Old 14th November 2005, 18:31   #1
Instructor
Major Dude
 
Join Date: Jul 2004
Posts: 671
nsProcess plugin

Features:
- Find/kill a process by name
- Kill all processes with specified name (not only one)
- The process name is case-insensitive
- Win95/98/ME/NT/2000/XP support
- Small plugin size (4,5 Kb)

Source function FIND_PROC_BY_NAME is based upon the Ravi Kochhar code.
Thanks to iceman_k (FindProcDLL plugin) and
DITMan (KillProcDLL plugin) for directing me.


"nsProcess" plugin v1.0
Attached Files
File Type: zip nsprocess.zip (9.3 KB, 2493 views)
Old 14th November 2005, 23:46   #2
JasonFriday13
Major Dude
 
Join Date: May 2005
Location: New Zealand
Posts: 853
You just keep churning out the plugins. Good one.

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Old 15th November 2005, 15:50   #3
Comm@nder21
Major Dude
 
Join Date: Jul 2003
Location: germany, b-w
Posts: 734
you just rock, man.
this will revolutionize my installers

maybe i should collect all the good plugins into a package one day, so everyone may download and set them up easily ...
Old 15th November 2005, 16:22   #4
Instructor
Major Dude
 
Join Date: Jul 2004
Posts: 671
Thanks
Old 16th November 2005, 14:14   #5
onad
Senior Member
 
Join Date: Dec 2004
Location: Turkey
Posts: 447
Good to see "Win95/98/ME" support, thanks man!

"Just do it"
Old 20th November 2005, 13:55   #6
deguix
Major Dude
 
Join Date: Dec 2002
Location: Everett - MA, USA
Posts: 1,354
Quote:
you just rock, man.
this will revolutionize my installers

maybe i should collect all the good plugins into a package one day, so everyone may download and set them up easily ...
Another good idea would be making function standards and including those in a global header for easier and practical use.

Old 21st November 2005, 16:44   #7
Comm@nder21
Major Dude
 
Join Date: Jul 2003
Location: germany, b-w
Posts: 734
... and include this header file together with the plugins into the package ...
Old 4th January 2006, 15:14   #8
Instructor
Major Dude
 
Join Date: Jul 2004
Posts: 671
Fixed: removed CRT dependency (Windows 95 by default does not have msvcrt.dll)


"nsProcess" plugin v1.1
Attached Files
File Type: zip nsprocess.zip (12.1 KB, 1419 views)
Old 11th March 2006, 06:38   #9
Instructor
Major Dude
 
Join Date: Jul 2004
Posts: 671
Changed: The plugin now uses the header "nsProcess.nsh" for custom user variables and
              better compile error checking.

Update from previous versions:
         - Insert line in script:
            !include "nsProcess.nsh"
         - Replace:
            nsProcess::FindProcess -> ${nsProcess::FindProcess} ...
         - Replace:
            .r0 -> $0, .r1 -> $1 ... .R0 -> $R0, .R1 -> $R1 ...

"nsProcess" plugin v1.2
Attached Files
File Type: zip nsprocess.zip (23.2 KB, 1242 views)
Old 21st April 2006, 13:38   #10
{_trueparuex^}
Senior Member
 
Join Date: Dec 2005
Location: Glow
Posts: 285
About the code

What is the benefit of using PSAPI for WinNT/2000/XP? Shouldn't the Win95/98/ME method work just as fine in this case?

Edit: Never mind. It's Toolhelp32.dll that Windows NT does not have.
Old 21st April 2006, 14:48   #11
{_trueparuex^}
Senior Member
 
Join Date: Dec 2005
Location: Glow
Posts: 285
Hmm, in the Win95/98/ME method the hSnapShot HANDLE is left open if the process was found and bTerminate is FALSE.
Old 21st April 2006, 15:27   #12
Instructor
Major Dude
 
Join Date: Jul 2004
Posts: 671
Quote:
Hmm, in the Win95/98/ME method the hSnapShot HANDLE is left open if the process was found and bTerminate is FALSE.
You are right, fixed.
Old 21st April 2006, 15:49   #13
Instructor
Major Dude
 
Join Date: Jul 2004
Posts: 671
Fixed: removed memory leak.


"nsProcess" plugin v1.3
Attached Files
File Type: zip nsprocess.zip (23.3 KB, 1232 views)
Old 21st April 2006, 16:10   #14
rxs2k5
Member
 
Join Date: Apr 2006
Posts: 66
hmm I do not understand, can this plugin kill current open notepad ???

Is this able to find notepad that is currently running and kill it immediately ???
Old 22nd April 2006, 10:55   #15
{_trueparuex^}
Senior Member
 
Join Date: Dec 2005
Location: Glow
Posts: 285
Quote:
Originally posted by rxs2k5
hmm I do not understand, can this plugin kill current open notepad ???

Is this able to find notepad that is currently running and kill it immediately ???
Yes and yes.

The guy with the ridiculous username. Thou shall call him PaR instead.
Old 23rd April 2006, 17:53   #16
rxs2k5
Member
 
Join Date: Apr 2006
Posts: 66
How do I create the following thing?
1. remove the loop
2. find the processes to find notepad, wordpad means in multiple form and single finding
3. kill all the following process after finding its existence
Quote:
Section /o "Kill process" KillProcess
loop:
${nsProcess::FindProcess} "NoTePad.exe" $R0
StrCmp $R0 0 0 +2
MessageBox MB_OKCANCEL|MB_ICONEXCLAMATION 'Close "notepad" before continue' IDOK loop IDCANCEL end

${nsProcess::KillProcess} "NoTePad.exe" $R0
MessageBox MB_OK "nsProcess::KillProcess$\n$\n\
Errorlevel: [$R0]"
Exec "notepad.exe"
Exec "notepad.exe"
Exec "notepad.exe"
BringToFront
MessageBox MB_OK "Press OK and 3 notepad's windows will be closed"

${nsProcess::KillProcess} "NoTePad.exe" $R0
MessageBox MB_OK "nsProcess::KillProcess$\n$\n\
Errorlevel: [$R0]"

end:
${nsProcess::Unload}
SectionEnd
rxs2k5 is offline   Reply With Quote
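One way to do what post #16 asks (check several processes and close every instance of each, without the MessageBox retry loop), as an added example that is not part of the original thread or the plugin's own samples. The macro name CloseIfRunning, the variable $KillFailures and the output file name are hypothetical; only a return value of 0 is treated as success, and any other code is reported as-is for lookup in the plugin's Readme.txt.

```nsis
; Added example, not the plugin author's code.
; Assumes nsProcess v1.2 or later with nsProcess.nsh on the include path.
!include "LogicLib.nsh"
!include "nsProcess.nsh"

Name "nsProcess example"
OutFile "close_apps_example.exe"   ; hypothetical output name
ShowInstDetails show

Var KillFailures   ; hypothetical counter: processes that could not be closed

; Find one process by its full executable name and, only if it is running,
; kill every instance of it. Results are logged instead of prompting in a loop.
; Pass the complete name: a shortened name can match unintended processes.
!macro CloseIfRunning EXE
  ${nsProcess::FindProcess} "${EXE}" $R0
  ${If} $R0 == 0                          ; 0 = process found
    ${nsProcess::KillProcess} "${EXE}" $R1
    ${If} $R1 == 0                        ; 0 = all instances closed
      DetailPrint "${EXE}: closed"
    ${Else}
      ; Non-zero codes are documented in the plugin's Readme.txt
      DetailPrint "${EXE}: could not be closed (code $R1)"
      IntOp $KillFailures $KillFailures + 1
    ${EndIf}
  ${Else}
    DetailPrint "${EXE}: not running (code $R0)"
  ${EndIf}
!macroend

Section "Close running applications"
  StrCpy $KillFailures 0
  ; One line per process to check; names taken from the question above.
  !insertmacro CloseIfRunning "notepad.exe"
  !insertmacro CloseIfRunning "wordpad.exe"
  ${nsProcess::Unload}                    ; unload the plugin DLL once, at the end

  ; Stop the install rather than continue over files that are still in use.
  ${If} $KillFailures > 0
    MessageBox MB_OK|MB_ICONEXCLAMATION "$KillFailures application(s) are still running. Close them and run setup again."
    Abort
  ${EndIf}
SectionEnd
```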
Old 14th July 2006, 14:47   #17
oleksa
Junior Member
 
Join Date: Jul 2006
Posts: 6
error code 603

I downloaded this plugin and tested it. The test install script always returns Error level 603 if I run the script on its own or with calc.exe.

Help me please! What does this error mean? Where can I find the error code list?

Thank you.
I have Windows XP prof x64.
Old 14th July 2006, 16:03   #18
Instructor
Major Dude
 
Join Date: Jul 2004
Posts: 671
Quote:
Help me please! What does this error mean? Where can I find the error code list?
In the Readme.txt. Unfortunately I can't test it on WinXP x64.
Old 17th July 2006, 13:13   #19
oleksa
Junior Member
 
Join Date: Jul 2006
Posts: 6
I've found that EnumProcessModules fails when it is called for 64-bit applications (calc.exe is a 64-bit application) on a 64-bit OS with error

299
ERROR_PARTIAL_COPY
Only part of a ReadProcessMemory or WriteProcessMemory request was completed.

I will try to find solution for this problem.
Old 17th July 2006, 14:40   #20
oleksa
Junior Member
 
Join Date: Jul 2006
Posts: 6
Hello Instructor.
It's me again.

Have you tried the CreateToolhelp32Snapshot, Process32First, Process32Next functions on NT platforms? It works fine on my computer (I'm administrator). These functions are located in kernel32.dll, as MSDN says: no psapi is required and it should work on Win95/98, WinNT, Win2000 and Windows XP.

Why are OpenProcess and EnumProcessModules used for NT-like OSes now (Windows 2000, XP, 2003)? Only for Windows NT 4.0 support?
Old 17th July 2006, 17:29   #21
{_trueparuex^}
Senior Member
 
Join Date: Dec 2005
Location: Glow
Posts: 285
@oleksa
Could you try this. I removed the PSAPI and OS check and now it's using only the "Win95/98" method.
Attached Files
File Type: zip nsprocess_no_psapi_test_only.zip (23.9 KB, 995 views)

Old 18th July 2006, 06:49   #22
oleksa
Junior Member
 
Join Date: Jul 2006
Posts: 6
Hello {_trueparuex^}

Yes - that sample code (based on the CreateToolhelp32Snapshot, Process32First, Process32Next functions) works fine on my computer. To keep Windows NT 4.0 compatibility I suggest rewriting the OS check from
code:
if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT)

to
code:
if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion <= 4)

This check should be true only on Windows NT (as MSDN says). So on NT the code that gets process names with PSAPI will run.
Windows 95, 98, Me, 2000, 2003 and XP should support the Tool Help functions.

Last edited by oleksa; 18th July 2006 at 07:42.
Old 18th July 2006, 10:30   #23
{_trueparuex^}
Senior Member
 
Join Date: Dec 2005
Location: Glow
Posts: 285
Good. I have my own NSIS unrelated stuff based on the same code... But there is one major disadvantage in CreateToolhelp32Snapshot method. It doesn't work with file names longer than 15 characters. So trying to kill process with name like this "ThisIsPrettyLongName.exe" won't work. One solution would be simply to limit the file names to 15 characters, but that could cause unintended processes to be killed.

So let's see what Instructor comes up with.

Old 19th July 2006, 13:36   #24
Instructor
Major Dude
 
Join Date: Jul 2004
Posts: 671
oleksa can you test it on the x64

Fixed: WinNT 4.0 by default doesn't have PSAPI.DLL. Code for WinNT/2000/XP has
          been rewritten (using NTDLL.DLL). Note: on WinNT 4.0 process name limited
          to 15 characters.
Changed: error codes.


"nsProcess" plugin v1.4
Attached Files
File Type: zip nsprocess.zip (26.3 KB, 991 views)
Old 19th July 2006, 13:56   #25
oleksa
Junior Member
 
Join Date: Jul 2006
Posts: 6
Instructor, it works fine, thank you.
It looks for calc.exe (603 if the process hasn't been started and 0 if the process has been started),
checks whether notepad.exe is running and closes all three notepads successfully.

Thank you.
Old 24th July 2006, 06:58   #26
oleksa
Junior Member
 
Join Date: Jul 2006
Posts: 6
Quote:
But there is one major disadvantage in CreateToolhelp32Snapshot method. It doesn't work with file names longer than 15 characters. So trying to kill process with name like this "ThisIsPrettyLongName.exe" won't work.
To {_trueparuex^}:
How could you know that the CreateToolhelp32Snapshot method won't work?

I have tested it and all works fine:
code:
PROCESS NAME: AcroRd32.exe
PROCESS NAME: devenv.exe
PROCESS NAME: mspdbsrv.exe
PROCESS NAME: ThisIsPrettyLongName.exe


I could post test code (from MSDN) here or send you e-mail as you wish.

Good bye.
Old 24th July 2006, 14:18   #27
{_trueparuex^}
Senior Member
 
Join Date: Dec 2005
Location: Glow
Posts: 285
Quote:
Originally posted by oleksa
To {_trueparuex^}:
How could you know that the CreateToolhelp32Snapshot method won't work?

I have tested it and all works fine:
code:
PROCESS NAME: AcroRd32.exe
PROCESS NAME: devenv.exe
PROCESS NAME: mspdbsrv.exe
PROCESS NAME: ThisIsPrettyLongName.exe


I could post test code (from MSDN) here or send you e-mail as you wish.

Good bye.
I wasn't aware of this before, but that 15 characters name limitation is only in win2k or older.


@Instructor
That 15-character name limitation is also in Windows 2000 when using NTDLL.DLL. PSAPI didn't have that limitation.

Old 2nd August 2006, 03:11   #28
dienjd
Senior Member
 
Join Date: Oct 2005
Posts: 189
Instructor,
There is a spyware app with a DLL that has the same name as this plug-in:
http://www3.ca.com/securityadvisor/p...x?id=453097507

This is too bad...I don't know of a way around having your plug-in associated with adware other than renaming it.

Those of you who are already using it may want to rename it to avoid having your installer raise anti-virus/spy flags when running.
Old 31st August 2006, 08:50   #29
Instructor
Major Dude
 
Join Date: Jul 2004
Posts: 671
Fixed: removed memory leak in WinNT/2000/XP method.


"nsProcess" plugin v1.5
Attached Files
File Type: zip nsprocess.zip (25.2 KB, 1045 views)
Old 3rd October 2006, 13:16   #30
CharlesB2
Junior Member
 
Join Date: Feb 2005
Location: Orsay, France
Posts: 10
Quote:
Originally posted by Instructor
Fixed: removed memory leak in WinNT/2000/XP method.


"nsProcess" plugin v1.5
Hey,

Since recent update of McAfee VirusScan, the use of a previous nsProcess version was detected as a Trojan (generic prockill.a)!! The last version (1.5) does not cause the problem. Thanks a lot!

Cheers
Old 27th October 2006, 00:02   #31
jpodtbc
Junior Member
 
Join Date: Oct 2006
Posts: 13
problem trying to kill a service process. i can find the process but when i try to kill it i get return code 601 (no permission to kill process). i am running the installer as an administrator and can kill the process manually.

please help.
Old 27th October 2006, 09:43   #32
{_trueparuex^}
Senior Member
 
Join Date: Dec 2005
Location: Glow
Posts: 285
Killing service like that is really not very smart. Rather try to stop it with some of these methods.
http://nsis.sourceforge.net/How_do_I...heck_a_service

Old 27th October 2006, 16:21   #33
jpodtbc
Junior Member
 
Join Date: Oct 2006
Posts: 13
thanks but i already have service control implemented in the installer. the problem is when the service is unresponsive and cannot be shut down any other way. i think we can all agree that it is bad to have the installer hang indefinitely.
Old 27th October 2006, 16:57   #34
jpodtbc
Junior Member
 
Join Date: Oct 2006
Posts: 13
i found a solution by modifying the nsProcess source code and using code provided here:
http://www.alexfedotov.com/articles/killproc.asp?pane=0
Old 20th November 2006, 17:42   #35
hbatista
Junior Member
 
Join Date: Oct 2006
Posts: 15
Hi jpodtbc, I'm having the exact same problem as you.
Could you be so kind to post your solution here?
Thanks a lot
Old 21st November 2006, 11:00   #36
hbatista
Junior Member
 
Join Date: Oct 2006
Posts: 15
I ended up changing it myself. Here is the source code and dll if someone wants to use it.
Attached Files
File Type: zip nsprocess_modified.zip (6.5 KB, 936 views)
Old 22nd November 2006, 16:28   #37
jpodtbc
Junior Member
 
Join Date: Oct 2006
Posts: 13
thanks man...i was about to put up my modified source but you beat me to it.
Old 27th November 2006, 14:42   #38
hbatista
Junior Member
 
Join Date: Oct 2006
Posts: 15
No problem, I was facing a really tight deadline so I had to go for it.
Old 4th February 2007, 11:02   #39
Whizz
Junior Member
 
Join Date: Feb 2007
Posts: 5
Trojan AV Trigger

Quote:
Originally posted by CharlesB2
Hey,

Since recent update of McAfee VirusScan, the use of a previous nsProcess version was detected as a Trojan (generic prockill.a)!! The last version (1.5) does not cause the problem. Thanks a lot!

Cheers
This is still happening, even with 1.5 of nsProcess. It is being detected as HackTool.ProcKill.A by several AV packages.

Is there any chance of a major change with this DLL to prevent this detection? The DLL itself is really useful, but it looks like someone has used it for less than honest purposes.

I have had to take it out of several of my installers until this can be fixed.
Old 4th February 2007, 22:20   #40
CharlesB2
Junior Member
 
Join Date: Feb 2005
Location: Orsay, France
Posts: 10
Re: Trojan AV Trigger

Quote:
Originally posted by Whizz
This is still happening, even with 1.5 of nsProcess. It is being detected as HackTool.ProcKill.A by several AV packages.

Is there any chance of a major change with this DLL to prevent this detection? The DLL itself is really useful, but it looks like someone has used it for less than honest purposes.
The best way to handle the problem is to recompile the DLL by removing the function that kills a process, since I believe it is the one that is used by trojans. I have done it myself, if you're interested I can put it on the wiki...

Cheers