From: Kerem Gümrükcü on 30 Jun 2008 22:01

Hi,

I dropped a "!zombies" on my Windows 2000 system and it displayed some really unavailable processes. Is there any way to remove them from the process list without rebooting the system and manipulating internal kernel data? I mean, is there a simple command in kd or another app that can do this for me,...?

That's what one zombie looks like:

HandleCount: 1  PointerCount: 1
PROCESS ff6f18e0  SessionId: 0  Cid: 34e0  Peb: 7ffdf000  ParentCid: 00e0
    DirBase: 07c74000  ObjectTable: 00000000  TableSize: 0.
    Image: explorer.exe

Even "a" spooler is a zombie:

HandleCount: 0  PointerCount: 1
PROCESS ffa9bd60  SessionId: 0  Cid: 38c8  Peb: 7ffdf000  ParentCid: 0114
    DirBase: 0933f000  ObjectTable: 00000000  TableSize: 0.
    Image: spoolsv.exe

I got zombies on my systems,...:-)

Regards

Kerem

--
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Microsoft Live Space: http://kerem-g.spaces.live.com/
Latest Open-Source Projects: http://entwicklung.junetz.de
-----------------------
"This reply is provided as is, without warranty express or implied."

From: Ivan Brugiolo [MSFT] on 30 Jun 2008 22:47

The best way is to find out the process that keeps a handle opened to a zombie process, and kill that process instead.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

From: Kerem Gümrükcü on 30 Jun 2008 23:00

Hi Ivan,

the zombies' parents are winlogon.exe and services.exe. Buddy,... I think I only have to go for a reboot,.... :-(

What is that zombie s***, can't Windows handle this by itself? Do these zombies cover any memory, or are they just list entries inside the kernel clients list?

Regards

K.

From: Ivan Brugiolo [MSFT] on 2 Jul 2008 13:13

Windows is dealing with zombie processes the best way possible. A zombie process has no handle-table and no address space. It only holds onto the EPROCESS allocation from non-paged pool. The EPROCESS has the DISPATCHER_HEADER, which is possibly linked on the wait-list of a thread. If the thread is not actually waiting on that list, it would be incorrect to forcefully remove it, because the thread would never have had a chance to know that the process died and its handle was signaled.

If you have winlogon.exe creating zombies, it would be a big issue. Do you have 3rd party code running there? That would be very bad.

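To go with the advice above about finding whatever still references a zombie, here is an added example (not code from the thread or from Microsoft) that parses `!zombies`-style output and sorts entries by what keeps the EPROCESS allocated. The sample text is constructed from the two entries quoted in the thread; the function names and the labels `open-handle` and `pointer-only` are hypothetical.

```python
import re

# Constructed sample: the two entries quoted in the thread, one field group per line.
SAMPLE = """\
HandleCount: 1  PointerCount: 1
PROCESS ff6f18e0  SessionId: 0  Cid: 34e0    Peb: 7ffdf000  ParentCid: 00e0
    DirBase: 07c74000  ObjectTable: 00000000  TableSize:   0.
    Image: explorer.exe

HandleCount: 0  PointerCount: 1
PROCESS ffa9bd60  SessionId: 0  Cid: 38c8    Peb: 7ffdf000  ParentCid: 0114
    DirBase: 0933f000  ObjectTable: 00000000  TableSize:   0.
    Image: spoolsv.exe
"""

FIELD = re.compile(
    r"\b(HandleCount|PointerCount|PROCESS|Cid|ParentCid|ObjectTable|Image):?\s+(\S+)")

def parse_zombies(text):
    """Split the listing into one dict of fields per PROCESS entry."""
    entries = []
    for chunk in re.split(r"(?=HandleCount:)", text):
        fields = dict(FIELD.findall(chunk))
        if "PROCESS" in fields:          # skip empty or partial chunks
            entries.append(fields)
    return entries

def triage(entry):
    """Say which kind of reference keeps this process object alive."""
    # Counts are only compared with zero, so the radix kd printed them in is irrelevant.
    handles = int(entry["HandleCount"], 16)
    pointers = int(entry["PointerCount"], 16)
    if int(entry["ObjectTable"], 16) != 0:
        return "live"                    # still has a handle table: not a zombie
    if handles > 0:
        return "open-handle"             # a process still holds a handle: find that holder
    if pointers > 0:
        return "pointer-only"            # no handle left; a by-pointer reference remains
    return "releasable"

def report(text):
    """Return (image, cid, parent cid, classification) for every entry."""
    return [(e["Image"], e["Cid"], e["ParentCid"], triage(e))
            for e in parse_zombies(text)]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%-14s cid=%s parent=%s -> %s" % row)
```

An `open-handle` entry is the case the reply addresses: the fix is in the process holding the handle. A `pointer-only` entry has no user-mode handle to close, so the reference has to be traced from the kernel side.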