Process
taskkill.exe
taskkill.exe is the command-line tool for ending running processes, by name or process ID, on the local machine or a remote one. Administrators use it to close hung or unwanted programs. Attackers use it to shut down antivirus, EDR, and other defenses, and to kill the applications and databases that would otherwise block file encryption.
File identity
Not observed.
Not observed.
Not observed.
Not observed.
Execution context
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
Not observed.
Not observed.
Indicators
Not observed.
Analysis
taskkill.exe terminates processes. It selects them by image name with /im (for example /im notepad.exe) or by process ID with /pid, /f forces termination, and /t ends the whole process tree including children. With /s <host> and credentials it can kill processes on a remote machine. The genuine binary lives at C:\Windows\System32\taskkill.exe.
Legitimately, taskkill is run by administrators, scripts, and installers to close or restart programs. The process it targets, and whether the kill is forced or sweeping, are what give an instance meaning. Ending a single hung app is routine. Killing security software, or a long list of processes at once, is not.
taskkill.exe is a straightforward way to blind defenses (T1685). taskkill /f /im <security tool>.exe terminates antivirus, EDR, or logging agents so monitoring goes dark before the next stage. A taskkill aimed at known security-product process names, especially several in quick succession, is high-signal. It only works where the target is not a protected process, which is exactly why many EDRs now run as protected (PPL) to resist being killed this way.
It is also part of ransomware preparation (T1489). Before encrypting, an operator kills the processes and database or backup agents that hold files open or could interfere, so the encryptor can reach every file. A burst of taskkill against database engines (sqlservr.exe, Oracle), backup agents, and Office applications just before mass file changes is a recognizable pre-encryption pattern. Because taskkill is a normal admin tool, the targeted process names, the breadth of the kill, and the parent are what separate maintenance from sabotage.
- Image path other than C:\Windows\System32\taskkill.exe (high)
- /im or /pid targeting an antivirus, EDR, or other security process (high)
- A sequence killing many processes (security tools, databases, backup agents) (high)
- /f /t force-killing trees of security or business-critical processes (high)
- Parent is an Office application, a script host, or an unfamiliar process (high)
- A remote target, /s <host> (med)
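As an added example, not part of this page's source, the signals above written as detection logic in Python: it parses a taskkill command line, scores one process-creation record, and flags parents that issue several taskkills in quick succession. The process-name sets and the event field names (image, cmdline, parent_image, parent_pid, ts) are constructed placeholders to be replaced with your environment's real agent names and your log schema.

```python
# Added example: score taskkill.exe process-creation events against the signals above.
import re
from collections import defaultdict

GENUINE_PATH = r"c:\windows\system32\taskkill.exe"
SECURITY_PROCS = {"edragent.exe", "avservice.exe", "logagent.exe"}   # constructed names
BUSINESS_PROCS = {"sqlservr.exe", "oracle.exe", "backupagent.exe"}   # constructed names
SCRIPT_OR_OFFICE = {"winword.exe", "excel.exe", "wscript.exe", "cscript.exe"}
ARG_RE = re.compile(r'/(im|pid|s|f|t)\b\s*"?([^\s"/]*)"?', re.IGNORECASE)

def parse_cmdline(cmdline):
    """Return (switches, targets, remote_host) from a taskkill command line."""
    switches, targets, host = set(), [], None
    for key, val in ARG_RE.findall(cmdline):
        switches.add(key.lower())
        if key.lower() == "s":
            host = val.lower()
        elif val:
            targets.append(val.lower())      # /im name or /pid number
    return switches, targets, host

def score_event(ev):
    """ev: {'image', 'cmdline', 'parent_image'} -> (severity, reasons)."""
    reasons = []
    if ev["image"].lower() != GENUINE_PATH:
        reasons.append(("high", "image path is not the genuine binary"))
    switches, targets, host = parse_cmdline(ev["cmdline"])
    sec_hits = sorted(t for t in targets if t in SECURITY_PROCS)
    if sec_hits:
        reasons.append(("high", "targets security process: " + ", ".join(sec_hits)))
    if {"f", "t"} <= switches and any(t in SECURITY_PROCS | BUSINESS_PROCS for t in targets):
        reasons.append(("high", "/f /t tree kill of a critical process"))
    parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
    if parent in SCRIPT_OR_OFFICE:
        reasons.append(("high", f"parent {parent} is an Office app or script host"))
    if host:
        reasons.append(("med", f"remote target via /s {host}"))
    severity = max((lvl for lvl, _ in reasons), key=("none", "med", "high").index, default="none")
    return severity, [why for _, why in reasons]

def kill_bursts(events, window_s=60, threshold=3):
    """Parent PIDs that issue >= threshold taskkills within window_s seconds."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["parent_pid"]].append(ev["ts"])
    return {pid for pid, ts in by_parent.items()
            if any(t[i + threshold - 1] - t[i] <= window_s
                   for t in [sorted(ts)] for i in range(len(t) - threshold + 1))}
```

A single routine kill such as `taskkill /im notepad.exe` from explorer.exe scores "none"; the severity rises only with the target, the switches, the parent, or the volume, which is the point the analysis makes.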
Telemetry
Not observed.
Not observed.