Didier Stevens

Thursday 3 February 2011

TaskManager.xls

Filed under: My Software — Didier Stevens @ 9:45

TaskManager.xls is a simple taskmanager implemented in Excel/VBA. It can list the running processes; and terminate, suspend or resume selected processes.

I wrote this script because I was in a restricted environment where I could not use Task Manager or Process Explorer. It will also come in handy when fixing an infected machine, where the malware prevents one from launching Task Manager or Process Explorer.

Push  button “List processes” to list all processes:

Here’s how you would use it to disable malware. List processes, identify malicious processes, type command s (suspend) in column Command for the malicious processes you want to disable. Push button “Execute commands”, this will suspend the selected processes.

Now terminate them with the t command:

Doing this in 2 steps (suspend and terminate) in stead of just terminating, is more suited for multi-process malware that monitors itself.

Download:

TaskManager_V0_0_1.zip (https)

MD5: A0A7584C83F4DD85F57F8511E332893B

SHA256: A0A128DA6297968CB2F434628AD4F045E14EBDC8AE3B05DD3D0F21CC954C13CE

64 Comments »

  1. Wow, very useful.

    Comment by CypherBit — Thursday 3 February 2011 @ 9:49

  2. Great stuff !
    Thanks Didier

    Comment by Vincent — Thursday 3 February 2011 @ 13:02

  3. Doesn’t work on my mac ;-)

    Thx Didier.

    Comment by Steve — Thursday 3 February 2011 @ 13:36

  4. Fun stuff! :)

    Comment by Elias Bachaalany — Thursday 3 February 2011 @ 13:49

  5. Is it also possible to start tasks? Could an evil xls be used to install malware using this approach?

    Comment by Hero — Thursday 3 February 2011 @ 13:55

  6. Long live VBA!!

    I can’t figure out why, but this code runs/compiles just fine in Excel 2010, even though the API functions aren’t declared with PtrSafe.

    Comment by Jonathon — Thursday 3 February 2011 @ 14:01

  7. Aw, the microsoft web excel thing won’t open it.

    Comment by c — Thursday 3 February 2011 @ 16:37

  8. Will future versions run on x64 Windows?

    Comment by David — Friday 4 February 2011 @ 3:33

  9. @Hero ‘That’s possible, search for my Frisky Solitaire post.

    Comment by Didier Stevens — Friday 4 February 2011 @ 7:09

  10. @David It runs on x64 Windows with 32-bit Excel. You are probably asking about 64-bit Excel?

    Comment by Didier Stevens — Friday 4 February 2011 @ 7:14

  11. @Jonathon Maybe you are using 32-bit Excel 2010?

    Comment by Didier Stevens — Friday 4 February 2011 @ 7:18

  12. Shame this doesn’t work in OpenOffice

    Comment by Jari — Friday 4 February 2011 @ 8:54

  13. God I remember this kind of stuff. Back when I was at school we had a locked down Win95 environment restricted with Poledit. I wrote an excel form + vbScript to change the relevant registry keys to give me back the access I wanted. Everything from right-click context menus to removing restricted applications.

    Comment by Dave — Friday 4 February 2011 @ 13:46

  14. can it be used to get the list from remote machine?

    Comment by shreekanrh — Friday 4 February 2011 @ 16:39

  15. @shreekanrh No, the WIN32 API I use doesn’t have that feature.

    Comment by Didier Stevens — Friday 4 February 2011 @ 18:55

  16. […] TaskManager.xls TaskManager.xls is a simple taskmanager implemented in Excel/VBA. It can list the running processes; and terminate, […] […]

    Pingback by Top Posts — WordPress.com — Saturday 5 February 2011 @ 0:12

  17. Nice tool. Nice idea.

    Comment by Daniel Baerthel — Tuesday 8 February 2011 @ 11:10

  18. greate stuff….:-)

    Comment by Mr. Floppy — Tuesday 8 February 2011 @ 11:23

  19. it is rocking..

    Comment by palaniyappan — Tuesday 8 February 2011 @ 11:23

  20. Well done – very useful!

    Comment by Danny — Tuesday 8 February 2011 @ 11:57

  21. […] 41KB kleine TaskManager.xls könnt ihr im Blog von Didier Stevens […]

    Pingback by Excel Task Manager für Windows | Dannys Blog — Tuesday 8 February 2011 @ 12:21

  22. […] man mal drauf kommen: Didier hat aus Excel und VBA ein kleines Script gebaut, welches die laufenden Prozesse eines […]

    Pingback by Taskmanager als Excel-Tabelle — Wednesday 9 February 2011 @ 7:24

  23. great, absolut amazing

    Comment by Thomas G — Wednesday 9 February 2011 @ 8:03

  24. […] Didier Stevens hat einen Taskmanager in Excel Form publiziert. Damit kann man alle Funktionalitäten des Windows Task Manager über ein Excel VBA Makro verwenden. Aus Sicherheitssicht besonders geeignet, um z.B. Restriktionen zu umgehen, wenn der Task Manager auf einem System gesperrt ist. Golem.de berichtet ebenfalls über den Excel Task Manager und ich muss ein wenig schmunzeln, wenn ich die sachkompetenten Kommentare zu dem Artikel lese. Da meint ein Benutzer, dass das ohne Sinn und Zweck wäre. […]

    Pingback by Taskmanager über Excel VBA | Schwaberow.de — Wednesday 9 February 2011 @ 8:10

  25. Great Tool.

    Very special thanks.

    Bytedieb

    Comment by Btedieb — Wednesday 9 February 2011 @ 8:14

  26. […] resume the processes from within the Excel workbook.You can download Excel Task Manager from the author’s site. It is in the form of a zip file. Extract Taskmanager.xls from the zip file and open it. By […]

    Pingback by Open Windows Task Manager In Microsoft Excel — Thursday 10 February 2011 @ 8:52

  27. It’s great, but is this able to run programs? (exe bat com …)

    Comment by Adam — Thursday 10 February 2011 @ 14:16

  28. This is a seriously cool idea, and something I may add to my thumbdrives for when I’m helping people on the road. Would definitely come in handy, and I’m sure at some point might need to use it, although I would probably go to a cmd line to run tasklist/taskkill first, then wmic if the other two fail.

    “wmic process list brief /every:3″ or “wmic process list brief /FORMAT:htable > process.html” and then “wmic process where name=’cmd.exe’ delete” or “wmic process processid delete” (where processid = the programs processID # or pid). I don’t think you can disable wmic on a system or you cripple other services in the process. Even if “Windows Management Instrumentation” services is disabled, wmic still works through the command line.

    Comment by DigiP — Friday 11 February 2011 @ 3:33

  29. @Adam You don’t need a VBA script to run programs from Excel, you can do it from the Open dialog.

    Comment by Didier Stevens — Friday 11 February 2011 @ 10:26

  30. Cher Didier, un outil tres utile, je t’en remercie beaucoup!

    Comment by Achim — Monday 14 February 2011 @ 9:08

  31. A must have tool for everyone

    Comment by Ib_Mumbai — Thursday 24 February 2011 @ 13:48

  32. thanks for this offer i havent try out yet but i will try it out and we will see.

    Comment by Tenekeci Celalettin — Thursday 24 February 2011 @ 13:54

  33. Can’t figure out how to enable.
    Sorry, I’m not a techie.
    Any one have exact step by step instructions?

    Comment by Bob — Thursday 24 February 2011 @ 14:38

  34. @Bob You mean enable macros on Excel? What version of MS Office do you use?

    Comment by Didier Stevens — Thursday 24 February 2011 @ 14:41

  35. too bad it is not working on x64 version of Office 2010.

    Comment by marius — Thursday 24 February 2011 @ 23:21

  36. It would be nice to list out other user name like LOCAL SERVICE, NETWORK SERVICE and SYSTEM. :)

    Comment by ahsiang — Friday 25 February 2011 @ 0:49

  37. […] Excel. I am listing TaskManager.xls as one of the must have tool for computer technicians.[ Download TaskManager.xls ] google_ad_client = "pub-8102232298595506"; /* 234×60, created 1/4/08 */ google_ad_slot = […]

    Pingback by Run Task Manager from Excel with Useful Suspend Process Command | Raymond.CC Blog — Friday 25 February 2011 @ 8:01

  38. @marius I’m planning to make an VBA64 version.

    Comment by Didier Stevens — Friday 25 February 2011 @ 8:29

  39. @ahsiang I’ve a new version that does that (provided you run as admin and elevated), will be released soon.

    Comment by Didier Stevens — Friday 25 February 2011 @ 8:30

  40. […] TaskManager.xls is a simple taskmanager implemented in Excel/VBA. It can list the running processes; and terminate, suspend or resume selected processes. […]

    Pingback by SoftwareBuzz – Tech Blog (updates) | Copiers of the World — Saturday 26 February 2011 @ 0:40

  41. […] TaskManager.xls spreadsheet is very popular, so here’s a new […]

    Pingback by Update: TaskManager.xls Version 0.0.3 « Didier Stevens — Tuesday 1 March 2011 @ 11:47

  42. […] Infine va premuto il pulsante Execute Commands, che esegue in base a ciò che si è scelto. Questo applicativo non è in grado di terminare i processi protetti. Potrete trovare il file Taskmanager.xls, creato da Didier Stevens, qui. […]

    Pingback by Il Task Manager Da Excel - ZioGeeK — Monday 28 March 2011 @ 10:02

  43. […] daha yakindan incelemek istiyorsaniz Buradaki excel sayfasi ile bunu gerceklestirebilirsiniz , Anasyfasi (macrolari enable […]

    Pingback by Görev yöneticisindeki işlemleri excel e dökün (vba) « « Sordum.com Sordum.com — Friday 29 April 2011 @ 21:11

  44. really beautiful tool

    Comment by sainikbiswas — Monday 15 August 2011 @ 23:56

  45. […] und – als etwas abgefahrene und vielleicht genau deswegen funktionierende Methode – ein Excel Sheet als Taskmanager.Abschließend sie natürlich erwähnt, dass man ein infiziertes System immer komplett platt machen […]

    Pingback by Windows XP – deaktivierten Taskmanager reaktivieren » Admins Werk — Saturday 24 September 2011 @ 9:50

  46. Very Impressed Didier. Was looking for a a way to get a list of all the active processes in Excel. The Command feature is a big plus! Thanks a lot.

    Comment by Scott — Wednesday 12 October 2011 @ 11:17

  47. […] releasing a new version of TaskManager.xls that runs on Excel 2010 64-bit too. The previous version ran on 64-bit Windows, provided you used […]

    Pingback by TaskManager Runs on 64-bit Excel « Didier Stevens — Saturday 15 October 2011 @ 11:21

  48. […] Download TaskManager.xls […]

    Pingback by SoQ » Blog Archive » Run Task Manager from Excel with Useful Suspend Process Command — Sunday 15 January 2012 @ 19:05

  49. Thanks for this. I need to see if a process is running, so I modified your code to do so.

    Comment by Jim Colleran — Saturday 11 February 2012 @ 3:38

  50. Very Nice Stuff..

    i have added some memory functionality to this excel file for examining the process memory usage..

    http://www.mediafire.com/?9clw2wcd6u7h67o

    Comment by sciomathman — Friday 24 February 2012 @ 5:19

  51. Very well done. I’m hoping I can incorporate some of this into my own project.

    I found your spreadsheet while searching for something similar. I would like to be able to produce a list of tasks like those that appear on the Applications tab of Task Manager instead of a list of processes like those that appear on the Processes tab, as your spreadsheet does.

    What I am trying to accomplish is to create a list of tasks and their associated process IDs for use as parameters for the AppActivate and SendKeys commands. The user could then select which application they wish to send the keys to from the list. If the task name is unique, I can pass the task name (the same as the window title) to AppActivate. If the task name is not unique, then I would pass the PID to AppActivate to ensure that the correct instance is activated (or just always pass the PID).

    I have done a fair amount of coding but these API calls are going to take some time (which I don’t have) to wrap my head around. Any assistance would be greatly appreciated.

    Comment by Howard Parr — Friday 24 February 2012 @ 21:39

  52. @sciomathman Thanks

    Comment by Didier Stevens — Saturday 25 February 2012 @ 21:58

  53. @Howard You’ve to enumerate the top windows to get a list of the applications like in Task Manager.

    Comment by Didier Stevens — Saturday 25 February 2012 @ 21:58

  54. […] is a new version of TaskManager.xls with memory usage statistics, with code given to me by […]

    Pingback by Update: TaskManager.xls V0.1.2 « Didier Stevens — Monday 5 March 2012 @ 12:03

  55. […] TaskManager.xls […]

    Pingback by Mike Tech Show #399 | Mike Tech Show — Saturday 17 March 2012 @ 5:41

  56. […] Download TaskManager_V0_0_1.zip from here – http://blog.didierstevens.com/2011/02/03/taskmanager-xls/ […]

    Pingback by Excel version of Windows Task Manager | IT Info Magazine — Thursday 22 March 2012 @ 22:47

  57. […] VBA 작업관리자 VBA로 만든 작업관리자다. 64비트에서는 잘 동작하지 않는다. […]

    Pingback by 2012년 03월 디지털포렌식 뉴스레터 | FORENSIC INSIGHT — Wednesday 4 April 2012 @ 6:17

  58. Hi, 5 stars for your :P

    Comment by christian — Friday 6 April 2012 @ 18:25

  59. […] TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these […]

    Pingback by Update: TaskManager.xls V0.1.3 Killer Shellcode « Didier Stevens — Tuesday 1 May 2012 @ 10:49

  60. […] sans-serif] [/FONT] [FONT='trebuchet ms', sans-serif] [FONT='trebuchet ms', sans-serif] [/FONT] TaskManager.xls: a simple task manager implemented in Excel/VBA. It can list the running processes and terminate, […]

    Pingback by Spyware/Malware Removal Guide — Sunday 6 May 2012 @ 20:18

  61. I am trying to achived what Howard mentioned in above.

    “I would like to be able to produce a list of tasks like those that appear on the Applications tab of Task Manager instead of a list of processes like those that appear on the Processes tab, as your spreadsheet does.”

    I hope lot of user can use that for routine work. Would you be able to create that one?
    Thanks

    Comment by Shiva — Tuesday 17 July 2012 @ 10:20

  62. @Shiva I think that is a list of processes of the current user with a main window.

    Comment by Didier Stevens — Wednesday 18 July 2012 @ 21:46


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 244 other followers

%d bloggers like this: