
I want to kill a process using Task Scheduler and a PowerShell script. When a specific process starts, Task Scheduler triggers the PS script. The script gets the process ID and tries to stop it. My issue is that the script can't kill the process until the process finishes its job. However, I want to kill the process as soon as the script triggers, without waiting for anything. As a note, the process I want to kill also runs with Admin privileges, and runs in window mode (not in the background).

Scheduled Task settings: running as SYSTEM with highest privileges. I also used the ExecutionPolicy Bypass parameter as below: powershell -ExecutionPolicy Bypass -File C:\Scripts\KillProcess.ps1.

In the script, I basically have the following code:

$process = Get-Process -Id $pid
$process.PriorityClass = 'High'

# -ErrorAction Stop goes on Get-WinEvent, the cmdlet that errors when no event matches.
$events = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = <eventId>; StartTime = [datetime]::Now.AddMinutes(-5)} -ErrorAction Stop |
    Where-Object -Property Message -Match '<string to search for>' |
    Where-Object -Property Message -Match '<string to search for>'

# Nothing left after filtering: nothing to kill.
if (-not $events) {
    exit
}

$processes = @()

# For each event, get the process ID and kill it.
# This is because the process can spawn multiple processes.
foreach ($evt in $events) {   # $event is an automatic variable, so another name is used
    # Parse the process ID, which the message holds as a hex value (0x...).
    $match = [regex]::Match($evt.Message, 'Process\sID:\s+(0x[0-9a-fA-F]+)')
    if ($match.Success) {
        $processes += [int]$match.Groups[1].Value
    }
}

$processes = $processes | Select-Object -Unique

foreach ($proc in $processes) {
    Stop-Process -Id $proc -Force -ErrorAction SilentlyContinue
}

When I run PowerShell ISE as Admin and run the script there manually, it immediately kills the process. However, it waits for the process to finish its job when Task Scheduler triggers the script. Am I doing something wrong with the Task Scheduler?

  • How is the task getting triggered? Commented Jul 23, 2020 at 13:18
  • On an event having a specific EventID. The script then reads the same events, gets the process ID and tries to kill it. Commented Jul 23, 2020 at 13:39
  • So the "snipped code" section above has some code to pull out the process ID. Seems like a timing issue, are you sure the event is logged at the start of the process you are trying to kill? Without the additional code, I'm also concerned about isolating the correct event etc... there's a lot of room for complications here, is there any way you can post the snippet? A sanitized version? Commented Jul 23, 2020 at 15:16
  • I edited the original message and put in the sanitized code. In the task history, I see the process starts to run. The EventID is the same for the task trigger, so I'm sure the script finds the correct events and gets the process IDs. Somehow, it can't kill them. The process that is to be killed runs for about 60 seconds or more. There is enough time for the script to kill it. I also tried running a parallel instance of the task, as it triggers more than once for the same process. It didn't work either. Commented Jul 23, 2020 at 15:47
  • It'd be much easier to pull the process ID from the properties collection on the event. Just identify which index it's at. You can see an example of that here. As for the delayed process kill, I'm not sure. But if I were troubleshooting this, I'd either start a transcript or just write a bunch of debug text including time stamps to a file. At a minimum that would tell you where the delay is occurring, then take it from there... Commented Jul 23, 2020 at 16:03

1 Answer


I don't know what the issue with Stop-Process was, but I changed it to the process.Kill() method, getting the process object with Get-Process -Id $proc first. Now it works without issue.
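
The suggestions from the comments (read the process ID from the event's structured data, write time-stamped debug output) combined with the Kill() call from this answer, as an added example that is not code from the original posts. `$EventId`, `$PidField` and the log path are assumptions, as is the PID being stored as a hex string; none of these values come from the question.

```powershell
# Added example: parameters and the log path are placeholders, not values from the question.
param(
    [Parameter(Mandatory)] [int]    $EventId,    # the event ID the scheduled task triggers on
    [Parameter(Mandatory)] [string] $PidField,   # EventData field that holds the PID (assumption)
    [string] $LogFile = 'C:\Scripts\KillProcess.log'   # assumed log location
)

function Write-Log([string]$Message) {
    # Time-stamped trace, so a delay can be located when the task runs as SYSTEM.
    Add-Content -Path $LogFile -Value ('{0:o}  {1}' -f (Get-Date), $Message)
}

Write-Log "Started as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

$filter = @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddMinutes(-5) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Log 'No matching events'
    exit 0
}

$targetIds = foreach ($evt in $events) {
    # Read the named field from the event XML instead of regex-matching the message text.
    $data = ([xml]$evt.ToXml()).Event.EventData.Data
    $raw  = ($data | Where-Object { $_.Name -eq $PidField }).'#text'
    if ($raw) {
        [Convert]::ToInt32($raw, 16)   # assumes a hex string such as 0x...
    }
}

foreach ($id in ($targetIds | Select-Object -Unique)) {
    try {
        $p = Get-Process -Id $id -ErrorAction Stop
        Write-Log "Killing $($p.ProcessName) (PID $id)"
        $p.Kill()
        # WaitForExit returns $true if the process ended within the timeout (milliseconds).
        $gone = $p.WaitForExit(5000)
        Write-Log "PID $id exited within 5 s: $gone"
    }
    catch {
        # Covers a PID that has already exited as well as a failed Kill().
        Write-Log "PID $id not stopped: $($_.Exception.Message)"
    }
}
```

The log shows which account the task ran under and the time between the trigger, the event lookup and the kill, which is where the delay described in the question would show up.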
