProc) ; could change to the killproc list to maybe make safer and get rid of processclose in this func ?????

    ConsoleWrite($delfile & @LF)
    $list = ProcessList($delfile)
    For $i = 1 To $list[0][0]
        ;MsgBox(0, $list[$i][0], $list[$i][1])
    Next
    ;ConsoleWrite($list[1][1] & @LF)

    $filetodelete = _WinGetPath($list[1][1])
    ConsoleWrite($filetodelete & @LF)

    If $filetodelete = "" Then
        ConsoleWrite("No Path Found" & @LF)
    Else
        ConsoleWrite("Path Found Closing and Deleting Process" & @LF)
        ProcessClose($delfile)
        FileDelete($filetodelete)
        If @error = 0 Then ConsoleWrite("Cannot Delete" & @LF)
    EndIf



EndFunc   ;==>DeleteProcess


;Gets Path via PID
Func _WinGetPath($PID = "")
    Local $objWMIService = ObjGet("winmgmts:\\" & @ComputerName & "\root\CIMV2")
    If Not IsObj($objWMIService) Then Return "" ; WMI not available
    Local $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Process WHERE ProcessId = " & $PID, "WQL", _
            0x10 + 0x20) ; wbemFlagReturnImmediately + wbemFlagForwardOnly
    If IsObj($colItems) Then
        For $objItem In $colItems
            If $objItem.ExecutablePath Then Return $objItem.ExecutablePath
        Next
    EndIf
    Return "" ; no such PID, or the path is not readable from this account (e.g. a system process)
EndFunc   ;==>_WinGetPath

; Reads the command line out of the target's PEB. The offsets used below (PEB+0x10 = ProcessParameters,
; RTL_USER_PROCESS_PARAMETERS+0x40 = CommandLine) and the 4-byte pointer reads are the 32-bit layout;
; a 64-bit target is not read correctly. $PROCESS_VM_READ / $PROCESS_QUERY_INFORMATION come from the
; standard AutoIt WinAPI UDF, which has to be #included at the top of the script.
Func _WinAPI_GetCommandLineFromPID($PID)
    $ret1 = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', $PROCESS_VM_READ + $PROCESS_QUERY_INFORMATION, 'int', False, 'int', $PID)
    If @error Or $ret1[0] = 0 Then Return "Could not open process " & $PID ; no such PID, or access denied (see _GetPrivilege_SEDEBUG)
    $tag_PROCESS_BASIC_INFORMATION = "int ExitStatus;" & _
            "ptr PebBaseAddress;" & _
            "ptr AffinityMask;" & _
            "ptr BasePriority;" & _
            "ulong UniqueProcessId;" & _
            "ulong InheritedFromUniqueProcessId;"
    $PBI = DllStructCreate($tag_PROCESS_BASIC_INFORMATION)
    ; information class 0 = ProcessBasicInformation, which carries the PEB address
    DllCall("ntdll.dll", "int", "ZwQueryInformationProcess", "hwnd", $ret1[0], "int", 0, "ptr", DllStructGetPtr($PBI), "int", _
            DllStructGetSize($PBI), "int", 0)
    $dw = DllStructCreate("ptr")
    DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $ret1[0], _
            "ptr", DllStructGetData($PBI, 2) + 0x10, _ ; PebBaseAddress+16 bytes <-- ptr _PROCESS_PARAMETERS
            "ptr", DllStructGetPtr($dw), "int", 4, "ptr", 0)
    $unicode_string = DllStructCreate("ushort Length;ushort MaxLength;ptr String")
    DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $ret1[0], _
            "ptr", DllStructGetData($dw, 1) + 0x40, _ ; _PROCESS_PARAMETERS+64 bytes <-- ptr CommandLine Offset (UNICODE_STRING struct) - Win XP / Vista.
            "ptr", DllStructGetPtr($unicode_string), "int", DllStructGetSize($unicode_string), "ptr", 0)
    $ret = DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $ret1[0], _
            "ptr", DllStructGetData($unicode_string, "String"), _ ; <-- ptr Commandline Unicode String
            "wstr", 0, "int", DllStructGetData($unicode_string, "Length") + 2, "int*", 0) ; read Length + terminating NULL (2 bytes in unicode)
    $readErr = @error ; remember it, the CloseHandle call below overwrites @error
    DllCall("kernel32.dll", 'int', 'CloseHandle', "hwnd", $ret1[0])
    If $readErr Then Return "Could not read command line" ; the DllCall itself failed
    If $ret[5] Then Return $ret[3] ; If bytes returned, return commandline...
    Return "Program run with no Parameters" ; Getting empty string is correct behaviour when there is no commandline to be had...
EndFunc   ;==>_WinAPI_GetCommandLineFromPID

; ####################### Below Func is Part of example - Needed to get commandline from more processes. ############
; ####################### Thanks for this function, wraithdu! (Didn't know it was yours.) :) ########################

; Enables SeDebugPrivilege on our own token so OpenProcess succeeds on processes owned by other
; accounts. The privilege must already be present (disabled) in the token, which is the case for an
; elevated administrator; a standard user cannot gain it this way. Needs _WinAPI_GetCurrentProcess /
; _WinAPI_GetLastError (WinAPI UDF) and $SE_PRIVILEGE_ENABLED (Security constants UDF).
Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    If @error Or $call[0] = 0 Then Return False
    Local $hToken = $call[3]
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "ptr", 0, "str", "SeDebugPrivilege", "int64*", "") ; NULL system name = local machine
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    ; AdjustTokenPrivileges returns non-zero even when the privilege was NOT granted; that case is
    ; only visible through GetLastError = ERROR_NOT_ALL_ASSIGNED (1300)
    Local $iErr = _WinAPI_GetLastError()
    DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $hToken)
    Return ($call[0] <> 0 And $iErr <> 1300) ; True only if the privilege is really enabled now
EndFunc   ;==>_GetPrivilege_SEDEBUG

Very nice work! ;)

The problem you were having was you weren't giving the ProcessClose enough time to do its job before the FileDelete kicked in. I made a tiny tweak:

Func DeleteProcess()
    $delfile = GUICtrlRead($liveProc) ; could change to the killproc list to maybe make safer and get rid of processclose in this func ?????

    ConsoleWrite($delfile & @LF)
    $list = ProcessList($delfile) ; [0][0] = number of matches, [1][1] = PID of the first one
    If $list[0][0] = 0 Then
        ConsoleWrite("Process not running" & @LF)
        Return
    EndIf

    $filetodelete = _WinGetPath($list[1][1])
    ConsoleWrite($filetodelete & @LF)

    If $filetodelete = "" Then
        ConsoleWrite("No Path Found" & @LF)
    Else
        ConsoleWrite("Path Found Closing and Deleting Process" & @LF)
        ProcessClose($delfile)
        ; the image file stays locked until the process has really gone, so wait (up to 10 s) before deleting it
        If ProcessWaitClose($delfile, 10) Then
            ; FileDelete reports failure through its return value (0); it does not set @error
            If Not FileDelete($filetodelete) Then ConsoleWrite("Cannot Delete" & @LF)
        Else
            ConsoleWrite("Process did not exit, file not deleted" & @LF)
        EndIf
    EndIf
EndFunc   ;==>DeleteProcess

This one worked fine - at least on my non-virus-infected computer!! :alien:

Thanks a lot for doing this, I will do a little more tweaking and include the changes in an update!

Ian

