How do I kill a specific thread in Windows?

1

The process explorer.exe has a thread with "start address" starting with "windows.immersiveshell.serviceprovider.dll". It takes a lot of processing power. Additionally, after waking up from sleep it produces three windows of the class "MetroGhostWindow" which take place in the Alt+Tab dialog.

Killing the thread with Process Hacker works excellently and frees resources. But is there a command line tool to do the same?

Anixx

Posted 2016-05-05T12:22:00.893

Reputation: 510

You could easily make a small application that could be called from a command line, just have it take an argument, and have it call the TerminateThread function.

– Ramhound – 2016-05-05T13:16:08.103

@Ramhound I do not know how to do it. Also it has to get as an argument the substring of the entry point name rather than TID. P.S. Why is the downvote? It is not a programming site, is it? – Anixx – 2016-05-05T13:23:11.020

If you want this capability, you will learn how to do it, the problem with the function I provided is it requires a handle to the thread. You are better off just ending the process the thread belongs to, much easier, than attempting to get the handle to a thread to an application that is already running. The last time I checked, voting is anonymous, I am shocked they are giving the capability, to see the voting history on a question to new users. – Ramhound – 2016-05-05T13:26:03.433

What you want requires you writing a small command console application, or at the very least, a PowerShell script.

– Ramhound – 2016-05-05T13:30:27.877

@Ramhound "You are better off just ending the process the thread belongs to" - impossible, it is Explorer.exe, as mentioned in the question. Upon restart of Explorer, the thread will be recreated. "What you want requires you writing a small command console application, or at the very least, a PowerShell script." - I do not know PowerShell language. If anyone can provide a solution, it would be great. If a similar utility already exists, it would be also great. – Anixx – 2016-05-05T13:33:57.147

Your request is out of scope for Superuser. We can help you accomplish your goal, we will not write the script or program for you, your request for us to write the script for you isn't reasonable. Handle v4.0 would appear to do what you want though.

– Ramhound – 2016-05-05T13:38:22.197

Sysinternals' pslist will show the threads in a program, but its list does not allow you easily to identify the problem thread. I would recommend suspending the thread, rather than killing it, though I have found no command-line tools for either. I would have suggested disabling it, but see this recommendation. You can try the effects of both using procexp: try this before you go further.

– AFH – 2016-05-05T13:39:56.987

@Ramhound I thought there is a command line utility for doing so, because Process Hacker can do it. – Anixx – 2016-05-05T13:40:26.850

Process Explorer can do it because somebody wrote it. What you want is possible, but it might not exist, so easier to just do it yourself. So you should start by researching how to do it, so you can write that program, and solve this problem for millions of people. – Ramhound – 2016-05-05T13:42:14.947

@AFH As I said I did it already with Process Hacker (another name for Process Explorer). It works well. – Anixx – 2016-05-05T13:43:17.217

@Ramhound well I found Process Hacker can kill a thread by the thread ID: https://wj32.org/processhacker/forums/viewtopic.php?t=75 The question is how to get it from the entry point name.

– Anixx – 2016-05-05T13:50:39.687

@Anixx - You should do research on how to find which entry points exist for that dll, based on that knowledge, you can try each one until you get the desired result. – Ramhound – 2016-05-05T14:08:31.877

@Ramhound I know the start address substring, how to obtain TID using command line? – Anixx – 2016-05-05T14:19:40.390

I provided you an excellent suggestion how to determine that. – Ramhound – 2016-05-05T14:23:07.253

@Ramhound where? The TID will be different on each process restart. – Anixx – 2016-05-05T14:23:49.430

2

Better analyze what the thread does instead of killing it. Share a WPR trace so that I can tell you what it does. Install the WPT (part of the Win10 SDK: https://dev.windows.com/en-us/downloads/windows-10-sdk which also works on 8.1), run WPRUI.exe, select "First Level", under Resource select CPU usage and click on start. Now capture 1 minute of the CPU usage. After 1 minute click on Save. Zip the large ETL file (+ NGENPDB folder) into 1 zip, upload the zip (OneDrive, Dropbox, Google Drive) and post the share link here.

– magicandre1981 – 2016-05-05T15:44:24.303

Answers

1

Well, this vbs script does the thing for me.

Put a shortcut to it into autostart folder. Put in the same folder as this script utilities nopey and processhacker.

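' Lists the threads of Explorer.exe with nopey and terminates one of them via Process Hacker.
' The thread is chosen by a text pattern in nopey's output, not by its start address.
Set objShell = CreateObject("WScript.Shell")
Set objWshScriptExec = objShell.Exec("nopey.exe list threads Explorer.exe")
Set objStdOut = objWshScriptExec.StdOut

found = False
Op = 0
Do Until objStdOut.AtEndOfStream
    strLine = objStdOut.ReadLine
    pos = InStr(strLine, "00000000")
    ' Stop at the first line containing "00000000" whose preceding line did not contain "TID"
    If pos <> 0 And Op = 0 Then
        found = True
        Exit Do
    End If
    Op = InStr(strLine, "TID")
Loop

' Nothing matched: quit instead of parsing an unrelated line
If Not found Then WScript.Quit 1

' Characters 4-7 of the matched line are read as the hexadecimal thread ID
Tid = CLng("&H" & Mid(strLine, 4, 4))

'WScript.Echo Tid

objShell.Run "ProcessHacker.exe -c -ctype thread -cobject " & Tid & " -caction terminate", 0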

It also disables all Metro stuff until Explorer is restarted.

P.S. Here is the zip archive with all necessary stuff. Just unpack it and run.

http://www.eightforums.com/attachments/customization/67840d1462474574-there-way-disable-metro-interface-metrokill.zip

Anixx

Posted 2016-05-05T12:22:00.893

Reputation: 510

Again, share a trace so that I can tell you what the thread does, instead of simply killing it. – magicandre1981 – 2016-05-06T04:36:38.610

If this script works for you, you are very lucky. There is no link between the thread you find and windows.immersiveshell.serviceprovider.dll: I wouldn't use it (especially not on start-up) unless I could establish this link, and I have yet to find a command-line tool which does this. With the ordering on my ProcessHacker listing, it finds a completely different thread. – AFH – 2016-05-07T14:51:55.073

@AFH you are right, it is a bad solution but I do not have a better one. – Anixx – 2016-05-07T14:57:42.020

0

You can create a command line argument for PH (Process Hacker).

You can do ProcessHacker.exe -c -ctype thread -cobject 1424 -caction terminate

You can get the ID by using Process Explorer to find the TID (Thread ID) of the thread you want to end. To do this you can right click the Process > Properties and you can see the thread you want to end.

Example for me the TID is 7924

Showing TID of the thread you want to end

Bitten Fleax

Posted 2016-05-05T12:22:00.893

Reputation: 632

I am asking for a command line tool that would terminate a thread by the "start address" substring to be run every time I start the computer. Without using GUI. Terminating the thread using GUI is possible with Process Hacker as I already mentioned in the question. This answer just repeats the information in my question. – Anixx – 2016-05-05T14:17:46.357

Except this answer can be used from within a script or a command line. – Ramhound – 2016-05-05T14:23:45.333

@Ramhound it cannot. It requires starting Process Explorer in GUI to get a TID. Also it takes all info from my comment to the question, from the link I already provided: https://wj32.org/processhacker/forums/viewtopic.php?t=75

– Anixx – 2016-05-05T14:25:43.733

Ah I get you. I am pretty sure PowerShell can get the TIDs of a process. It is just filtering out by the process name. I will have a look and see. – Bitten Fleax – 2016-05-05T14:30:18.027

@Bitten Fleax but will it allow to get TID from start address? – Anixx – 2016-05-05T14:45:30.143
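
The open point in the comments above is how to get a TID from the start-address module without a GUI. The following is an added example, not code from any poster on this page: it reads each thread's Win32 start address with NtQueryInformationThread (information class ThreadQuerySetWin32StartAddress) and reports the threads whose start address lies inside a module matching a name substring. The function name Get-ThreadByStartModule and the Native.Thr type name are made up for this example, and the session must have the same bitness as the target process.

```powershell
# Added example: list threads whose Win32 start address lies inside a named module.
# Get-ThreadByStartModule and Native.Thr are hypothetical names chosen for this example.
Add-Type -Namespace Native -Name Thr -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationThread(IntPtr h, int infoClass, out IntPtr info, int len, IntPtr retLen);
'@

function Get-ThreadByStartModule {
    param(
        [string]$ProcessName = 'explorer',
        [Parameter(Mandatory)][string]$ModuleSubstring
    )
    $THREAD_QUERY_INFORMATION = 0x0040          # access right needed for the query
    $ThreadQuerySetWin32StartAddress = 9        # THREADINFOCLASS value
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # Modules of this process whose file name contains the substring
        $mods = @($proc.Modules | Where-Object { $_.ModuleName -like "*$ModuleSubstring*" })
        foreach ($t in $proc.Threads) {
            $h = [Native.Thr]::OpenThread($THREAD_QUERY_INFORMATION, $false, [uint32]$t.Id)
            if ($h -eq [IntPtr]::Zero) { continue }   # thread exited or access denied
            try {
                $start = [IntPtr]::Zero
                $status = [Native.Thr]::NtQueryInformationThread(
                    $h, $ThreadQuerySetWin32StartAddress, [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
                if ($status -ne 0) { continue }       # non-zero NTSTATUS: query failed
                $addr = $start.ToInt64()
                foreach ($m in $mods) {
                    $base = $m.BaseAddress.ToInt64()
                    # Start address inside [base, base + size) means the thread began in this module
                    if ($addr -ge $base -and $addr -lt $base + $m.ModuleMemorySize) {
                        [pscustomobject]@{ ProcessId = $proc.Id; ThreadId = $t.Id
                                           Module = $m.ModuleName; Offset = '0x{0:X}' -f ($addr - $base) }
                    }
                }
            } finally { [void][Native.Thr]::CloseHandle($h) }
        }
    }
}

Get-ThreadByStartModule -ModuleSubstring 'immersiveshell.serviceprovider'
```

The ThreadId values it returns are decimal, which is the form the ProcessHacker.exe -cobject argument quoted in the answers takes, and the Module and Offset columns let you confirm the match against what Process Hacker shows before acting on a thread.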