My dilemma starts with the output of WMIC command.
I am trying to get the whole command line of a PID with this command:
wmic process where processID=12345 get commandLine > command.txt
and the output I get looks something like this:
_C o m m a n d L i n e
n o t e p a d q . b a t
Everything that shows as white-space is actually a null character (0x00) in the file when I examine the file with a hex editor.
Purpose of the batch file I want to write is to kill PIDs which are of notepad and the file opened by it matches a certain pattern. Say I am running 20 notepad sessions and 8 of them are like this :
notepad JOHNoutput0123
...
notepad MARYoutput2385453
so I want to kill any notepad session with the string "output" in it.
If I can collapse the command.txt file, with no spaces between characters, I can make a string comparison and if it is notepad editing something with output in its name, I can kill the session.
I am all ears for a better solution I am not aware of yet as well.
Thanks
Notepad is nice enough to put the filename in the window title, and taskkill accepts wildcards, so you can just do
taskkill /fi "imagename eq notepad.exe" /fi "windowtitle eq *output*"
Notepad is nice enough to put the filename in the window title, and taskkill accepts wildcards, so you can just do
taskkill /fi "imagename eq notepad.exe" /fi "windowtitle eq *output*"
Notepad was an example. The command I am dealing with is very esoteric. It is something I have to do for work. Every job runs under a command prompt and unless the process gets killed, the command window stays open. With 25+ cmd windows on the desktop, it is hard to find which one was running what. So, my only option to get these command line arguments is WMIC, as I do not want to venture into PowerShell at this time.
Since you've already got the PIDs, just pass them to taskkill.
taskkill /PID 12345 /T
or whatever the PID is instead of 12345
Last edited by Shadow Thief (21 Feb 2021 06:37)
Since you've already got the PIDs, just pass them to taskkill.
taskkill /PID 12345 /T
or whatever the PID is instead of 12345
Wish it would be that simple.
Going with the notepad example, say I have 25 different notepad sessions open but only 8 of them are editing documents that I do not care about and want them gone. I want the remaining 17 notepad sessions to stay running. The 25 sessions count here is a hypothetical number. My application can launch fewer or more instances.
I could not find a better way to determine the command line arguments other than the WMIC command I mentioned in my original question, the output of which is not optimal.
Going back to my original question, is there a way to remove nul (0x00) characters from a file or from a string value assigned to a variable?
They aren't null characters but HIBYTEs of UTF-16LE. So it seems you're looking for a way to either a) make wmic output ANSI text or b) convert UTF-16LE text to ANSI text.
a) would be using pipe:
C:\>wmic process where processID=16352 get commandLine | findstr /r /c:"[A-Z]output[0-9]"
notepad JOHNoutput0123
b) would be type'ing and redirecting:
Z:\>wmic process where processID=16352 get commandLine > command.txt
Z:\>type command.txt > command-ansi.txt
Z:\>findstr /r /c:"[A-Z]output[0-9]" command.txt
Z:\>findstr /r /c:"[A-Z]output[0-9]" command-ansi.txt
notepad JOHNoutput0123
Both may have a risk of losing some extended characters.
They aren't null characters but HIBYTEs of UTF-16LE. So it seems you're looking for a way to either a) make wmic output ANSI text or b) convert UTF-16LE text to ANSI text.
a) would be using pipe:
C:\>wmic process where processID=16352 get commandLine | findstr /r /c:"[A-Z]output[0-9]"
notepad JOHNoutput0123
b) would be type'ing and redirecting:
Z:\>wmic process where processID=16352 get commandLine > command.txt
Z:\>type command.txt > command-ansi.txt
Z:\>findstr /r /c:"[A-Z]output[0-9]" command.txt
Z:\>findstr /r /c:"[A-Z]output[0-9]" command-ansi.txt
notepad JOHNoutput0123
Both may have a risk of losing some extended characters.
Unfortunately it still is not working. The pattern your commands include as
[A-Z]output[0-9]"
actually comes as
[A-Z]o u t p u t[0-9]"
and I am willing to go with that but
a. the string output is not fixed in all runs. Today it might be "output", tomorrow I could be looking into something like "progress" or any random word.
b. The characters between the letters of "output" are not actually blanks as I typed here. They show as hex 00 on the hex editor, whereas space is 0x20 in ANSI notation.
a. the string output is not fixed in all runs. Today it might be "output", tomorrow I could be looking into something like "progress" or any random word.
Then why don't you search for whatever ANSI text you want?
C:\test>notepad whatever
C:\test>tasklist /fi "imagename eq notepad.exe"
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
notepad.exe 3364 31C5CE94259D4006 2 16,972 K
C:\test>rem Using pipe makes wmic output ANSI text
C:\test>wmic process where processID=3364 get commandLine | findstr /l /c:"whatever"
notepad whatever
C:\test>rem Redirecting to a file makes wmic output UTF-16LE text
C:\test>wmic process where processID=3364 get commandLine > command.txt
C:\test>rem but then type'ing and redirecting it can convert it to ANSI text
C:\test>type command.txt > command-ansi.txt
C:\test>findstr /l /c:"whatever" command-ansi.txt
notepad whatever
b. The characters between the letters of "output" are not actually blanks as I typed here. They show as hex 00 on the hex editor, whereas space is 0x20 in ANSI notation.
0x00 in your case is not a null character but a high byte of some UTF-16LE characters. 0x20 in ANSI is "0x20 followed by 0x00" in UTF-16LE. The true null character in UTF-16LE is "0x00 followed by 0x00".
Last edited by ArtMouse (23 Feb 2021 06:30)
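The pieces from this thread combined into one batch file, as an added example that is not from any of the posters: it lists the PIDs for one image name with tasklist, pipes each PID's wmic command line through findstr (the pipe is what yields ANSI text), and kills only the matches. The variable names IMAGE, PATTERN and DRYRUN and the :check label are assumptions chosen for illustration.

```batch
@echo off
setlocal
rem Added example. IMAGE, PATTERN and DRYRUN are illustrative names, not from the thread.
set "IMAGE=notepad.exe"
set "PATTERN=output"
rem DRYRUN=1 only reports what would be killed; set it to 0 to call taskkill.
set "DRYRUN=1"

rem tasklist CSV rows look like "notepad.exe","3364","Console","1","16,972 K",
rem so token 2 is the quoted PID and %%~P strips the quotes.
rem The "INFO: No tasks..." line has no comma, so it yields no token 2 and is skipped.
for /f "tokens=2 delims=," %%P in ('tasklist /fi "imagename eq %IMAGE%" /fo csv /nh') do call :check %%~P
endlocal
exit /b 0

:check
rem Piping wmic (instead of redirecting it to a file) gives findstr ANSI text to search.
rem 2>nul hides "No Instance(s) Available." if the process exited in the meantime.
wmic process where processID=%1 get commandLine 2>nul | findstr /i /l /c:"%PATTERN%" >nul
rem findstr sets errorlevel 1 when the pattern is absent: leave that process running.
if errorlevel 1 exit /b 0
if "%DRYRUN%"=="1" (
    echo Would kill PID %1
) else (
    taskkill /PID %1 /T
)
exit /b 0
```

Run it once with DRYRUN=1 and compare the reported PIDs against tasklist before switching to 0, since PATTERN is matched anywhere in the command line, including the executable path.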