.kill (Kill Process)
In user mode, the .kill command ends a process that is being debugged.
In kernel mode, the .kill command ends a process on the target computer.
.kill [ /h | /n ]
(User mode only) Any outstanding debug event will be continued and marked as handled. This is the default.
(User mode only) Any outstanding debug event will be continued without being marked as handled.
Specifies the address of the process to be terminated. If Process is omitted or zero, the default process for the current system state will be terminated.
In kernel mode, this command is supported on Microsoft Windows Server 2003 and later versions of Windows.
user mode, kernel mode
live debugging only
In user mode, this command ends a process that is being debugged. If the debugger is attached to a child process, you can use .kill to end the child process without ending the parent process. For more information, see Examples.
In kernel mode, this command schedules the selected process on the target computer for termination. The next time that the target can run (for example, by using a g (Go) command), the specified process is ended.
You cannot use this command during local kernel debugging.
Suppose you attach a debugger to parent process (Parent.exe) before it creates a child process. You can enter the command .childdbg 1 to tell the debugger to attach to any child process that the parent creates.
1:001> .childdbg 1 Processes created by the current process will be debugged
Now let the parent process run, and break in after it has created the child process. Use the | (Process Status) command to see the process numbers for the parent and child processes.
0:002> |* . 0 id: 7f8 attach name: C:\Parent\x64\Debug\Parent.exe 1 id: 2d4 child name: notepad.exe
In the preceding output, the number of the child process (notepad.exe) is 1. The dot (.) at the beginning of the first line tells us that the parent process is the current process. To make the child process the current process, enter |1s.
0:002> |1s ... 1:001> |* # 0 id: 7f8 attach name: C:\Parent\x64\Debug\Parent.exe . 1 id: 2d4 child name: notepad.exe
To kill the child process, enter the command .kill. The parent process continues to run.
1:001> .kill Terminated. Exit thread and process events will occur. 1:001> g
Using the -o parameter
When you start WinDbg or CDB, you can use the -o parameter to tell the debugger that it should attach to child processes. For example, the following command starts WinDbg, which starts and attaches to Parent.exe. When Parent.exe creates a child process, WinDbg attaches to the child process.
windbg -g -G -o Parent.exe
|Versions:(Kernel mode) Supported in Windows Server 2003 and later.|