实时监视进程并终止该进程

5秒提示方式

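' Process monitor, popup mode: subscribes to WMI process-creation events and
' lets SINK_OnObjectReady terminate any new process whose image name is listed
' in arrTargetProcs.
'
' Review notes:
'  - Matching is by image name only, so a renamed copy of the executable is not
'    caught. For enforcement, use an application-control policy (AppLocker,
'    WDAC, Software Restriction Policies); this script is a convenience tool.
'  - "WITHIN 1" makes WMI poll about once per second; a process that starts and
'    exits between two polls may never be reported.
'  - Terminating processes owned by other users requires sufficient privileges.
On Error Resume Next
strComputer = "."                      ' "." selects the local machine
arrTargetProcs = Array("calc.exe")     ' image names to terminate (compared case-insensitively)

Set objShell = CreateObject("Wscript.Shell")
' The "SINK_" prefix binds the sink's events to the SINK_* procedures in this script.
Set SINK = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
objWMIService.ExecNotificationQueryAsync SINK, _
    "SELECT * FROM __InstanceCreationEvent WITHIN 1 " & _
    "WHERE TargetInstance ISA 'Win32_Process'"

' With errors suppressed, a failed WMI connection or subscription would
' otherwise leave the script idling in the loop below while monitoring nothing.
If Err.Number <> 0 Then
    objShell.Popup Now & " 监视启动失败: " & Err.Description, 5, "提示信息"
    WScript.Quit 1
End If
On Error GoTo 0

' Keep the host alive; events are delivered to the sink while the script sleeps.
Do
    WScript.Sleep 1000
Loop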

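' Event handler for the WMI sink: called once per process-creation event.
'   objLatestEvent  - the __InstanceCreationEvent; TargetInstance is the new Win32_Process
'   objAsyncContext - async context supplied by WMI (unused)
' Terminates the process when its image name is in arrTargetProcs and reports
' the outcome in 5-second popups.
Sub SINK_OnObjectReady(objLatestEvent, objAsyncContext)
  Dim objProc, strName, strTargetProc, dtFound, dtDone, intReturn, strDetail

  ' Trap errors locally: the process may already have exited by the time the
  ' event arrives, in which case reading it or calling Terminate can fail.
  On Error Resume Next
  Set objProc = objLatestEvent.TargetInstance
  strName = objProc.Name
  If Err.Number <> 0 Then Exit Sub

  For Each strTargetProc In arrTargetProcs
    If LCase(strName) = LCase(strTargetProc) Then
      dtFound = Now
      ' Terminate before showing any popup: Popup blocks for up to 5 seconds,
      ' and the target would keep running for that long if it came first.
      ' Start from a non-zero value because an unset variable (Empty) compares
      ' equal to 0 and would be reported as success.
      intReturn = -1
      Err.Clear
      intReturn = objProc.Terminate
      If Err.Number <> 0 Then
        strDetail = " (" & Err.Description & ")"
        intReturn = -1
      Else
        strDetail = " (返回值 " & intReturn & ")"
      End If
      dtDone = Now

      objShell.Popup dtFound & " 发现进程: " & strName, 5, "提示信息"
      If intReturn = 0 Then
        objShell.Popup dtDone & " 终止进程: " & strName & " 成功", 5, "提示信息"
      Else
        objShell.Popup dtDone & " 终止进程: " & strName & " 失败" & strDetail, 5, "提示信息"
      End If
    End If
  Next
End Sub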

静默日志方式(D:\kill.log)

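' Process monitor, silent mode: same WMI subscription as the popup variant, but
' SINK_OnObjectReady writes its results to D:\kill.log instead of showing popups.
'
' Review notes:
'  - Matching is by image name only, so a renamed copy of the executable is not
'    caught; use an application-control policy where enforcement matters.
'  - "WITHIN 1" makes WMI poll about once per second; very short-lived
'    processes may never be reported.
'  - If the log is meant as a record, keep it in a location that only the
'    monitoring account can write to.
On Error Resume Next
strComputer = "."                      ' "." selects the local machine
arrTargetProcs = Array("calc.exe")     ' image names to terminate (compared case-insensitively)

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
' Mode 8 = ForAppending, so earlier entries survive a restart of the monitor
' (mode 2, ForWriting, empties the file every time the script starts).
' True = create the file when it does not exist yet.
Set file = fso.OpenTextFile("D:\kill.log", 8, True)
' The "SINK_" prefix binds the sink's events to the SINK_* procedures in this script.
Set SINK = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
objWMIService.ExecNotificationQueryAsync SINK, _
    "SELECT * FROM __InstanceCreationEvent WITHIN 1 " & _
    "WHERE TargetInstance ISA 'Win32_Process'"

' With errors suppressed, an unwritable log or a failed WMI subscription would
' otherwise leave the script idling in the loop below while doing nothing.
' A startup failure is the one case where this mode is not silent.
If Err.Number <> 0 Then
    WScript.Echo Now & " 监视启动失败: " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Keep the host alive; events are delivered to the sink while the script sleeps.
Do
    WScript.Sleep 1000
Loop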

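' Event handler for the WMI sink: called once per process-creation event.
'   objLatestEvent  - the __InstanceCreationEvent; TargetInstance is the new Win32_Process
'   objAsyncContext - async context supplied by WMI (unused)
' Terminates the process when its image name is in arrTargetProcs and appends
' the outcome to the log opened by the main script.
Sub SINK_OnObjectReady(objLatestEvent, objAsyncContext)
  Dim objProc, strName, strTargetProc, intReturn, strDetail

  ' Trap errors locally: the process may already have exited by the time the
  ' event arrives, in which case reading it or calling Terminate can fail.
  ' Logging is best-effort, so a failed write does not prevent termination.
  On Error Resume Next
  Set objProc = objLatestEvent.TargetInstance
  strName = objProc.Name
  If Err.Number <> 0 Then Exit Sub

  For Each strTargetProc In arrTargetProcs
    If LCase(strName) = LCase(strTargetProc) Then
      file.WriteLine Now & " 发现进程: " & strName
      ' Start from a non-zero value because an unset variable (Empty) compares
      ' equal to 0 and would be logged as success.
      intReturn = -1
      Err.Clear
      intReturn = objProc.Terminate
      If Err.Number <> 0 Then
        strDetail = " (" & Err.Description & ")"
        intReturn = -1
      Else
        strDetail = " (返回值 " & intReturn & ")"
      End If

      If intReturn = 0 Then
        file.WriteLine Now & " 终止进程: " & strName & " 成功"
      Else
        ' Record why it failed; the return value or error text is what makes
        ' the entry useful when reviewing the log later.
        file.WriteLine Now & " 终止进程: " & strName & " 失败" & strDetail
      End If
    End If
  Next
End Sub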

结束监视

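@echo off
rem Stops the process monitor started by one of the VBScript listings.
rem SCRIPT_NAME is a placeholder: set it to the file name the monitor was saved under.
set "SCRIPT_NAME=monitor.vbs"

rem Informational only: print the image name column of the running processes.
for /f "tokens=1" %%i in ('tasklist.exe') do echo %%i

rem Terminate only the wscript.exe instance whose command line names the monitor
rem script. Force-killing every wscript.exe, wmiprvse.exe and unsecapp.exe would
rem also stop unrelated scripts and the shared WMI provider hosts that other
rem software on the machine depends on. The temporary event subscription belongs
rem to the script process and should be released by WMI once that process exits.
rem NOTE(review): wmic is deprecated on current Windows releases; a
rem Get-CimInstance Win32_Process query in PowerShell is the replacement.
wmic process where "name='wscript.exe' and commandline like '%%%SCRIPT_NAME%%%'" call terminate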

 
