Kill a Windows process with Tskill and Taskkill - Mon, Mar 13 2023
Both Tskill and Taskkill have been available since Windows XP as built-in tools. As with PsKill, they can both kill a Windows process locally or remotely. Administrative privileges are required if you want to terminate a process that belongs to another user or runs with a higher security context. Let's have a closer look at how you can kill Windows processes with these tools.
Kill a Windows process with Tskill
Tskill is a simple tool with only a few options. It can terminate a process based on process ID (PID) or process name. Wildcard characters are accepted as well. Tskill can be used locally or remotely.
The basic syntax is as follows:
tskill 5564
tskill mspaint
tskill mspa*
The Tskill documentation on the Microsoft website tells you that the tool ends a process running in a session on a Remote Desktop Services (RDS) host server. This can be useful when terminating processes by wildcard or from remote servers.
You can specify the session in which you want to kill the remote process. Use /ID:sessionid to specify a session or /A to kill the Windows process under all sessions. These options are only required when you kill a process by its name or a wildcard, as multiple users may run the same process name on an RDS server. Terminating a remote process by its PID does not require these options, as the PID is always unique. By default, Tskill does not produce any output. This can be changed using the /V switch. I recommend using this switch for such operations so that you can see the output.
Kill a Windows process with Taskkill
Compared to Tskill, Taskkill has many more features, as can be seen in the help message. It allows you to kill a Windows process from a local or remote system, use different credentials, filter to select a set of tasks, or terminate a process tree.
The basic syntax is as follows:
taskkill /IM mspaint.exe
taskkill /IM mspa*
taskkill /PID 1258
taskkill /PID 5589 /T
Note that the .exe suffix is required if you don't use a wildcard. Typing only mspaint will return "ERROR: The process mspaint not found." The help message also says that wildcards in the /IM option can only be used together with the filter (/FI option), which is not true. The /T option is used to kill the entire process tree.
Taskkill can also kill a Windows process softly. It sends a kill signal to the application, allowing it to save its data and end properly. For example, if you use Taskkill to terminate a Word process that has unsaved changes, Word will ask you if you want to save the data. To forcefully kill a Windows process, use the /F option. Note that terminating a process on a remote system is always done forcefully.
Killing a process on a remote system requires administrative rights on the target system. Taskkill allows you to specify alternate credentials for such actions using the /U and /P options. If you don't add the /P option, you will be prompted for the password, which also keeps the password out of the command line, where shell history and process command-line logging can capture it. The syntax is as follows:
taskkill /S myserver /IM mspaint.exe
taskkill /S myserver /U LAB\admin /P Passw0rd /PID 1234
Taskkill also allows you to use filters to specify a set of processes to be terminated. For example, you may want to kill all processes that have higher memory usage than 100 MB. Or you may want to kill all processes running under a specific user. This is done using the following syntax:
taskkill /F /FI "MEMUSAGE gt 102400"
taskkill /F /FI "USERNAME eq LAB\Admin"
You can also combine both conditions and kill all Windows processes for the Admin user that use more than 100 MB of memory. Simply specify the /FI option twice.
taskkill /F /FI "MEMUSAGE gt 102400" /FI "USERNAME eq LAB\Admin"
Use the help message to see all filtering options. Note that using filters incorrectly may result in the termination of critical system processes or processes you don't want terminated.
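One way to act on this warning, as an added example that is not part of the original article: preview the filter with Tasklist, which accepts the same MEMUSAGE and USERNAME filters, refuse to continue if a protected image name is matched, and only then kill by PID. The function names and the $Protected list are assumptions of this example, not Windows built-ins.

```powershell
# Added example: preview a Taskkill filter with Tasklist, then kill by PID.
# $Protected is an illustrative, non-exhaustive list (assumption of this example).
$Protected = 'System', 'smss.exe', 'csrss.exe', 'wininit.exe', 'winlogon.exe',
             'services.exe', 'lsass.exe', 'svchost.exe'

function Get-FilterMatch {
    param([Parameter(Mandatory)][string[]]$Filter)
    # Build the same /FI arguments that Taskkill would receive.
    $fi = foreach ($f in $Filter) { '/FI'; $f }
    # /FO CSV /NH gives CSV rows without the localized header line. Keeping only
    # lines that start with a quote drops the "INFO: No tasks..." message.
    & tasklist.exe @fi /FO CSV /NH |
        Where-Object { $_ -like '"*' } |
        ConvertFrom-Csv -Header ImageName, ProcessId, SessionName, SessionId, MemUsage
}

function Stop-FilterMatch {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string[]]$Filter, [switch]$Force)

    $hits = @(Get-FilterMatch -Filter $Filter)
    if ($hits.Count -eq 0) { Write-Warning 'Filter matched no processes.'; return }

    # Refuse the whole operation if the filter reaches a protected image name.
    $blocked = @($hits | Where-Object { $Protected -contains $_.ImageName })
    if ($blocked.Count -gt 0) {
        $names = ($blocked.ImageName | Sort-Object -Unique) -join ', '
        Write-Warning "Filter also matches protected processes: $names"
        return
    }

    $hits | Format-Table -AutoSize | Out-Host
    foreach ($p in $hits) {
        # Kill by PID so only the processes shown in the preview are touched.
        if ($PSCmdlet.ShouldProcess("$($p.ImageName) (PID $($p.ProcessId))", 'taskkill')) {
            $killArgs = @('/PID', $p.ProcessId)
            if ($Force) { $killArgs += '/F' }
            & taskkill.exe @killArgs
        }
    }
}

# Dry run of the combined filter from the article; remove -WhatIf to act.
Stop-FilterMatch -Filter 'MEMUSAGE gt 102400', 'USERNAME eq LAB\Admin' -Force -WhatIf
```

Because the function declares a high confirm impact, PowerShell asks for confirmation per process unless -Confirm:$false is passed.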
Final words
In this post, you have learned how to use Tskill and Taskkill to kill a Windows process on local or remote systems. As you have seen, both tools offer more features than Sysinternals PsKill. In addition, they are built into Windows, so no download is required. As always, be careful with the process you are killing. Inappropriate actions might lead to data loss or a system crash.
I’ve been using tskill ever since it came out with Citrix WinFrame. It is a fantastic – quick & dirty tool. I’ve run into circumstances where tskill worked and taskkill did not. (It’s very rare, but it does happen). One important and parallel tool to use with it is qprocess. It’s part of the suite of terminal server utilities and they all have nearly identical syntax. (The related tools include qwinsta, quser, qappsrv, tskill, tsdiscon, reset, logoff, etc.). The main thing is you can use qprocess to quickly identify which processes belong to a specific user session in a terminal server. You can query by checking the session id, the username, the program name, etc. With a little practice it becomes second nature to just run a quick qwinsta/quser, qprocess, tskill.
As a bonus, if you use qprocess with no arguments, you get all your own processes on the system you are logged into.
It’s nice to see an article actually discussing the tool 🙂
David F.
Wow, Citrix WinFrame? It was based on Windows NT 3.51. You must have been around for a while. 😉
Absolutely 🙂
I started with WinFrame in 97, and absolutely loved it.
David F.
Yeah I love it too. We had a huge system where we offered access to CD-ROM-based bibliographies for 50,000 students. I wouldn’t trust a Windows-based system with such a task anymore.