explorer.exe 作为 windows 中的父进程
explorer.exe as the parent process in windows
我正在使用以下命令终止 cmd 中的一些任务:
taskkill /f /im software* /t
它完成了工作并用 IMAGENAME 杀死了所有任务;但是,看着它给我的东西,我看到了一些有趣的东西。往下看:
SUCCESS: The process with PID 14712 (child process of PID 9068) has been terminated.
SUCCESS: The process with PID 12184 (child process of PID 9068) has been terminated.
SUCCESS: The process with PID 16344 (child process of PID 9068) has been terminated.
SUCCESS: The process with PID 6816 (child process of PID 9068) has been terminated.
SUCCESS: The process with PID 10656 (child process of PID 9068) has been terminated.
SUCCESS: The process with PID 14912 (child process of PID 9068) has been terminated.
SUCCESS: The process with PID 11908 (child process of PID 9068) has been terminated.
SUCCESS: The process with PID 9068 (child process of PID 10060) has been terminated.
因此,正如预期的那样,所有进程都附加到一个集中任务 PID = 9068。但是,该进程也是 PID = 10060 的子进程,它是 explorer.exe 的 PID。此职位没有 GUI。所以我很惊讶地看到它是 explorer.
的子进程
那么,这里有一个问题:windows中的explorer.exe下会有什么样的进程?
更新:
问题:如果我想避免杀死(使用taskkill)直接是子进程的任何进程explorer.exe,我该如何处理?
这就是我目前所拥有的。首先我们需要得到 pid for explorer.exe:
TASKLIST /NH /FI "IMAGENAME eq explorer.exe"
然后,我正在考虑编写一个函数,它需要 pid 来杀死,检查它的父进程,如果父 pid 是 explorer.exe,它终止进程,如果没有,则杀死进程。这应该全部发生在同一个函数中,以避免处理评论中提到的动态 pid。
我可以使用以下方法找到每个 pid 的父进程:
wmic process get processid,parentprocessid,executablepath|find "process id goes here")
非常感谢您帮助我编写函数。
父进程与子进程是图形应用程序、控制台应用程序还是服务应用程序无关。如果 Explorer 是父级,则仅表示 Explorer 调用了 CreateProcess or that another process called CreateProcess or CreateProcessAsUser and substituted a handle for Explorer as the child's PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.
例如,如果用户在资源管理器中双击 .py 脚本图标,shell 查找文件关联(例如使用 IQueryAssociations 接口的内部实现)并执行以脚本作为参数的相应程序,带有类似 "C:\Windows\py.exe" "path\to\script.py" 的命令。如果直接执行,Explorer 会使用此命令行作为参数调用 CreateProcess。如果是 "run as administrator",Explorer 将请求发送到应用程序信息服务,该服务通过 CreateProcessAsUser 创建提升的进程,并通过上述进程创建属性将 Explorer 设置为父进程。
以下 .bat 脚本可以帮助理解 parent/child 进程及其行为…
@ECHO OFF
SETLOCAL EnableExtensions DisableDelayedExpansion
echo "%~1%~2%~3" | findstr /I "\? \/h \-h">NUL 2>&1
if %errorlevel% EQU 0 goto :usage
set "_explorerName=explorer.exe"
set "_NameToKill=%~1"
set "_Terminate=%~2"
set "_KillForce=%~3"
if NOT defined _NameToKill if not [%1]==[] (
rem debugging
set "_NameToKill=CMD.EXE"
rem debugging: start a child process
start "" /MIN notepad.exe
)
for /F "tokens=1,2 delims=," %%G in ('
TASKLIST /NH /FI "IMAGENAME eq %_explorerName%" /FO CSV
') do (
set "_explorerPID=%%~H"
)
ECHO checking '%_NameToKill%*' as child of %_explorerName% ^(PID=%_explorerPID%^)
for /F "skip=1 tokens=1-3" %%G in ('
wmic process WHERE "Name like '%_NameToKill%%%' and ParentProcessId=%_explorerPID%" get Name^,ParentProcessId^,ProcessId^,Status
') do (
if NOT "%%H"=="" (
echo %%G
for /F "skip=1 tokens=1-3" %%g in ('
2^>NUL wmic process WHERE "ParentProcessId=%%I" get Name^,ParentProcessId^,ProcessId^,Status
') do (
if NOT "%%h"=="" (
echo ProcessId=%%i, ParentProcessId=%%h, %%g child of %%G ^(%%I^)
if defined _Terminate (
if /I "%%~g"=="conhost.exe" (
rem debugging
taskkill /PID %%i /T
) else (
taskkill /PID %%i %_Terminate% %_KillForce%
)
echo(
)
)
)
echo ParentProcessId=%%H, ProcessId=%%I, %%G child of %_explorerName% ^(%_explorerPID%^)
if defined _Terminate (
taskkill /PID %%I /T
echo(-
)
)
)
if [%1]==[] goto :usage
:endlocal
ENDLOCAL
goto :eof
:usage
echo USAGE:
echo %~nx0 -? ^| /? ^| /h ^| -h this help message
echo %~nx0 list all childs of %_explorerName%
echo %~nx0 ^<processName^> [/T] [/F] list all childs of a process
echo %~nx0 "" [/T] [/F] a particular test case for cmd.exe
echo(
echo Optional parameters /T and /F ^(or -T and -F^): see taskkill /?
goto :endlocal
我正在使用以下命令终止 cmd 中的一些任务:
taskkill /f /im software* /t
它完成了工作并用 IMAGENAME 杀死了所有任务;但是,看着它给我的东西,我看到了一些有趣的东西。往下看:
SUCCESS: The process with PID 14712 (child process of PID 9068) has been terminated. SUCCESS: The process with PID 12184 (child process of PID 9068) has been terminated. SUCCESS: The process with PID 16344 (child process of PID 9068) has been terminated. SUCCESS: The process with PID 6816 (child process of PID 9068) has been terminated. SUCCESS: The process with PID 10656 (child process of PID 9068) has been terminated. SUCCESS: The process with PID 14912 (child process of PID 9068) has been terminated. SUCCESS: The process with PID 11908 (child process of PID 9068) has been terminated. SUCCESS: The process with PID 9068 (child process of PID 10060) has been terminated.
因此,正如预期的那样,所有进程都附加到一个集中任务 PID = 9068。但是,该进程也是 PID = 10060 的子进程,它是 explorer.exe 的 PID。此职位没有 GUI。所以我很惊讶地看到它是 explorer.
那么,这里有一个问题:windows中的explorer.exe下会有什么样的进程?
更新:
问题:如果我想避免杀死(使用taskkill)直接是子进程的任何进程explorer.exe,我该如何处理?
这就是我目前所拥有的。首先我们需要得到 pid for explorer.exe:
TASKLIST /NH /FI "IMAGENAME eq explorer.exe"
然后,我正在考虑编写一个函数,它需要 pid 来杀死,检查它的父进程,如果父 pid 是 explorer.exe,它终止进程,如果没有,则杀死进程。这应该全部发生在同一个函数中,以避免处理评论中提到的动态 pid。
我可以使用以下方法找到每个 pid 的父进程:
wmic process get processid,parentprocessid,executablepath|find "process id goes here")
非常感谢您帮助我编写函数。
父进程与子进程是图形应用程序、控制台应用程序还是服务应用程序无关。如果 Explorer 是父级,则仅表示 Explorer 调用了 CreateProcess or that another process called CreateProcess or CreateProcessAsUser and substituted a handle for Explorer as the child's PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.
例如,如果用户在资源管理器中双击 .py 脚本图标,shell 查找文件关联(例如使用 IQueryAssociations 接口的内部实现)并执行以脚本作为参数的相应程序,带有类似 "C:\Windows\py.exe" "path\to\script.py" 的命令。如果直接执行,Explorer 会使用此命令行作为参数调用 CreateProcess。如果是 "run as administrator",Explorer 将请求发送到应用程序信息服务,该服务通过 CreateProcessAsUser 创建提升的进程,并通过上述进程创建属性将 Explorer 设置为父进程。
以下 .bat 脚本可以帮助理解 parent/child 进程及其行为…
@ECHO OFF
SETLOCAL EnableExtensions DisableDelayedExpansion
echo "%~1%~2%~3" | findstr /I "\? \/h \-h">NUL 2>&1
if %errorlevel% EQU 0 goto :usage
set "_explorerName=explorer.exe"
set "_NameToKill=%~1"
set "_Terminate=%~2"
set "_KillForce=%~3"
if NOT defined _NameToKill if not [%1]==[] (
rem debugging
set "_NameToKill=CMD.EXE"
rem debugging: start a child process
start "" /MIN notepad.exe
)
for /F "tokens=1,2 delims=," %%G in ('
TASKLIST /NH /FI "IMAGENAME eq %_explorerName%" /FO CSV
') do (
set "_explorerPID=%%~H"
)
ECHO checking '%_NameToKill%*' as child of %_explorerName% ^(PID=%_explorerPID%^)
for /F "skip=1 tokens=1-3" %%G in ('
wmic process WHERE "Name like '%_NameToKill%%%' and ParentProcessId=%_explorerPID%" get Name^,ParentProcessId^,ProcessId^,Status
') do (
if NOT "%%H"=="" (
echo %%G
for /F "skip=1 tokens=1-3" %%g in ('
2^>NUL wmic process WHERE "ParentProcessId=%%I" get Name^,ParentProcessId^,ProcessId^,Status
') do (
if NOT "%%h"=="" (
echo ProcessId=%%i, ParentProcessId=%%h, %%g child of %%G ^(%%I^)
if defined _Terminate (
if /I "%%~g"=="conhost.exe" (
rem debugging
taskkill /PID %%i /T
) else (
taskkill /PID %%i %_Terminate% %_KillForce%
)
echo(
)
)
)
echo ParentProcessId=%%H, ProcessId=%%I, %%G child of %_explorerName% ^(%_explorerPID%^)
if defined _Terminate (
taskkill /PID %%I /T
echo(-
)
)
)
if [%1]==[] goto :usage
:endlocal
ENDLOCAL
goto :eof
:usage
echo USAGE:
echo %~nx0 -? ^| /? ^| /h ^| -h this help message
echo %~nx0 list all childs of %_explorerName%
echo %~nx0 ^<processName^> [/T] [/F] list all childs of a process
echo %~nx0 "" [/T] [/F] a particular test case for cmd.exe
echo(
echo Optional parameters /T and /F ^(or -T and -F^): see taskkill /?
goto :endlocal