Kill Remote Desktop session PowerShell

Perhaps youre working happily on a remote Windows server, then find a process that runs awry using up valuable CPU cycles. What do you do? Kill it!

In this tutorial, you will learn how to kill a Windows process using native utilities, third-party utilities, and PowerShell. You will first learn how to examine the running processes in Windows and then kill running processes.

Prerequisites

If youd like to follow along with the steps in this tutorial, be sure you have the following ahead of time:

• A Windows PC All demos in this tutorial will use Windows 10, but Windows 7+ will work also.
• A Windows Server or another Windows desktop to use as your target for killing the remote tasks. This tutorial uses a standalone Windows Server 2016 as the remote server.
• The Sysinternals Suite from Microsoft.
• Windows PowerShell 5 or greater. This tutorial uses PowerShell v7.1.3

Querying Remote Windows Process with Tasklist

Since Windows XP, there has been a helpful tool called tasklist. Tasklist is a handy tool that queries processes on remote computers. Before you can kill a process, you must first discover them!

Open a PowerShell session or command prompt on your desktop and type in the following command to display all the running processes on your remote computer.

The command below queries a remote computer (/S) authenticating the connection with the administrator username (/U) and password (/P).

Youll notice below that the Session Name does not appear. Since youre running tasklist on a remote computer, tasklist does not provide the Session Name.

list of processes on a remote server

Perhaps you prefer only to list a single process. Not a problem. To do that, specify the /FI parameter. The /FI parameter accepts a query that is passed to the tasklist to filter out specific processes.

The output of tasklist showing a specific process

Querying Remote Windows Process with PSList

Another tool to view running processes is PSList, and this utility is part of the Sysinternals Suite. This suite of tools has been around for many years and was created by Mark Russinovich, CTO of Azure!

Lets get started on how you can view running processes on a remote computer.

1. Open a PowerShell session or command prompt on your desktop and change the directory to where you extracted the Sysinternal Suite.

2. In your PowerShell session, run the following command to display the running processes on the remote computer and associated CPU usage in real-time.

The command below runs pslist to query all remote Windows processes on the WIN-BANGJIEFNOC computer authenticating the Administrator username (-u) and password (-p).

The command uses the -s switch turns pslist into task manager mode that repeatedly updates the list.

If its the first time you have used a Sysinternals tool, a banner may appear that asks you to accept the EULA; click on OK.

You now see the following output from running that command; for this article, you are concerned with 3 of these values. As shown below.

• Name: The name of the process.
• Pid: Process Identifier, a critical value used in this tutorial, the PID number can be used to kill a remote process. Its the numerical id assigned to a process.
• CPU: This shows in near real-time the utilization of your overall available CPU.

The other values are memory-related and beyond the scope of this article.

Output in real-time of pslist

3. Since step two used the -s switch, hit Ctrl-C to quit pslist to get back to the console.

Narrow down the list of processes returned by using the -e switch followed by the process name, e.g., -e Winlogon.

Killing Processes By Process Name with PSKill

Once you know how to find remote processes, lets now dive into how to kill them. To start, lets cover the pskill utility. First, learn how to kill processes by process name.

1. Ensure you have a process you can kill on your remote server. This tutorial will use the notepad process.

2. Open a PowerShell session or command prompt on your local desktop and change the directory to where you extracted the Sysinternal Suite and run the following command. You can see the syntax for pskill is similar to pslist.

Output of pskill

3. Now, run pslist, as explained in the previous section, to confirm the process is indeed stopped.

Output of pslist

Killing Processes By Process ID with PSKill

Killing the process by name might be good enough for your needs if only a single instance of that process is running or you want to kill all processes with that name. What if youre going to kill a particular instance of a running process? The following steps will demonstrate this.

1. On your remote server, open Notepad twice; you will kill one of these processes in this demonstration; you can of course, substitute other processes.

2. Run the following command taking note of one of the Pids as shown below; you need that for the next step.

Using pslist to list PIDs of Notepad

3. Using the PID, now run pskill, providing the PID as the last argument.

The output of pskill for a particular PID

4. Finally, check that you still have one instance of Notepad running by rerunning pslist. You should now only see a single instance of Notepad running.

Output of pslist

Killing Remote Windows Processes with TaskKill by Name

The taskkill utility is native to Windows and includes further command-line options for restarting processes by username and application name. Lets get started and kill Notepad again!

Kill Process by Name

1. On your remote server, open Notepad; Notepad is the process you will kill in this demonstration; you can, of course, substitute another process.

2. Open a PowerShell session or command prompt on your desktop. Typing the following command will kill notepad.exe

The output is shown below:

/IM is the parameter for Image; in this case, it is notepad.exe

The output of taskkill command

3. To confirm the process is stopped, run tasklist. You should now see no tasks are matching that filter.

Output of tasklist using imagename

Killing Remote Windows Processes with TaskKill by PID

Killing a process with taskkill using a PID isnt much different than using the process name. But, since you cant use the name, youll first need to find the PID and then pass that to taskkill.

Assuming you Notepad running on your remote Windows host:

1. Run tasklist as shown below to find the PID of the Notepad process. Take note of one of the PIDs as shown below; you need that for the next step.

the output of tasklist to view PIDS

2. Now, run taskkill providing the PID as the last argument.

The output of taskkill specifying a particular PID

3. Finally, run tasklist to confirm the process is stopped.

Output of tasklist

Killing a Remote Windows Process with PowerShell

PowerShell gives you a couple of options for killing remote processes; the first cmdlet Stop-Process cannot natively kill a remote process, as it does not have an option to specify a computer name. But, you can get around this issue by running Stop-Process remotely via PowerShell Remoting.

Related:PowerShell Remoting: The Ultimate Guide

1. If your host and remote server are not in an Active Directory domain, first provide a username and password, creating a PSCredential object.

Related:Using the PowerShell Get-Credential Cmdlet and all things credentials

Setting up credentials

2. Next, since the tutorial will use SSL to connect to the remote computer and use a self-signed certificate, create a PSSessionOption that will skip the certificate check for a trusted certificate authority.

3. Now, connect to the server with the Enter-PSSession command, which establishes an interactive session to the remote server.

The command below is connecting to the WIN-BANGJIEFNOC.local.net computer using the username and password provided above (Credential), skipping the certification authority check (SessionOption), and connecting via SSL (UseSSL).

Using Enter-PsSession for an interactive session

4. Once youre connected to the remote host, check the process you want to kill by running Get-Process. In this case, youll see the notepad process.

Output of Get-Process

5. To kill this process, run Stop-Process, as shown below.

6. Finally, confirm youve killed the process by rerunning Get-Process, and you should receive an error message.

Checking for Notepad as a running process

If youd like to stop a remote Windows process non-interactively, use the Invoke-Command command using the following parameters: Invoke-Command -ComputerName WIN-BANGJIEFNOC.local.net -Credential $credentials -ScriptBlock {Stop-Process -ProcessName notepad} -UseSSL. Encapsulating the Stop-Proces command in the ScriptBlock parameter sends the command to the remote host.

Conclusion

You have learned about different methods of killing remote processes and how to overcome situations where network firewall rules might stop utilities from working correctly; this tutorial might have also helped you fix Windows.

The utilities you learned about are potent tools; use with care!

More from Adam The Automator & Friends

• 

  Get this interactive comic book to learn how Veeam and AWS can help you fight ransomware, data sprawl, rising cloud costs, unforeseen data loss and make you a hero!

• 

  ATA is known for its high-quality written tutorials in the form of blog posts. Support ATA with ATA Guidebook PDF eBooks available offline and with no ads!

• 

  Check out all of the ATA recommended resources!

Related

Meet Our Sponsors

PluralSight Courses

• Microsoft Cognitive Services: Azure Custom Text to Speech
• Building PowerShell Security Tools in a Windows Environment
• Infrastructure Testing with Pester
• Building a Client Troubleshooting Tool in PowerShell
• Building Advanced PowerShell Functions and Modules
• PowerShell Toolmaking Fundamentals
• Client-Side PowerShell Scripting for Reliable SCCM Deployments
• Planning & Creating Applications in System Center ConfigMgr 2012
• PowerShell DevOps Playbook