Difference between "delete" and "call terminate" for WMIC

windows wmic

To kill a running process on Windows using its executable path, I could use either of:

wmic process where ExecutablePath='C:\\path\\to\\my.exe' delete

Or:

wmic process where ExecutablePath='C:\\path\\to\\my.exe' call terminate

What, if any, is the practical difference between these two approaches?


Solution 1:

With call terminate, we can pass an exit status, such as call terminate '-1073741510'. The 32-bit status value has to be signed, and a negative value needs to be quoted. The latter value is STATUS_CONTROL_C_EXIT (0xC000013A) as a signed, decimal value. The default exit status is 0, which is the same value that's used for the delete verb.

In terms of implementation, the WMI service starts an instance of the WMI Provider Host (wmiprvse.exe) to process the request. It's relatively easy to attach a debugger to inspect this since the provider host process is reused for a few minutes. The Win32_Process class is implemented in the WMI Win32 Provider module (cimwin32.dll), which contains a Process class with DeleteInstance and ExecTerminate methods, called respectively for delete and call terminate. Both methods ultimately call WINAPI TerminateProcess.

Related

How I resolve "Downloading VS Code Server failed" while using vs code on MacOs
Trying to make SSD boot drive with Windows 7 and old drive is not accessible
Turn off Search History Popdown on Address Bar in Google Chrome
Hide Volume OSD in Windows
Excel - matching values in columns in different tabs and then pasting into another column if there's a match
Am I a person eater?
Can you combine runes?
What are Ice Towers useful for?
What is a Dwarven Key used for?
How does the "Double damage in combat" trait work for the Mantis crew in FTL
How do I Feed all Prisoners?
Making mutations on "Mighty Morphin'" mission