taskkill.exe

  • File Path: C:\Windows\SysWOW64\taskkill.exe
  • Description: Terminates Processes

Hashes

Type Hash
MD5 1CC726A03B77DBEFC34491C8F7E2F4C3
SHA1 3C3942FD8534E0BAB9BEF34D90491FFFCC8C0A46
SHA256 942E94F84340FA275FECFE87BC1CAEC8F667E9EEA29E67F72E3F2E2546BB3197
SHA384 A3A4C8B1FEDA18230F29740E1AAEC6F616BC4FDE9E9BB9FE6BAB2B5C9BFF2C70DAD815BB9E3A4488B89ACACAE5F4D3C4
SHA512 3E2E89BC87C5A0AE94E6323786D5F73D2A27E4FC5EBD9BA9A9EE37776558318CF2ED3BA62FE0F89C681D0E7EA1C756602354BFA22D06828F4F2EF24218E0DCF3
SSDEEP 1536:vJYuKPT33R0i/7UaM0JrLveqf7+cQka45ui9JrUhxU1cGx1SB:mbnLQwtPf7+cQkauuifUhxLGxsB
IMP 0D3E23DCB6BF63A9EB90D5BED57B4F89
PESHA1 E3890C4CDA436E20A778CFF14F147B486CE22CD6
PE256 5B5B0BF6E2DB4E9845BA34CB576569588365ACAAB71664DD0D1909752A6B3081

Runtime Data

Usage (stdout):


TASKKILL [/S system [/U username [/P [password]]]]
         { [/FI filter] [/PID processid | /IM imagename] } [/T] [/F]

Description:
    This tool is used to terminate tasks by process id (PID) or image name.

Parameter List:
    /S    system           Specifies the remote system to connect to.

    /U    [domain\]user    Specifies the user context under which the
                           command should execute.

    /P    [password]       Specifies the password for the given user
                           context. Prompts for input if omitted.

    /FI   filter           Applies a filter to select a set of tasks.
                           Allows "*" to be used. ex. imagename eq acme*

    /PID  processid        Specifies the PID of the process to be terminated.
                           Use TaskList to get the PID.

    /IM   imagename        Specifies the image name of the process
                           to be terminated. Wildcard '*' can be used
                           to specify all tasks or image names.

    /T                     Terminates the specified process and any
                           child processes which were started by it.

    /F                     Specifies to forcefully terminate the process(es).

    /?                     Displays this help message.

Filters:
    Filter Name   Valid Operators           Valid Value(s)
    -----------   ---------------           -------------------------
    STATUS        eq, ne                    RUNNING |
                                            NOT RESPONDING | UNKNOWN
    IMAGENAME     eq, ne                    Image name
    PID           eq, ne, gt, lt, ge, le    PID value
    SESSION       eq, ne, gt, lt, ge, le    Session number.
    CPUTIME       eq, ne, gt, lt, ge, le    CPU time in the format
                                            of hh:mm:ss.
                                            hh - hours,
                                            mm - minutes, ss - seconds
    MEMUSAGE      eq, ne, gt, lt, ge, le    Memory usage in KB
    USERNAME      eq, ne                    User name in [domain\]user
                                            format
    MODULES       eq, ne                    DLL name
    SERVICES      eq, ne                    Service name
    WINDOWTITLE   eq, ne                    Window title

    NOTE
    ----
    1) Wildcard '*' for /IM switch is accepted only when a filter is applied.
    2) Termination of remote processes will always be done forcefully (/F).
    3) "WINDOWTITLE" and "STATUS" filters are not considered when a remote
       machine is specified.

Examples:
    TASKKILL /IM notepad.exe
    TASKKILL /PID 1230 /PID 1241 /PID 1253 /T
    TASKKILL /F /IM cmd.exe /T 
    TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
    TASKKILL /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /IM notepad.exe
    TASKKILL /S system /U domain\username /FI "USERNAME ne NT*" /IM *
    TASKKILL /S system /U username /P password /FI "IMAGENAME eq note*"

Usage (stderr):

ERROR: Invalid argument/option - '--help'.
Type "TASKKILL /?" for usage.

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\taskkill.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: taskkill.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/942e94f84340fa275fecfe87bc1caec8f667e9eea29e67f72e3f2e2546bb3197/detection/

Possible Misuse

The following table contains possible examples of taskkill.exe being misused. While taskkill.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_apt_babyshark.yml - cmd.exe /c taskkill /im cmd.exe DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - taskkill.exe DRL 1.0
sigma proc_creation_win_susp_del.yml #cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit DRL 1.0
sigma proc_creation_win_susp_disable_raccine.yml - 'taskkill ' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \taskkill.exe DRL 1.0
sigma proc_creation_win_susp_taskkill.yml title: Suspicious Execution of Taskkill DRL 1.0
sigma proc_creation_win_susp_taskkill.yml taskkill: DRL 1.0
sigma proc_creation_win_susp_taskkill.yml Image\|endswith: \taskkill.exe DRL 1.0
sigma proc_creation_win_susp_taskkill.yml condition: taskkill DRL 1.0
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}  
atomic-red-team T1027.md taskkill /f /im calculator.exe >nul 2>nul MIT License. © 2018 Red Canary
atomic-red-team T1036.md taskkill /IM Calculator.exe /f >$null 2>$null MIT License. © 2018 Red Canary
atomic-red-team T1047.md taskkill /f /im calculator.exe MIT License. © 2018 Red Canary
atomic-red-team T1489.md taskkill.exe /f /im #{process_name} MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md taskkill /F /IM #{process_name} >nul 2>&1 MIT License. © 2018 Red Canary
signature-base apt_golddragon.yar $s3 = “taskkill /f /im daumcleaner.exe” fullword ascii CC BY-NC 4.0
signature-base apt_greenbug.yar $s4 = “taskkill /im winit.exe /f” fullword ascii CC BY-NC 4.0
signature-base apt_irontiger.yar $s5 = “taskkill /im conime.exe” fullword ascii CC BY-NC 4.0
signature-base apt_keyboys.yar $s1 = “taskkill /f /pid %s” fullword ascii CC BY-NC 4.0
signature-base apt_leviathan.yar $x2 = “.Run "taskkill /im mshta.exe” ascii CC BY-NC 4.0
signature-base apt_oilrig.yar $a1 = “taskkill /F /IM cscript.exe” fullword ascii CC BY-NC 4.0
signature-base apt_op_honeybee.yar $x1 = “cmd /c taskkill /im cliconfg.exe /f /t && del /f /q” fullword ascii CC BY-NC 4.0
signature-base apt_winnti_burning_umbrella.yar $s1 = “Taskkill /IM %s /F & %s” fullword ascii CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a1 = “taskkill /f /im cmd.exe” fullword ascii CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a2 = “taskkill /f /im mstsc.exe” fullword ascii CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a3 = “taskkill /f /im taskmgr.exe” fullword ascii CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a4 = “taskkill /f /im regedit.exe” fullword ascii CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a5 = “taskkill /f /im mmc.exe” fullword ascii CC BY-NC 4.0
signature-base crime_nansh0u.yar $s1 = “taskkill /im cmd.exe /f” fullword ascii CC BY-NC 4.0
stockpile 95727b87-175c-4a69-8c7a-a5d82746a753.yml taskkill /s \\#{remote.host.fqdn} /FI "Imagename eq s4ndc4t.exe" Apache-2.0
stockpile ece5dde3-d370-4c20-b213-a1f424aa8d03.yml wmic /node:”#{remote.host.fqdn}" /user:”#{domain.user.name}" /password:”#{domain.user.password}" process call create "taskkill /f /im s4ndc4t.exe" Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


taskkill

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Ends one or more tasks or processes. Processes can be ended by process ID or image name. You can use the tasklist command command to determine the process ID (PID) for the process to be ended.

[!NOTE] This command replaces the kill tool.

Syntax

taskkill [/s <computer> [/u [<domain>\]<username> [/p [<password>]]]] {[/fi <filter>] [...] [/pid <processID> | /im <imagename>]} [/f] [/t]

Parameters

Parameter Description
/s <computer> Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/u <domain>\<username> Runs the command with the account permissions of the user who is specified by <username> or by <domain>\<username>. The /u parameter can be specified only if /s is also specified. The default is the permissions of the user who is currently logged on to the computer that is issuing the command.
/p <password> Specifies the password of the user account that is specified in the /u parameter.
/fi <filter> Applies a filter to select a set of tasks. You can use more than one filter or use the wildcard character (*) to specify all tasks or image names. The valid filters are listed in the Filter names, operators, and values section of this article.
/pid <processID> Specifies the process ID of the process to be terminated.
/im <imagename> Specifies the image name of the process to be terminated. Use the wildcard character (*) to specify all image names.
/f Specifies that processes be forcefully ended. This parameter is ignored for remote processes; all remote processes are forcefully ended.
/t Ends the specified process and any child processes started by it.
Filter names, operators, and values
Filter Name Valid Operators Valid Value(s)
STATUS eq, ne RUNNING | NOT RESPONDING | UNKNOWN
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number
CPUtime eq, ne, gt, lt, ge, le CPU time in the format HH:MM:SS, where MM and SS are between 0 and 59 and HH is any unsigned number
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne Any valid user name (<user> or <domain\user>)
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title
MODULES eq, ne DLL name

Remarks

  • The WINDOWTITLE and STATUS filters aren’t supported when a remote system is specified.

  • The wildcard character (*) is accepted for the */im option, only when a filter is applied.

  • Ending a remote process is always carried out forcefully, regardless whether the /f option is specified.

  • Providing a computer name to the hostname filter causes a shutdown, stopping all processes.

Examples

To end the processes with process IDs 1230, 1241, and 1253, type:

taskkill /pid 1230 /pid 1241 /pid 1253

To forcefully end the process Notepad.exe if it was started by the system, type:

taskkill /f /fi "USERNAME eq NT AUTHORITY\SYSTEM" /im notepad.exe

To end all processes on the remote computer Srvmain with an image name beginning with note, while using the credentials for the user account Hiropln, type:

taskkill /s srvmain /u maindom\hiropln /p p@ssW23 /fi "IMAGENAME eq note*" /im *

To end the process with the process ID 2134 and any child processes that it started, but only if those processes were started by the Administrator account, type:

taskkill /pid 2134 /t /fi "username eq administrator"

To end all processes that have a process ID greater than or equal to 1000, regardless of their image names, type:

taskkill /f /fi "PID ge 1000" /im *

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.