I need your help to make a script to be used to alleviate symptoms of an issue while we dig into it and find the cause.

Description of issue: We have a problem where a DLL gets locked and this stops IIS from handling requests. There are a couple of DLLs that could be the issue. We mapped them as exceptions for Windows Defender but still the issue occurs.

We can detect the issue by writing a script to periodically access the website which will stall if the issue is happening.

This is on Windows 2016 Server.

Requirement: Clearly a long term fix is needed and we are working on this. Whilst we find that fix, we are seeking a way to find the process that is using a DLL and kill that process.

SysInternals Process Explorer can identify the process that is accessing a DLL file (this is the binoculars feature). And once we know which process, we can also kill that process in Process Explorer.

The ideal solution would be a script that searches for processes using a specified DLL name and then kills them. I guess we can use the Sysinternals command line utilities but don't know where to start.

Notes: Ideally we will fix the issue but it is ongoing so we want to alleviate the symptoms. Some of you are maybe going to suggest fixing the issue, and if you have a solution then send it in. In the meantime, here are some questions that may get asked... What causes the issue - if we knew that...! The issue seems to occur after the Windows Defender signature update runs. It 'feels' like when Windows Defender restarts to load the new threat signatures, the DLL that is in memory is somehow seen as a threat. Could it be a bona fide threat - no, because we scanned it manually and it comes up clean.

Vanquished Wombat

1 Answer

You could use PowerShell. Here is a start.

Notes:

  • It does not perform any checks to see if the process has been terminated.
  • It uses the PID to issue the terminate as it would be safer than the process name.
  • It uses a full path to the module to make the detection more precise.
  • The code defaults to not killing the process, change the KillIt variable to $true once happy.

It would be useful if the general concept identifies the processes for you and the default Stop-Process works for the process(es) in question:

$ModulePathToFind = "C:\Windows\System32\msxml6.dll"
$KillIt           = $false   # set to $true once you are happy with what it reports

foreach ($p in Get-Process)
{
    # Reading .Modules of protected/system processes throws "access denied"; skip those.
    try { $modules = $p.Modules } catch { continue }

    foreach ($m in $modules)
    {
        # Exact, case-insensitive path comparison (-match would treat the path as a regex)
        if ($m.FileName -ieq $ModulePathToFind)
        {
            Write-Host "Found:" $m.FileName "in" $p.Name "ID:" $p.Id

            if ($KillIt)
            {
                Write-Host "In 'Kill' mode."
                Stop-Process -Id $p.Id -Force
            }
            else
            {
                Write-Host "Not in 'Kill' mode."
            }
        }
    }
}
HelpingHand
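The question also asks for the periodic website probe to be tied to the DLL search, so here is an added example (not part of the answer above) that only scans for the DLL when a probe of the site stalls, logs what it finds, and terminates nothing unless -KillIt is passed. The URL, log path, timeout and interval are placeholders; the DLL path is the one used in the answer.

```powershell
# Added example: website watchdog that looks for the DLL holder only on a stalled probe.
# $Url, $LogPath, $TimeoutSec and $IntervalSec are placeholders; adjust for your site.
param(
    [string]$Url         = "http://localhost/health",           # placeholder
    [string]$ModulePath  = "C:\Windows\System32\msxml6.dll",    # path from the answer
    [int]   $TimeoutSec  = 15,
    [int]   $IntervalSec = 60,
    [string]$LogPath     = "C:\Temp\dll-watchdog.log",           # placeholder
    [switch]$KillIt                                               # default: report only
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Write-Host $line
    Add-Content -Path $LogPath -Value $line
}

# Returns the processes that currently have $Path loaded. Reading .Modules of
# protected/system processes throws "access denied"; those are skipped.
function Get-ProcessesUsingModule([string]$Path) {
    foreach ($p in Get-Process) {
        try { $modules = $p.Modules } catch { continue }
        if ($modules | Where-Object { $_.FileName -ieq $Path }) { $p }
    }
}

while ($true) {
    $stalled = $false
    try {
        # A hung site never answers; the timeout turns the hang into an exception.
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
    } catch {
        $stalled = $true
        Write-Log "Probe of $Url failed: $($_.Exception.Message)"
    }

    if ($stalled) {
        foreach ($p in Get-ProcessesUsingModule $ModulePath) {
            Write-Log "Found $ModulePath in $($p.Name) (PID $($p.Id))"
            if ($KillIt) {
                Write-Log "Terminating PID $($p.Id)"
                Stop-Process -Id $p.Id -Force
            }
        }
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Run it in report-only mode first and read the log: if the DLL is loaded by the IIS worker (w3wp.exe) itself, terminating that PID recycles your application pool rather than an external holder.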