Difference between "delete" and "call terminate" for WMIC
To kill a running process on Windows using its executable path, I could use either of:
wmic process where ExecutablePath='C:\\path\\to\\my.exe' delete
Or:
wmic process where ExecutablePath='C:\\path\\to\\my.exe' call terminate
What, if any, is the practical difference between these two approaches?
Solution 1:
With call terminate
, we can pass an exit status, such as call terminate '-1073741510'
. The 32-bit status value has to be signed, and a negative value needs to be quoted. The latter value is STATUS_CONTROL_C_EXIT
(0xC000013A) as a signed, decimal value. The default exit status is 0, which is the same value that's used for the delete
verb.
In terms of implementation, the WMI service starts an instance of the WMI Provider Host (wmiprvse.exe) to process the request. It's relatively easy to attach a debugger to inspect this since the provider host process is reused for a few minutes. The Win32_Process
class is implemented in the WMI Win32 Provider module (cimwin32.dll), which contains a Process
class with DeleteInstance
and ExecTerminate
methods, called respectively for delete
and call terminate
. Both methods ultimately call WINAPI TerminateProcess
.