Kill all Process except system processes?

[Danyfirex]

Hi mates. i looking for a way to kill all processes excluding those necessary for the system.

Maybe comparing a list of necessaries procsses but I don't find the way.

I'm may mind I thing something like this:

Local $list = ProcessList()
For $i = 1 To $list[0][0]
if  $list[$i][0] <> ;how put here my processes list to be exclude.
else
exit loop
endif
Next

[BrewManNH]

Why would you want to do this? How do you plan on determining which processes are necessary and which aren't? This doesn't seem like a well thought out plan at this stage. If you do this, here's a partial list of things that could happen

• you completely corrupt some file that is being written to by the process you just killed,
• you trash the registry,
• the computer blue screens/reboots/shuts down,
• you make the system unbootable afterwards because of one of the above

Are you really sure you want to do this?

[Danyfirex]

I am developing an application to remove malware, and I need to kill all processes to eliminate the virus more efficiently. I have the list of processes needed for the system but I can not do that function.

[BrewManNH]

Reboot in safe mode, it's is far and away a lot easier.

[Danyfirex]

Yes I know. But sometimes malwares does not let us start on safe mode. for that I need this funtion to be able to run the code even on normal mode killing all processes to prevent crash the system and the script work correctly

Sorry for my bad english.

I make this script, but I'm not sure if is the best way.

local $p[4]; list of system processes necesary "Example"
$p[0] = "chrome.exe"
$p[1] = "svchost.exe"
$p[2] ="csrss.exe"
$p[3] ="system.exe"


Local $list = ProcessList()
For $i = 1 To $list[0][0]
for $a = 0 to 3
If $list[$i][0] <> $p[$a] Then
;here script to kill
Else
MsgBox(0, $list[$i][0], "Igual")
EndIf
Next
next

Edited June 28, 2012 by Danyfirex

[AZJIO]

Danyfirex

[Danyfirex]

thank you BrewManNH

thank you AZJIO for the script I'll look it.

Edited June 28, 2012 by Danyfirex

[Skitty]

Just throwing this out there.

Here's an array I used in my unlocker script in my signature.

I had the need to avoid duping handles in system critical processes (which was not necessary).

I initially attempted to determine what processes had the "system Critical" attribute (I.E., processes that have made a call to SetProcessIsCritical) set but dropped it in favor of a simpler and more accurate array of known process names.

Global Const $Critical[13] = [ _; things to ignore
        'winlogon.exe', _
        'services.exe', _
        'csrss.exe', _
        'smss.exe', _
        'lsass.exe', _
        'alg.exe', _
        'svchost.exe', _
        'spoolsv.exe', _
        'wdfmgr.exe', _
        'dwm.exe', _
        'logonui.exe', _
        'wininit.exe', _
        'lsm.exe' _
        ]

[Danyfirex]

thank you ApudAngelorum

[Boss007]

Just throwing this out there.

Here's an array I used in my unlocker script in my signature.

I had the need to avoid duping handles in system critical processes (which was not necessary).

I initially attempted to determine what processes had the "system Critical" attribute (I.E., processes that have made a call to SetProcessIsCritical) set but dropped it in favor of a simpler and more accurate array of known process names.

Global Const $Critical[13] = [ _; things to ignore
'winlogon.exe', _
'services.exe', _
'csrss.exe', _
'smss.exe', _
'lsass.exe', _
'alg.exe', _
'svchost.exe', _
'spoolsv.exe', _
'wdfmgr.exe', _
'dwm.exe', _
'logonui.exe', _
'wininit.exe', _
'lsm.exe' _
]

. I have been removing malware manualy for quite some time.I always kill all local and network events of svchost.exe

and then kill all non critical system events of svchost, which is normally but not always identifiable by size there is only 1 critical system event of svchost.exe instance that should not be killed, the one with the largest memory usage.This svchost normally identifies first allocation of services which always goes to microsoft o/s. svchost services are triggered by processes that are running on the host machine. it does not reveal which process has triggered it off.There are many viruses that use svchost as a mask.svchost is only a generic name for many services that run from the dll libraries and it is common to have many instances of it running ,hence the elimination process.. If any one writes a script specifically to deal with svchost I'd love to have a copy!!

[Danyfirex]

good point Boss007 for that my script has some code to compare and now if is legitimate of windows.

[Skitty]

. I have been removing malware manualy for quite some time.I always kill all local and network events of svchost.exe

and then kill all non critical system events of svchost, which is normally but not always identifiable by size there is only 1 critical system event of svchost.exe instance that should not be killed, the one with the largest memory usage.This svchost normally identifies first allocation of services which always goes to microsoft o/s. svchost services are triggered by processes that are running on the host machine. it does not reveal which process has triggered it off.There are many viruses that use svchost as a mask.svchost is only a generic name for many services that run from the dll libraries and it is common to have many instances of it running ,hence the elimination process.. If any one writes a script specifically to deal with svchost I'd love to have a copy!!

Why not just make a list of active services, disable most of them and inspect things from there?

Anyway, when I suspect I have something, I just re-install windows to avoid going through all that.

I don't like using AVs for some reason, might be a bad decision but then again, Common Sense 2012 is one hell of an AV.