Quick Tip: Kill frozen Windows 2000 applications with TLIST and KILL

Learn to use the TLIST and the KILL commands to terminate malfunctioning processes in the Windows Task Manager

We’ve all seen situations in which a computer, process, or application locks up. When this occurs, you might choose to open the Windows Task Manager, and terminate the offending process or application. However, you’ve probably noticed that there are some processes that the Task Manager just won’t terminate. When this occurs, there’s another way of getting the job done. In this article, I’ll show you how to use the TLIST and the KILL commands to terminate malfunctioning processes.

Installing the Windows Support Tools
The techniques that I’ll be showing you involve using the TLIST and the KILL command. These commands are a part of the Windows Support Tools, which aren’t installed by default. Instead, these tools are kept on the Windows 2000 installation CD until you manually install them. Installing the support tools requires a little over 18 MB of hard disk space.

To install the Windows Support Tools, log on as an administrator and insert your Windows 2000 installation CD. When you see the Windows 2000 splash screen, select the Browse This CD option. When the browse window opens, navigate through the CD’s directory to the \SUPPORT\TOOLS directory. Next, run the SETUP.EXE program.

Locating the process ID
When you need to terminate a process that has hung, the first thing that you must do is to determine the process ID. There are a couple of different ways of doing this. One way is by opening the Windows Task Manager and looking at the Processes tab. For example, suppose that I wanted to terminate Microsoft Access. As you can see in Figure A, Access is using process ID 2304.

Figure A
You can locate a process’s ID through the Windows Task Manager.

Another way of determining the process ID is by opening a Command Prompt window and entering the TLIST command. As you can see in Figure B, the TLIST command displays the process ID, process name, and, when possible, the application name for each process. If you look at the third line from the bottom in Figure B, you’ll see process 2304, Microsoft Access.

Figure B
The TLIST command can display the process ID, process name, and sometimes, the application name for each process.

Simply entering the TLIST command provides a quick and easy way of displaying all of the processes that are running on your system. However, TLIST has several optional parameters that you can use to gain a wealth of information regarding the processes that are running on your machine.

The actual syntax for TLIST is as follows:
TLIST <<-m <pattern>> | <-t> <PID> | <pattern> | <-P <process_name>>>

The -T parameter displays all of the process information in tree form. The tree is based on dependencies. For example, the TLIST.EXE process runs inside a command prompt window, and is therefore dependent on the command prompt process (CMD.EXE). The command prompt process is dependent on Windows Explorer, and therefore relies on the EXPLORER.EXE process. The -T switch shows you these types of relationships in tree fashion.

The PID option can be used to display all sorts of information on a process. For example, if you enter the TLIST command followed by 2304, the process ID of Microsoft Access from earlier, the TLIST program will tell you everything you ever wanted to know about Access. Included in this summary are things like the executable file, amount of memory being used, the number of threads, the state of each thread, which DLL files are in use, the DLL versions, and more.

The pattern option works much like the PID option. The only difference is that this time, rather than inputting the process ID number, you’re entering the actual name of the process (such as MSACCESS). When you do, you’ll see the same information displayed as when you use the PID option.

-M <pattern>
The -M option can be used to tell you which programs are using a specific DLL file. Simply enter the TLIST command followed by -M and the name of the DLL, and you’ll get a list of the processes that are using it. For example, on my system, I entered TLIST -M LINKINFO.DLL, and got a list indicating that the Program manager and Microsoft Access were both using the DLL.

The -S switch displays a list of the system services used by each service. For example, the Remote Registry Service uses the REGSVC.EXE file.

-P <processname>
If you simply need to locate a process ID for a specific process, you can use the -P option. For example, entering TLIST -P MSACCESS will return the process ID (in this case 2304) for MSACCESS.

The KILL command
Now that you know how to look up all of the necessary information on a process that’s become stuck, let’s take a look at how to terminate the process with the KILL command. The command line syntax of the KILL command is as follows:
KILL [-F] <<PID> | <pattern>>

As you’ve probably already figured out from my explanation of TLIST, the PID is the process ID and the pattern is the name of the process. Therefore, you can shut down a process by simply entering the KILL command followed by one of the two parameters. For example, if I wanted to shut down Microsoft Access, I could do so by entering one of the following two commands:
KILL 2304


Careful with -F
The -F switch parameter in my example above will force a process to shut down. Most of the time, you won’t want to use the -F switch. It’s intended for emergency use only. You can actually use the KILL command combined with the -F parameter to shut down critical systems services, thus resulting in the Blue Screen of Death.

Coincidentally, several years ago I was at Microsoft’s TechEd conference, and one of the speakers had developed a virus based on the KILL -F command. He had used a common utility to create a service that issued the KILL -F command followed by the name of a critical system service. He then configured his service in a way that would cause it to load on startup. The result was that every time the machine would boot, it would instantly go to the Blue Screen of Death because he was killing a low level service. The only way that the speaker was able to undo the damage was to use ERD Commander from Winternals Software to disable the virus service from outside of the operating system.

Editor's Picks

Free Newsletters, In your Inbox