View Windows Memory


  • View Windows Memory

    Good day all. Would anyone know how to kill non-windows programs running in memory? Using the Windows utility mem such as mem /p displays the programs running in memory, but how do we kill one and also how do we prevent these from loading in w2k? By "non-windows" programs I am referring to TSRs and such.

    Thanks for any feedback.
    Last edited by Dansk; 23rd January 2008, 06:47.

  • #2
    Re: View Windows Memory

    Would be nice if we could know what OS you are talking about and what exactly you are hunting...

    Sorin Solomon


    In order to succeed, your desire for success should be greater than your fear of failure.


    • #3
      Re: View Windows Memory

      Sorin, it looks like it's w2k.

      Can't you just use task manager and end the task you don't want running??? Process Explorer is another you could use.

      As for stopping things starting up you would need to go through your startup folders, registry, services and either remove or stop them loading.

      BTW I hope this isn't on a server.



      • #4
        Re: View Windows Memory

        wullieb1, you are correct, it is w2k. Unfortunately, task manager and similar programs only show windows processes. TSRs (which is what I am hunting) are non-windows, which is why I can't kill them with tm.

        Process Explorer does show DOS programs, as I just verified. But not all machines have this installed. There must be a command line way to do it, it would seem.



        • #5
          Re: View Windows Memory

          I would go for PSTools then ...
          BTW, Process Explorer does not need installation, it's just a plain EXE ...
          Last edited by biggles77; 23rd January 2008, 09:06. Reason: Made link more visible for Dansk. :-)

          Sorin Solomon




          • #6
            Re: View Windows Memory

            I appreciate the feedback, but none of this shows the full picture. To see for yourself, run Process Explorer and then mem /p. You will get different results ... or at least I do. There are programs running that I can see using mem that simply don't show using pe.



            • #7
              Re: View Windows Memory

              You asked for a command line utility, so I suggested PSTools (once Sysinternals, now Microsoft). Have you seen the link?

              Sorin Solomon




              • #8
                Re: View Windows Memory

                Yes, and have been using this for many years. I went to the link and there are a few new tools there. Which one in particular were you thinking of?

                My thoughts on this though are how can we use windows tools to kill a non-windows process, such as a TSR?

                Another thought is not so many years ago we used to load TSRs through config.nt or config.sys. I am certain that this is likely done now through the registry, but how and where to look? If I knew I could prevent this from loading.

                Where is Mark Russinovich when you need him
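
Post #8 above asks where resident DOS programs get loaded from. On Windows 2000 each NTVDM session reads config.nt and autoexec.nt from %SystemRoot%\system32, so those two files can be audited directly. The following is an added example, not part of the original thread: the baseline set, the function names and the sample file contents are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: names loaded by a stock Windows 2000 config.nt / autoexec.nt.
BASELINE = {"himem", "mscdexnt", "redir", "dosx", "nw16", "vwipxspx"}
# Built-in commands that load nothing (autoexec.nt is processed like a batch file).
BUILTINS = {"set", "echo", "path", "prompt", "cls", "break", "verify"}
CONFIG_LOAD = re.compile(r"^(?:device|devicehigh|install)\s*=\s*(\S+)", re.I)
AUTOEXEC_LOAD = re.compile(r"^(?:(?:lh|loadhigh)\s+)?(\S+)", re.I)

def loaded_programs(text, kind):
    """Return the program paths that a 'config' or 'autoexec' .nt file loads."""
    paths = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("@").strip()
        if not line or re.match(r"rem(\s|$)", line, re.I):
            continue  # blank line or comment
        pattern = CONFIG_LOAD if kind == "config" else AUTOEXEC_LOAD
        m = pattern.match(line)
        if m and m.group(1).lower() not in BUILTINS:
            paths.append(m.group(1))
    return paths

def unexpected(paths):
    """Keep entries whose base name (extension dropped) is not in BASELINE."""
    return [p for p in paths
            if ntpath.splitext(ntpath.basename(p))[0].lower() not in BASELINE]

# Constructed sample files: stock lines plus one added entry in each.
SAMPLE_CONFIG = r"""REM config.nt
dos=high, umb
device=%SystemRoot%\system32\himem.sys
files=40
device=C:\APPS\VENDOR\HOOK.SYS
"""
SAMPLE_AUTOEXEC = r"""@echo off
lh %SystemRoot%\system32\mscdexnt.exe
lh %SystemRoot%\system32\redir
lh %SystemRoot%\system32\dosx
SET BLASTER=A220 I5 D1 P330 T3
lh C:\APPS\VENDOR\RESIDENT.COM /q
"""

if __name__ == "__main__":
    for kind, text in (("config", SAMPLE_CONFIG), ("autoexec", SAMPLE_AUTOEXEC)):
        for path in unexpected(loaded_programs(text, kind)):
            print(kind + ".nt loads non-baseline entry:", path)
```

To audit a real machine, read the two files from %SystemRoot%\system32 instead of the sample strings and adjust BASELINE to match a known-good build.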



                • #9
                  Re: View Windows Memory

                  I don't get it...
                  What exactly are you looking for here?
                  You say it is Windows 2000 we're talking about ... There's no TSR in Windows 2000. There is no DOS prompt that you can run DOS programs from before the kernel kicks in... This said, the program you are running has to start from somewhere in the Win2000 system.
                  Process Explorer should give you a list of processes running on your computer, including their full tree. Any old (DOS/16bit) applications should show under an instance of NTVDM.
                  There are quite a few places a program can kick in from. Doing the search manually is not efficient at all.
                  I would suggest you take a look at AutoRuns from the same good ol' Mark Russinovich.

                  Sorin Solomon




                  • #10
                    Re: View Windows Memory

                    Originally posted by sorinso:
                    > I don't get it...
                    > What exactly are you looking for here?

                    TSRs loaded by certain programs installed on the system.

                    > You say it is Windows 2000 we're talking about ... There's no TSR in Windows 2000. There is no DOS prompt that you can run DOS programs from before the kernel kicks in... This said, the program you are running has to start from somewhere in the Win2000 system.

                    You're partially right. Actually, you can load almost any program to run as a TSR provided you have sufficient memory. Windows does load some programs into memory on boot that run as TSRs. To view these from the command line type "mem /p" to see what's loaded into memory and the memory address. In the '70's, due to the very limited amount of space on HDD's then, running programs as TSRs from memory and creating virtual disks in reserved memory space was a common practice. Thank God we don't have to do this anymore, because it was certainly a pain to set up.

                    > Process Explorer should give you a list of processes running on your computer, including their full tree. Any old (DOS/16bit) applications should show under an instance of NTVDM.

                    It doesn't and they don't. At least not all of them.

                    > There are quite a few places a program can kick in from. Doing the search manually is not efficient at all.

                    Agreed.

                    > I would suggest you take a look at AutoRuns from the same good ol' Mark Russinovich.

                    This is the best suggestion yet. I haven't tried it, but I did read the synopsis before downloading it and this is probably one of the best investigative tools that I could find. Thanks much for a point in the right direction.



                    • #11
                      Re: View Windows Memory

                      Well, I still cannot say that I have a clear picture, but I am glad to hear you found something useful in my posts.
                      Good luck and keep the forum posted, please.

                      Sorin Solomon




                      • #12
                        Re: View Windows Memory

                        Perhaps you could give us a name or two of the non Windows TSRs you seem to be looking for as this thread seems to be going round in circles. Perhaps it too should become a TSR.
                        1 1 was a racehorse.
                        2 2 was 1 2.
                        1 1 1 1 race 1 day,
                        2 2 1 1 2



                        • #13
                          Re: View Windows Memory

                          Originally posted by sorinso:
                          > Well, I still cannot say that I have a clear picture, but I am glad to hear you found something useful in my posts.
                          > Good luck and keep the forum posted, please.

                          I will. The AutoRun seems to be the investigative tool that I need to at least track down the source.

                          Biggles77, DOS typically runs as a TSR as does your entire com spec and system I/O drivers. Don't get hung up on names rather than the problem. This is all that is relevant here.



                          • #14
                            Re: View Windows Memory

                            I'm sorry to say that, but I feel I cannot assist here anymore. Every new post of yours is more ambiguous than the previous.
                            Good luck.

                            Sorin Solomon

