JohnLM 23 Posted July 21, 2024 (edited)

Specs: Delphi XE7, Windows 7 64bit laptop.

There is a "rundll32.exe" that keeps running every day. Now, I know that this is used in various ways during regular Windows operations, like for instance, when you open the sound volume applet (via taskbar icon) and select the speaker icon, the "rundll32" activates and runs services. The service is running a HDD file collection activity because my HDD light is on continuously.

And after searching around the web for answers, I found many Delphi routines that end or kill a process by program name and process_id. I am using the PID to be more accurate. Then, I wrote an app to detect when this file or service runs and End or Kill its process via its PID, but the process does not end. I think I've tried all the methods that I found and still, this "rundll32.exe" file will not stop running.

I am pretty sure that this is a background (scheduled) task that can be turned off somewhere in "services.msc" but that method is not what I want to use in this case. This endeavour has stumped me and I want to figure it out in the route I am in now.

Any advice or suggestions or code corrections on how to proceed would be greatly appreciated.

// uses Winapi.Windows, Winapi.TlHelp32, System.SysUtils;
function KillProcessTree(const PID: Cardinal): boolean;
var
  hProc, hSnap : THandle;
  pe : TProcessEntry32;
  bCont : BOOL;
begin
  Result := true;
  FillChar(pe, SizeOf(pe), #0);
  pe.dwSize := SizeOf(pe);
  hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if (hSnap <> INVALID_HANDLE_VALUE) then
  begin
    if (Process32First(hSnap, pe)) then
    begin
      // SYNCHRONIZE is required for WaitForSingleObject on a process handle.
      hProc := OpenProcess(PROCESS_TERMINATE or SYNCHRONIZE, false, PID);
      if (hProc <> 0) then
      begin
        // Wait (bounded) only when termination was actually requested.
        if TerminateProcess(hProc, 1) then
          WaitForSingleObject(hProc, 5000)
        else
          Result := false;
        CloseHandle(hProc);
      end
      else
        Result := false; // process could not be opened, e.g. access denied
      bCont := true;
      while bCont do
      begin
        // The recursive call terminates the child and its own descendants.
        if (pe.th32ParentProcessID = PID) then
          Result := KillProcessTree(pe.th32ProcessID) and Result;
        bCont := Process32Next(hSnap, pe);
      end;
    end;
    CloseHandle(hSnap);
  end
  else
    Result := false;
end;

and. . .

function Killtask2(exefilename: string): integer;
const
  process_terminate = $0001;
var
  Continueloop: Bool;
  Fsnapshothandle, hProc: THandle;
  FProcessEntry32: TProcessEntry32;
begin
  Result := 0;
  Fsnapshothandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  FProcessEntry32.dwSize := SizeOf(FProcessEntry32);
  Continueloop := Process32First(Fsnapshothandle, FProcessEntry32);
  while Integer(Continueloop) <> 0 do
  begin
    // Match on the bare file name or on the full szExeFile value.
    if (UpperCase(ExtractFileName(FProcessEntry32.szExeFile)) = UpperCase(exefilename)) or
       (UpperCase(FProcessEntry32.szExeFile) = UpperCase(exefilename)) then
    begin
      hProc := OpenProcess(process_terminate, BOOL(0), FProcessEntry32.th32ProcessID);
      if hProc <> 0 then
      begin
        Result := Integer(TerminateProcess(hProc, 0));
        CloseHandle(hProc); // release the process handle
      end;
    end;
    Continueloop := Process32Next(Fsnapshothandle, FProcessEntry32);
  end;
  CloseHandle(Fsnapshothandle);
end;

and this one. . .

function KillTask(ExeFileName: string): Integer;
const
  PROCESS_TERMINATE = $0001;
var
  ContinueLoop: BOOL;
  FSnapshotHandle, hProc: THandle;
  FProcessEntry32: TProcessEntry32;
begin
  Result := 0;
  FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  FProcessEntry32.dwSize := SizeOf(FProcessEntry32);
  ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);
  while Integer(ContinueLoop) <> 0 do
  begin
    // Match on the bare file name or on the full szExeFile value.
    if ((UpperCase(ExtractFileName(FProcessEntry32.szExeFile)) = UpperCase(ExeFileName)) or
        (UpperCase(FProcessEntry32.szExeFile) = UpperCase(ExeFileName))) then
    begin
      hProc := OpenProcess(PROCESS_TERMINATE, BOOL(0), FProcessEntry32.th32ProcessID);
      if hProc <> 0 then
      begin
        Result := Integer(TerminateProcess(hProc, 0));
        CloseHandle(hProc); // release the process handle
      end;
    end;
    ContinueLoop := Process32Next(FSnapshotHandle, FProcessEntry32);
  end;
  CloseHandle(FSnapshotHandle);
end;

Edited July 21, 2024 by JohnLM

JonRobertson 76 Posted July 21, 2024

Your app may need elevated rights to kill the process. There are processes that cannot be killed via Task Manager, even when it is elevated. Some other apps (possibly Process Explorer or another utility from Sysinternals) are more aggressive and successful at killing processes. There are many system services that cannot be killed and that would include any child processes that those services launch.

Have you confirmed which techniques are able to kill this process, outside of writing your own code? That will be necessary to determine which approach would work for your code.

If you haven't, I highly recommend determining what is launching the process and what it is doing, using another utility such as Process Monitor from Sysinternals. I have a strong dislike for background processes that consume CPU, I/O, or memory resources. But I research what they are doing and how they were launched to determine whether they are really needed or safe to disable.

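The following is an added example, not code posted by anyone in this thread: a console program that terminates a single PID and reports why the attempt failed, so a missing-elevation failure shows up as Win32 error 5 instead of passing silently. The names `TryKillPid` and `TKillOutcome`, the 5000 ms wait and taking the PID from the first command-line argument are assumptions made for the example.

```delphi
program KillPidDiag;
{$APPTYPE CONSOLE}
uses Winapi.Windows, System.SysUtils;
type
  TKillOutcome = (koKilled, koAccessDenied, koNotFound, koTimedOut, koFailed);

// Hypothetical helper: terminate one PID and say why it failed, if it did.
function TryKillPid(PID, WaitMs: Cardinal; out ErrCode: DWORD): TKillOutcome;
var
  hProc: THandle;
begin
  ErrCode := ERROR_SUCCESS;
  // SYNCHRONIZE lets WaitForSingleObject confirm the process really exited.
  hProc := OpenProcess(PROCESS_TERMINATE or SYNCHRONIZE, False, PID);
  if hProc = 0 then
  begin
    ErrCode := GetLastError;
    case ErrCode of
      ERROR_ACCESS_DENIED:     Exit(koAccessDenied); // caller not elevated, or target protected
      ERROR_INVALID_PARAMETER: Exit(koNotFound);     // no live process has this PID
    else
      Exit(koFailed);
    end;
  end;
  try
    if not TerminateProcess(hProc, 1) then
    begin
      ErrCode := GetLastError;
      Exit(koFailed);
    end;
    // Termination is asynchronous: wait a bounded time, never INFINITE.
    if WaitForSingleObject(hProc, WaitMs) = WAIT_OBJECT_0 then
      Result := koKilled
    else
      Result := koTimedOut;
  finally
    CloseHandle(hProc);
  end;
end;

const
  OutcomeText: array[TKillOutcome] of string = ('killed',
    'access denied (not elevated?)', 'no such PID', 'still running', 'failed');
var
  Err: DWORD;
  Outcome: TKillOutcome;
begin
  Outcome := TryKillPid(Cardinal(StrToIntDef(ParamStr(1), 0)), 5000, Err);
  Writeln(OutcomeText[Outcome], ' (Win32 error ', Err, ': ', SysErrorMessage(Err), ')');
end.
```

Run from a normal and then an elevated command prompt against the same PID to see the difference between the two outcomes.
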
Brian Evans 111 Posted July 22, 2024

The DLL it is running and its location should give some hints as to what it is, as will the contents (strings at least) of that DLL. Best to figure out what it is and uninstall or disable it.

Sometimes software is installed as a device driver, I remember an annoying piece of Lenovo software that was like that. Other things that can eat a lot of disk IO would be Windows Search indexing.

JohnLM 23 Posted July 22, 2024

Thanks for the responses.

Okay, I believe I have found out why my app was failing at closing the "rundll32.exe" (and other running processes). I did not run the app as Admin.

I know a few processes that show up in Task Manager and come back again after ending those tasks. For instance, the "HeciServer.exe - Intel(R) Capability Licensing Service Interface" will not close. I know because it has the same ProcessID (PID) but if I run the app as Admin, it closes and relaunches again but with a new PID.

In my app I have it so that it shows the PID for each app listed and slated for shutting down via one of the end process functions I listed in my first post. But I have not tested it on the rundll32.exe yet. I have to wait until it decides to start. I'll know then if the app works for this particular file and report back about it later.

JohnLM 23 Posted July 22, 2024

Success!! It is working.

Serv          LN  Time in/out  PID   Action
------------- --  -----------  ----  ------
rundll32.exe  45  12:00:02 AM  6460  killed

Now it is time to make some enhancements and add a custom running db list of items to keep track of that come up during the day and review for potential Action.