Trying to end a process but failing

[JohnLM 14]

Specs:  Delphi XE7, Windows 7 64bit laptop.

 

There is a "rundll32.exe" that keeps running every day.  Now, I know that this is used in various ways during regular Windows operations, like for instance, when you open the sound volumn applet (via taskbar icon) and select the speaker icon, the "rundll32" activates and runs services. 

 

The service is running a HDD file collection activity because my HDD light is on continuously. 

 

And after searching around the web for answers, I found many Delphi routines that end or kill a process by program name and process_id. I am using the PID to be more accurate. 

 

Then, I wrote an app to detect when this file or service runs and End or Kill its process via its PID, but the process does not end.  I think I've tried all the methods that I found and still, this "rundll32.exe" file will not stop running. 

 

I am pretty sure that this is a backgroud (scheduled) task that can be turned off somewhere in "services.msc" but that method is not what I want to use in this case. This endeviour has stumped me and I want to figure it out in the route I am in now.   Any advice or suggestions or code corrections on how to proceed would be greatly appreciated. 

 

function KillProcessTree(const PID: Cardinal): boolean;
var hProc, hSnap,
    hChildProc  : THandle;
    pe          : TProcessEntry32;
    bCont       : BOOL;
begin
    Result := true;
    FillChar(pe, SizeOf(pe), #0);
    pe.dwSize := SizeOf(pe);

    hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hSnap <> INVALID_HANDLE_VALUE) then
    begin
        if (Process32First(hSnap, pe)) then
        begin
            hProc := OpenProcess(PROCESS_TERMINATE{PROCESS_ALL_ACCESS}, false, PID);

            if (hProc <> 0) then
            begin
                Result := Result and TerminateProcess(hProc, 1);
                WaitForSingleObject(hProc, INFINITE);
                CloseHandle(hProc);
            end;

            bCont := true;
            while bCont do
            begin
                if (pe.th32ParentProcessID = PID) then
                begin
                    KillProcessTree(pe.th32ProcessID);

                    hChildProc := OpenProcess(PROCESS_TERMINATE{PROCESS_ALL_ACCESS}, FALSE, pe.th32ProcessID);

                    if (hChildProc <> 0) then
                    begin
                        Result := Result and TerminateProcess(hChildProc, 1);
                        WaitForSingleObject(hChildProc, INFINITE);
                        CloseHandle(hChildProc);
                    end;
                end;
                bCont := Process32Next(hSnap, pe);
            end;
        end;

        CloseHandle(hSnap);
    end;
end;

 

and. . . 

 

function Killtask2(exefilename: string): integer;
Const
  process_terminate = $0001;
Var
  Continueloop: Bool;
  Fsnapshothandle: THandle;
  fprocessentry32: TProcessentry32;
Begin
 Result := 0;
 Fsnapshothandle := CreateToolhelp32Snapshot (Th32cs_snapprocess, 0);
 FProcessEntry32.dwsize := Sizeof(FPROCESSENTRY32);
 Continueloop := Process32First (Fsnapshothandle, FPROCESSENTRY32);
 while integer (continueloop) <> 0 do begin
    if (Uppercase(Extractfilename (FProcessEntry32. szexefile)) = Uppercase(Exefilename))
    or (Uppercase(FProcessEntry32. Szexefile) = Uppercase(Exefilename)) then
    Result := Integer(TerminateProcess(OpenProcess(Process_terminate, BOOL (0), FProcessEntry32. Th32processid), 0));
    Continueloop := Process32Next(Fsnapshothandle, FPROCESSENTRY32);
  end;
  CloseHandle(Fsnapshothandle);
End;

 

and this one. . . 

 

function KillTask(ExeFileName: string): Integer;
const
  PROCESS_TERMINATE = $0001;
var
  ContinueLoop: BOOL;
  FSnapshotHandle: THandle;
  FProcessEntry32: TProcessEntry32;
begin
  Result := 0;
  FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  FProcessEntry32.dwSize := SizeOf(FProcessEntry32);
  ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);

  while Integer(ContinueLoop) <> 0 do
  begin
    if ((UpperCase(ExtractFileName(FProcessEntry32.szExeFile)) =
      UpperCase(ExeFileName)) or (UpperCase(FProcessEntry32.szExeFile) =
      UpperCase(ExeFileName))) then
      Result := Integer(TerminateProcess(
                        OpenProcess(PROCESS_TERMINATE,
                                    BOOL(0),
                                    FProcessEntry32.th32ProcessID),
                                    0));
     ContinueLoop := Process32Next(FSnapshotHandle, FProcessEntry32);
  end;
  CloseHandle(FSnapshotHandle);
end;

 

 

 

Edited July 21 by JohnLM

[JonRobertson 72]

Your app may need elevated rights to kill the process.

 

There are processes that cannot be killed via Task Manager, even when it is elevated. Some other apps (possibly Process Explorer or another utility from Sysinternals) are more aggressive and successful at killing processes. There are many system services cannot be killed and that would include any child processes that those services launch.

 

Have you confirmed which techniques are able to kill this process, outside of writing your own code? That will be necessary to determine which approach would work for your code.

 

If you haven't, I highly recommend determining what is launching the process and what it is doing, using another utility such as Process Monitor from Sysinternals. I have a strong dislike for background processes that consume CPU, I/O, or memory resources. But I research what they are doing and how they were launched to determine whether they are really needed or safe to disable.

[Brian Evans 105]

The DLL it is running, and its location should give some hints as to what it is as will the contents (strings at least) of that DLL. Best to figure out what it is and uninstall or disabled it. 

 

Sometimes software is installed as a device driver, I remember an annoying piece of Lenovo software that was like that. 

Other things that can eat a lot of disk IO would be Windows Search indexing. 

[JohnLM 14]

Thanks for the responses.

 

Okay, I believe I have found out why my app was failing at closing the "rundll32.exe" (and other running processes).  I  did not run the app as Admin. 

 

I know a few processes that show up in Task Manager and come back again after ending those tasks. 

 

For instance, the "HeciServer.exe - Intel(R) Capability Licensing Service Interface" will not close.

 

I know because it has the same ProcesID (PID) but if I run the app as Admin, it closes and relaunches again but with a new PID.  In my app I have it so that it shows the PID for each app listed and slated for shutting down via one of the end process funtions I listed in my first post. 

 

But I have not tested it on the rundll32.exe yet. I have to wait until it decides to start.  I'll know then if the app works for this particular file and report back about it later. 

[JohnLM 14]

Success!!  It is working. 

Serv          LN  Time in/out  PID  Action 
------------- --  -----------  ---- ------
rundll32.exe  45  12:00:02 AM  6460 killed

Now it is time to make some enhancements and add a custom running db list of items to keep track of that come up during the day and review for potential Action.