Difference between "delete" and "call terminate" for WMIC

To kill a running process on Windows using its executable path, I could use either of:

wmic process where ExecutablePath='C:\\path\\to\\my.exe' delete

Or:

wmic process where ExecutablePath='C:\\path\\to\\my.exe' call terminate

What, if any, is the practical difference between these two approaches?


Solution 1:

With call terminate, we can pass an exit status, such as call terminate '-1073741510'. The 32-bit status value has to be signed, and a negative value needs to be quoted. The latter value is STATUS_CONTROL_C_EXIT (0xC000013A) as a signed, decimal value. The default exit status is 0, which is the same value that's used for the delete verb.

In terms of implementation, the WMI service starts an instance of the WMI Provider Host (wmiprvse.exe) to process the request. It's relatively easy to attach a debugger to inspect this since the provider host process is reused for a few minutes. The Win32_Process class is implemented in the WMI Win32 Provider module (cimwin32.dll), which contains a Process class with DeleteInstance and ExecTerminate methods, called respectively for delete and call terminate. Both methods ultimately call WINAPI TerminateProcess.