Get commandline of process and taskkill


I need some help here.

I am currently trying to kill any process that isn't in a whitelist (command line) like so; however, it is not working:

@echo off
setlocal

set "whitelist=DcomLaunch RPCSS LocalServiceNetworkRestricted netsvcs LocalService LocalSystemNetworkRestricted NetworkService LocalServiceAndNoImpersonation taskhostex cmd dwm conhost services smss SearchIndexer Isass Explorer csrss conhost cftmon"

for /f "tokens=2 delims=," %%I in (
    'wmic process get executablepath^,status /format:csv ^| find "\"'
) do (
    set "proc=%%~I"
    setlocal enabledelayedexpansion
    set /p "=%%~I: "<NUL
    wmic path win32_process get CommandLine | findstr /i "%whitelist%" >NUL && (
        echo OK
    ) || (
        echo UNACCEPTABLE!
        taskkill /im "%%~nxI" /f
    )
    endlocal
)

Solution

  • wmic path win32_process get CommandLine | findstr /i "%whitelist%"
    

    In the above command, findstr looks for a match in the entire wmic output, so it will always find a match. For instance, at least cmd would match because wmic runs in a cmd window. The next commented code snippet should work; however, it gives different results if elevated (run as administrator).

    set "whitelist=DcomLaunch RPCSS LocalServiceNetworkRestricted netsvcs LocalService LocalSystemNetworkRestricted NetworkService LocalServiceAndNoImpersonation taskhostex cmd dwm conhost services smss SearchIndexer Isass Explorer csrss conhost cftmon"
    
    rem add windows VITAL processes !!! incomplete !!!
    set "whitelist=svchost ctfmon lsass winlogon %whitelist%"
    
    for /f "tokens=2,3 delims=," %%I in (
        'wmic process get executablepath^,ProcessID^,status^,WindowsVersion /format:csv ^| find "\"'
    ) do (
        set "proc=%%~I"
        set "procID=%%~J"
        setlocal enabledelayedexpansion

        rem debugging:  set /p "=%%~I: "<NUL

        rem debug try: wmic path win32_process where "ProcessID=%%J" get Name 2>NUL | findstr /i "%whitelist%">NUL 2>&1  && (
        rem debug try: wmic path win32_process get executablepath 2>NUL | findstr /i "!proc:/=//!">NUL 2>&1  && (

        rem check only the command line of THIS process (ProcessID=%%J), not the whole wmic dump
        wmic path win32_process where "ProcessID=%%J" get CommandLine 2>NUL | findstr /i "%whitelist%">NUL 2>&1  && (
        rem suppress "No Instance(s) Available" report in above line: 2>NUL
            echo OK %%J "%%~I"
        ) || (
            rem UNWANTED: here come processes that have already exited ("cmd", "wmic", "find")
            rem           and maybe more that were active while the FOR %%I list was collected
            rem           (but the loop continues); let's filter them here:
            tasklist /FI "PID eq %%J" /NH | find "%%J" >NUL 2>&1 && (
                echo NO %%J "%%~I"
                rem taskkill /PID "%%~J" /f
            ) || (
                echo XX %%J "%%~I"
                rem inactive at the moment
            )
        )
        endlocal
    )
    

    Essential processes needed to run Windows (the following list may be a bit out of date):

    … here is a list of the essential processes that Windows needs to run correctly.

    • System Idle Process
    • explorer.exe
    • taskmgr.exe
    • spoolsv.exe
    • lsass.exe
    • csrss.exe
    • smss.exe
    • winlogon.exe
    • svchost.exe – (There will be a few of these)
    • services.exe

    By shutting down anything other than these processes, stand-alone Windows should operate fine; however, if any of these processes are shut down, Windows will start to become unstable or unusable.
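To make the difference concrete, here is an added Python illustration (not code from the question or the answer) that parses a constructed sample of `wmic ... /format:csv` output and compares three whitelist checks: the question's findstr-over-the-whole-dump test, a per-process word-substring test, and an exact image-name test against the essential-process list above. Everything else (the sample rows, the host name `PC1`, the PIDs) is made up for the example; nothing is killed, the functions only return a verdict per process.

```python
import csv

# Constructed sample of `wmic process get ExecutablePath,Name,ProcessID /format:csv` output.
# wmic emits a leading blank line and sorts the columns alphabetically after Node.
SAMPLE_WMIC_CSV = """
Node,ExecutablePath,Name,ProcessID
PC1,,System Idle Process,0
PC1,C:\\Windows\\System32\\lsass.exe,lsass.exe,700
PC1,C:\\Windows\\System32\\svchost.exe,svchost.exe,900
PC1,C:\\Windows\\explorer.exe,explorer.exe,4200
PC1,C:\\Users\\u\\Downloads\\notacmd.exe,notacmd.exe,5100
PC1,C:\\Windows\\System32\\cmd.exe,cmd.exe,6000
"""

# Word list in the style of the question's whitelist (note "Isass": capital I, not lsass).
WORD_WHITELIST = ("DcomLaunch RPCSS netsvcs taskhostex cmd dwm conhost services "
                  "smss SearchIndexer Isass Explorer csrss cftmon").split()

# Exact image names taken from the answer's list of essential Windows processes.
NAME_WHITELIST = {n.lower() for n in (
    "System Idle Process", "explorer.exe", "taskmgr.exe", "spoolsv.exe", "lsass.exe",
    "csrss.exe", "smss.exe", "winlogon.exe", "svchost.exe", "services.exe")}

def parse_wmic_csv(text):
    """Parse wmic /format:csv output into dicts; blank lines (wmic's odd line endings) are dropped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(lines))

def findstr_like_match(words, text):
    """Emulate `findstr /i "w1 w2 ..."`: true if ANY word occurs as a substring of text."""
    low = text.lower()
    return any(w.lower() in low for w in words)

def whole_output_check(text):
    """The question's test: one findstr over the entire wmic dump, so one verdict for every process."""
    return findstr_like_match(WORD_WHITELIST, text)

def classify_substring(processes):
    """Per-process verdict with word-substring matching on the path (or name when the path is empty)."""
    return {p["Name"]: ("OK" if findstr_like_match(WORD_WHITELIST, p["ExecutablePath"] or p["Name"])
                        else "KILL") for p in processes}

def classify_exact(processes):
    """Per-process verdict by exact, case-insensitive image name, as tasklist/wmic report it."""
    return {p["Name"]: ("OK" if p["Name"].lower() in NAME_WHITELIST else "KILL") for p in processes}
```

Running `classify_substring` on the sample shows the two failure modes: `notacmd.exe` is accepted because "cmd" is a substring of its path, while `lsass.exe` and `svchost.exe` would be killed (typo in the word list, name missing), which `classify_exact` gets right.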