SCCM – Using SC.exe and PsTools to Check Processes

SC.exe and PsTools

If you plan to use Configuration Manager 2012 to push out updates for programs like Flash, Adobe Reader, Java or IE in a live environment, it's useful to find out which processes the client is running at the time of deployment. You can check processes on client computers remotely by combining the SC command with the PsList command from PsTools.

If the Remote Registry service is not enabled on your network, you can enable it remotely on a computer by using the following commands:

sc \\computername config remoteregistry start= auto (This configures the Remote Registry service to start automatically)

sc \\computername start remoteregistry (This starts the Remote Registry service remotely since it wasn’t configured during the last startup)

Now that the Remote Registry service has been started remotely, you can use the "pslist" command (comes with PsTools) to see what processes are running on a computer named "computer1234":

pslist \\computer1234 -s

As you can see in the process list for computer1234, Adobe Reader, Internet Explorer and Flash are running. This is good information to have if you are planning on pushing out an update related to any of these products. Ideally you would use a maintenance window for updates, but for testing and deployments that can’t wait you can use these tools to determine if a client is using the program you are trying to update or replace.
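
The steps above as one PowerShell script, added here as an example and not part of the original post: it records how Remote Registry was configured on the client, starts it only for the PsList check, then restores the earlier state. It assumes pslist.exe is in C:\PSTools and an account with administrative rights on the target; unlike the "start= auto" command above, it uses "start= demand" so the service is not left set to start automatically.

```powershell
# Added example, not from the original post.
param([string]$Computer = 'computer1234')      # name from the page's example

$target = "\\$Computer"
$svc    = 'RemoteRegistry'
$pslist = 'C:\PSTools\pslist.exe'              # assumed install path

# "sc" alone is the Set-Content alias in Windows PowerShell, so call sc.exe.
$qc = (sc.exe $target qc $svc) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "Cannot query $svc on ${Computer}:`n$qc" }

# Record the start type found on the client so it can be put back.
$originalStart = switch -Regex ($qc) {
    'START_TYPE\s*:\s*2\s+AUTO_START\s+\(DELAYED\)' { 'delayed-auto'; break }
    'START_TYPE\s*:\s*2' { 'auto';     break }
    'START_TYPE\s*:\s*3' { 'demand';   break }
    'START_TYPE\s*:\s*4' { 'disabled'; break }
}
if (-not $originalStart) { throw "Unrecognised START_TYPE:`n$qc" }

$state      = (sc.exe $target query $svc) -join "`n"
$wasRunning = $state -match 'STATE\s*:\s*4\s+RUNNING'

try {
    if (-not $wasRunning) {
        if ($originalStart -eq 'disabled') {
            # Manual start is enough for a one-off check.
            sc.exe $target config $svc start= demand | Out-Null
        }
        sc.exe $target start $svc | Out-Null
        Start-Sleep -Seconds 3                 # give the service time to start
    }
    # No -s here: that switch is PsList's interactive task-manager mode.
    & $pslist $target
}
finally {
    if (-not $wasRunning) {
        # Leave the client as it was found.
        sc.exe $target stop $svc | Out-Null
        if ($originalStart -eq 'disabled') {
            sc.exe $target config $svc start= disabled | Out-Null
        }
    }
}
```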

Using Taskkill to Kill Running Processes

After you find out which processes are running on a client PC, it's fairly simple to kill a process. One way is by using the Process ID (PID) (see other examples below).

taskkill /pid 4088 /s \\computer1234

That would kill the running Adobe Reader process (PID = 4088) from the example above. For more information on the TASKKILL command, see its help output below.

C:\PSTools>taskkill /?

TASKKILL [/S system [/U username [/P [password]]]]
         { [/FI filter] [/PID processid | /IM imagename] } [/T] [/F]

This tool is used to terminate tasks by process id (PID) or image name.

Parameter List:

    /S    system           Specifies the remote system to connect to.

    /U    [domain\]user    Specifies the user context under which the
                           command should execute.

    /P    [password]       Specifies the password for the given user
                           context. Prompts for input if omitted.

    /FI   filter           Applies a filter to select a set of tasks.
                           Allows "*" to be used. ex. imagename eq acme*

    /PID  processid        Specifies the PID of the process to be terminated.
                           Use TaskList to get the PID.

    /IM   imagename        Specifies the image name of the process
                           to be terminated. Wildcard '*' can be used
                           to specify all tasks or image names.

    /T                     Terminates the specified process and any
                           child processes which were started by it.

    /F                     Specifies to forcefully terminate the process(es).

    /?                     Displays this help message.


Filters:

    Filter Name   Valid Operators           Valid Value(s)
    -----------   ---------------           -------------------------
    IMAGENAME     eq, ne                    Image name
    PID           eq, ne, gt, lt, ge, le    PID value
    SESSION       eq, ne, gt, lt, ge, le    Session number.
    CPUTIME       eq, ne, gt, lt, ge, le    CPU time in the format
                                            of hh:mm:ss.
                                            hh - hours,
                                            mm - minutes, ss - seconds
    MEMUSAGE      eq, ne, gt, lt, ge, le    Memory usage in KB
    USERNAME      eq, ne                    User name in [domain\]user
    MODULES       eq, ne                    DLL name
    SERVICES      eq, ne                    Service name
    WINDOWTITLE   eq, ne                    Window title

NOTE
----
    1) Wildcard '*' for /IM switch is accepted only when a filter is applied.
    2) Termination of remote processes will always be done forcefully (/F).
    3) "WINDOWTITLE" and "STATUS" filters are not considered when a remote
       machine is specified.

Examples:

    TASKKILL /IM notepad.exe
    TASKKILL /PID 1230 /PID 1241 /PID 1253 /T
    TASKKILL /F /IM cmd.exe /T
    TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
    TASKKILL /S system /U domain\username /FI "USERNAME ne NT*" /IM *
    TASKKILL /S system /U username /P password /FI "IMAGENAME eq note*"