Contribute: an RKill script for remote sessions - need whitelist

Xander

A bunch of us do remote work and a bunch of us, at one point, want to be able to kill off a whole lotta files. Rkill is overkill 'cause it'll kill off our remote software. So, let's take this existing BAT and make one that should work for all well-known remote softwares.

EDIT: I've removed the original BAT file from this post as it was causing the thread to be completely hijacked. That discussion needs to be taken to the scripting forum.
Code:
svchost.exe
explorer.exe
cmd.exe
tasklist.exe

Scanners (etc) we want left untouched:
mbam.exe
program.com
program64.com
ccleaner.exe
ccleaner64.exe
Purera.exe

Remote softwares we want left untouched:
teamviewer.exe
TeamViewerQS_en.exe (default file name)
TeamViewerQS.exe
Elsinore.ScreenConnect.GuestService.exe
Elsinore.ScreenConnect.GuestClient.exe
 
Hi Xander;

I have done this before... twice :)

In VBS

In VBS again - But it generates a restore.bat file so you can restore the terminated applications if needed.

Take what you want from these, and put it into your own.

Take whatever you want from any of my scripts, and use as your own as well.
 
Thanks, Methical - but the goal of this thread is to compile the names of the executables so that anyone doing remote support can have a single script regardless of which remote app they're using. The whitelist rather than the method. I threw in the batch itself so that no one else would have to dig it up. I may opt for the second VBS in the end but I wanted to see if we can get a good, universal whitelist compiled.
 
I WAS interested in such a list for KillEmAll as well, for a short time......

HOWEVER.....

The issue I ran into while trying to support the various remote software packages out there, is that everyone's might be UNIQUE....

i.e. my day job uses Teamviewer. So is that Teamviewer.exe, TeamviewerQS.exe, or what? Neither. They have renamed the app "CPU Support.exe" as I'm sure have most people who use a custom branded Teamviewer quick support. And then what about other remote software packages, do people have them custom-named as well? The only solution seems to be MD5 or some other method of identifying the EXE; however that will change from version to version in all apps, and still would change for custom branded Teamviewer quick support EXEs...

So I quickly gave up, and just excluded the app that WE use and not worry about all the others out there... So officially KillEmAll will target your remote support app, unfortunately, but not mine.

You can't please everyone all of the time.
 
True, we can't foresee everybody who customizes the name of their app but, given that we do have a lot of folks with various levels of experience, ("I've got years of experience but what is 'imaging' ?") so, by making a more-or-less Master list, it might help some.
 
@FoolishTech - Is there any way to add to KillEmAll's whitelist ourselves? That would be nice because I like using KillEmAll. It seems to do what I want other than terminating my remote software as you mentioned because it is renamed.
 
As you know there is currently no user accessible whitelist for KillEmAll... I originally made the decision to bury the whitelist inside the code instead of using an external (and user editable) file, merely for speed of execution, which is very important for it to do its job before the malware kills KillEmAll!

But I realize there are other good reasons to run KillEmAll not just for terminating the malware that terminates other processes...

So you're making me revisit the idea of a user editable whitelist... I'll see what I can come up with. I'm working on another addition to D7 at the moment but when I get finished with this, I'll look into the possibility of a KillEmAll whitelist.
 
That's ok. I was just wondering. If it's going to cripple KillEmAll in any way then I would just keep it the way it is. I'll just use this RKill script for my remote sessions. Thanks for all your work, FoolishTech tho.
 
It's been a productive day! I got my first new D7 addition about half-way in place, and I also checked out the KEA idea.

I haven't run any speed tests on the code, but I did implement a whitelist for you.

I have KEA check for a whitelist and if it doesn't exist, it will continue its default behavior with no impact on performance; however, if it does find the whitelist, it will use it accordingly; the impact on performance should be minimal in this case, providing your whitelist is small.

As a side note, although KEA does block certain processes if they aren't in the proper directory (e.g. svchost.exe and other Windows processes), the KEA whitelist will be generic and not specific to any predetermined paths; meaning you add the executable name only, no path, and it will be allowed no matter what directory it is in.

I will have it polished and ready for release soon.
 
Sounds GREAT! You're the MAN! Thanks so much for your hard work! Have a good day sir.
 
I'm a noob when it comes to scripting, anyways I copied and pasted the script above into Notepad and named it rkill_remote.bat. Then I connected remotely to a Vista machine and started Chrome and Google Earth, then transferred the bat over and ran it, a black box for a second then nothing. Did I miss something? Shouldn't Chrome and Earth have been closed?
 
One thing to keep in mind is taskkill is for Vista or 7 as XP had tskill on Professional. Now since you're using Vista it should have worked. You might try typing REM and then put a space before cd C:\Windows\System32 like this.

REM CD C:\Windows\System32.
That will make it ignore that line, not sure if it will make a difference, but worth a try. You could also type PAUSE at the end of the batch file. This will make the black window stay open once the process is done allowing you to see errors.

edit: duh, taskkill is located in system32, but should still work without going to that directory.
 
Still same issue, did I do it right?:

@echo off
title Kill all running apps - Bharat Balegere - AgniPulse.com
REM cd c:\windows\System32
for /f "skip=3 tokens=1" %%i in ('TASKLIST /FI "USERNAME eq %userdomain%\%username%" /FI "STATUS eq running"') do (
if not "%%i"=="svchost.exe" (
if not "%%i"=="explorer.exe" (
if not "%%i"=="cmd.exe" (
if not "%%i"=="tasklist.exe" (
if not "%%i"=="mbam.exe" (
if not "%%i"=="program.com" (
if not "%%i"=="program64.com" (\
if not "%%i"=="teamviewer.exe" (\
if not "%%i"=="Elsinore.ScreenConnect.GuestService.exe" (
if not "%%i"=="Elsinore.ScreenConnect.GuestClient.exe" (
REM ^^ THIS IS WHERE WE ADD ALL THE FILENAMES WE DON'T WANT KILLED
echo.
taskkill /f /im "%%i"
echo.
)
)
)
)
)
)
REM We might also want to throw in some basic registry fixes for
REM things like resetting proxies and whatnot.
PAUSE
 
Looks good as for the changes, I didn't look the script over real well the first time, but I see this now.

if not "%%i"=="program64.com" (\
if not "%%i"=="teamviewer.exe" (\
if not "%%i"=="Elsinore.ScreenConnect.GuestService.ex e" (

Remove the \ from the first two lines and remove the space on the .ex e on the third line to be .exe and see what happens.

I'm running the bat on a 32bit vista from a 64bit vista.
 
That is fine, as long as you copy the .bat to the client machine and run it from there it should work.

I also added more ) at the end to match the "whitelist"

@echo off
title Kill all running apps - Bharat Balegere - AgniPulse.com
REM cd c:\windows\System32
for /f "skip=3 tokens=1" %%i in ('TASKLIST /FI "USERNAME eq %userdomain%\%username%" /FI "STATUS eq running"') do (
if not "%%i"=="svchost.exe" (
if not "%%i"=="explorer.exe" (
if not "%%i"=="cmd.exe" (
if not "%%i"=="tasklist.exe" (
if not "%%i"=="mbam.exe" (
if not "%%i"=="program.com" (
if not "%%i"=="program64.com" (
if not "%%i"=="teamviewer.exe" (
if not "%%i"=="Elsinore.ScreenConnect.GuestService.exe" (
if not "%%i"=="Elsinore.ScreenConnect.GuestClient.exe " (
echo.
taskkill /f /im "%%i"
echo.
)
)
)
)
)
)
)
)
)
)
)
PAUSE
 
I don't know why the space is still showing up in the .exe towards the bottom, but that cannot be there so make sure to check it in your batch file.
 
Awesome! worked perfectly! What do I need to change to get it to work with XP?
 
This line: taskkill /f /im "%%i" needs to be tskill "%%i"

Note: as far as I know XP Home doesn't have tskill, only Pro does. You could always copy tskill.exe from a Pro version and move it to Home, but might not be so easy since it is an exe file in some cases.

edit: if you copy tskill you would have to put it in C:\Windows\System32 because that is where the batch file is looking for it. Or you could put it anywhere you want, but you have to modify this line to reflect it: cd c:\windows\System32
 
yeah, I tried that already on xp media ctr, fail, would like to see it some day, still working on ol' XP! thanks, :D
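
Added example, not code from this thread or from KillEmAll: a PowerShell dry run of the whitelist idea that keeps a process either by file name or by Authenticode publisher, so a renamed support client such as the "CPU Support.exe" case above can still match without tracking hashes per version. Publisher matching goes beyond the thread's name-only list; the names, the publisher subject and the helpers Get-SignerSubject and Test-Keep are constructed for illustration, and it assumes the renamed binary still carries its vendor's valid signature.

```powershell
# Constructed allowlists: replace with the tools you actually use.
$KeepNames   = @('explorer.exe', 'powershell.exe', 'conhost.exe', 'mbam.exe')
$KeepSigners = @('CN=Example Remote Support Vendor')   # hypothetical publisher subject

function Get-SignerSubject {
    param([string]$Path)
    # Empty string when the path is unreadable or the signature is not valid.
    if (-not $Path) { return '' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -eq 'Valid') { return $sig.SignerCertificate.Subject }
    return ''
}

function Test-Keep {
    param([string]$ImageName, [string]$SignerSubject,
          [string[]]$Names, [string[]]$Signers)
    # Name match is case-insensitive but trusts whatever the file is called.
    if ($Names -contains $ImageName) { return $true }
    # Publisher match survives renaming and version changes.
    foreach ($s in $Signers) {
        if ($SignerSubject -and
            $SignerSubject.StartsWith($s, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Current session only (similar to the batch file's USERNAME filter); skip this shell.
$session = (Get-Process -Id $PID).SessionId
Get-Process | Where-Object { $_.SessionId -eq $session -and $_.Id -ne $PID } |
    ForEach-Object {
        # Use the real file name so images with spaces or .com extensions are kept intact.
        $image = if ($_.Path) { Split-Path -Leaf $_.Path } else { "$($_.ProcessName).exe" }
        if (Test-Keep $image (Get-SignerSubject $_.Path) $KeepNames $KeepSigners) {
            "KEEP  $image"
        } else {
            "KILL  $image (PID $($_.Id))"
            Stop-Process -Id $_.Id -Force -WhatIf   # dry run; drop -WhatIf to act
        }
    }
```

A name-only entry keeps any file that carries that name, whatever directory it runs from, so the publisher list is the stricter of the two checks.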
 