Contribute: an RKill script for remote sessions - need whitelist

ell said:
yeah, I tried that already on xp media ctr, fail, would like to see it some day, still working on ol' XP! thanks, :D
Click to expand...


Which version of XP did it work on for you? It was my understanding that MCE was based on XP Pro so it should have worked, interesting. Also did you copy tskill to the MCE version when you tried it? It might also be possible to copy taskkill.exe from vista/7 to XP, that would simplify things, however I have not tried that.
 
Last edited:
adam_chevyss said:
Which version of XP did it work on for you? It was my understanding that MCE was based on XP Pro so it should have worked, interesting. Also did you copy tskill to the MCE version when you tried it? It might also be possible to copy taskkill.exe from vista/7 to XP, that would simplify things, however I have not tried that.
Click to expand...

I only ran it on a vista (worked) and MCE (fail), I thought it would have worked too. This is what I ran on the MCE:

@echo off
title Kill all running apps - Bharat Balegere - AgniPulse.com
REM cd c:\windows\System32
for /f "skip=3 tokens=1" %%i in ('TASKLIST /FI "USERNAME eq %userdomain%\%username%" /FI "STATUS eq running"') do (
if not "%%i"=="svchost.exe" (
if not "%%i"=="explorer.exe" (
if not "%%i"=="cmd.exe" (
if not "%%i"=="tasklist.exe" (
if not "%%i"=="mbam.exe" (
if not "%%i"=="program.com" (
if not "%%i"=="program64.com" (
if not "%%i"=="teamviewer.exe" (
if not "%%i"=="Elsinore.ScreenConnect.GuestService.exe" (
if not "%%i"=="Elsinore.ScreenConnect.GuestClient.exe " (
echo.
tskill /f /im "%%i"
echo.
)
)
)
)
)
)
)
)
)
)
)
PAUSE
 
I don't have an MCE machine within access at the moment, could you go to the system32 folder and see if tskill is in there? Also could you remove the "REM" and run it again on the MCE machine if tskill is in there?


If I have time tonight after work I might try to copy taskkill from win 7 to a couple different flavors of XP to see if it works.
 
adam_chevyss said:
I don't have an MCE machine within access at the moment, could you go to the system32 folder and see if tskill is in there? Also could you remove the "REM" and run it again on the MCE machine if tskill is in there?


If I have time tonight after work I might try to copy taskkill from win 7 to a couple different flavors of XP to see if it works.
Click to expand...

yes it is, I removed the REM ran the bat again, maybe I'd better say I'm running MCE in virtualbox here is the error I get:

Invalid parameter(s)
Ends a process.

TSKILL processid | processname [/SERVER:servername] [/ID:sessionid | /A] [/V]

processid Process ID for the process to be terminated.
processname Process name to be terminated.
/SERVER:servername Server containing processID (default is current).
/ID or /A must be specified when using processname
and /SERVER
/ID:sessionid End process running under the specified session.
/A End process running under ALL sessions.
/V Display information about actions being performed.


Press any key to continue . . .

I just ran it on my XP Home bench and got this error:

'TASKLIST' is not recognized as an internal or external command,
operable program or batch file.
Press any key to continue . . .
 
Last edited:
For xp you have to change
Taskkill /f /im "%%i" to tskill "%%i"

Tskill doesn't recognize /f /im switches, just leave them out.
 
Last edited:
adam_chevyss said:
For xp you have to change
Taskkill /f /im "%%i" to tskill "%%i"

Tskill doesn't recognize /f /im switches, just leave them out.
Click to expand...

hmmm, I did this in MCE with and without the REM and got errors listing all the running processes I had, saying it could not find them:

@echo off
title Kill all running apps - Bharat Balegere - AgniPulse.com
cd c:\windows\System32
for /f "skip=3 tokens=1" %%i in ('TASKLIST /FI "USERNAME eq %userdomain%\%username%" /FI "STATUS eq running"') do (
if not "%%i"=="svchost.exe" (
if not "%%i"=="explorer.exe" (
if not "%%i"=="cmd.exe" (
if not "%%i"=="tasklist.exe" (
if not "%%i"=="mbam.exe" (
if not "%%i"=="program.com" (
if not "%%i"=="program64.com" (
if not "%%i"=="teamviewer.exe" (
if not "%%i"=="Elsinore.ScreenConnect.GuestService.ex e" (
if not "%%i"=="Elsinore.ScreenConnect.GuestClient.exe " (
echo.
tskill "%%i"
echo.
)
)
)
)
)
)
)
)
)
)
)
PAUSE
 
I just ran this same bat in XP Home, and got

'TASKLIST' is not recognized as an internal or external command,
operable program or batch file.
Press any key to continue . . .
 
I got the same thing. I even copied taskkill.exe to XP and it failed as well. It looks like XP just doesn't recognize the format of this script or something like that. I would ask in Automation and Scripting area if you want the pros to get this straightened out for you. One name that comes to mind in this area is Methical, you might pm him. I'm sure I could figure it out, but they can get you the answers faster.
 
Cleanup - Aisle 7

I'm going to ask if one of the moderators can clean up this thread. It's gone from the original point of creating a whitelist to a batch file tutorial.
 
eHousecalls.ca said:
A bunch of us do remote work and a bunch of us, at one point, want to be able to kill off a whole lotta files. Rkill is overkill 'cause it'll kill off our remote software. So, let's take this existing BAT and make one that should work for all well-known remote softwares.

EDIT: I've removed the original BAT file from this post as it was causing the thread to be completely hijacked. That discussion needs to be taken to the scripting forum.
Code: 
svchost.exe
explorer.exe
cmd.exe
tasklist.exe

[U][B]Scanners we want left untouched:[/B][/U]
mbam.exe
program.com
program64.com

[U][B]Remote softwares we want left untouched[/B][/U]
teamviewer.exe
TeamViewerQS_en.exe [I] (default file name)[/I]
Elsinore.[COLOR=SeaGreen]ScreenConnect[/COLOR].GuestService.exe
Elsinore.[COLOR=SeaGreen]ScreenConnect[/COLOR].GuestClient.exe
Click to expand...



I have TeamViewer buttons on my website and the quick support downloads "TeamViewerQS.exe" there is no reference to language which I assume "_en" means english. Do you get the TeamViewerQS_en.exe when you download it? I wonder if it has anything to do with being in different countries maybe?
 
I suggest putting CCleaner.exe and CCleaner64.exe in the whitelist as once the processes are stopped you could run CCleaner and possibly remove some or all of the infection if it is in a %temp% location.
 
I'll add CCleaner to the list. Good one. PureRa while I'm at it.

The TeamviewerQS_en.exe is right from TV's download page:
fcbf91f52eb1035481e6cf41bd6f2f67.png



Here's the thread discussing the original BAT file:
http://www.technibble.com/forums/showthread.php?t=10138
 
Very interesting I tried it from their site and I got what you got, with the _en I wonder why when I used their website to create buttons for my website I get a different version. Oh well that is for another thread as well.
 
You must log in or register to reply here.
Back
Top