Usage: ntsuspend [options] Options: -h [ --help ] : Display this information -x [ --xml ] : Output XML -i [ --pid ] arg : Specify process id -n [ --name ] arg : Specify process name -s [ --substr ] : Process name is a substring match -r [ --resume ] : Resume instead of suspend -t [ --test ] : Test process(es) for suspension -c [ --computer ] arg : Execute on remote computer -u [ --username ] arg : Username for remote computer -p [ --password ] [arg] : Password for remote computer
The --help option displays usage information (see Usage Standards). The --xml option specifies that the output should be in XML (see Usage Standards). The --pid, --name, and --substr options are used to select processes on which to operate; see Usage Standards for the semantics. The --computer, --username, and --password options are used in remote administration.
ntsuspend supports three different actions: suspend processes (default), resume processes (--resume), or test processes (--test).
Suspending a process will cause that process to no longer be scheduled for work by the OS. This is useful if some process is taking up CPU time or thrashing the disk, but you don't want to actually kill the process. Note that leaving a processes suspended will cause the OS to think that the process is not responding. For this reason, it is not recommended to suspend services. Also, suspending system processes is possible but not recommended.
Suspending a process will fail if the process is already suspended or if the user does not have adequate privileges.
Resuming a process will allow a process to be scheduled again. Resuming a process will fail if the process is not suspended or if the user does not have adequate privileges.
Testing a process will determine if a process is already suspended or if it is running. You can get a list of all process names, ids, and their suspended state by running ntsuspend -t.
Suspending a process is done by suspending all the threads in that process. This is done in a loop so that if more threads are created during the suspension action, they will be caught as well.
Resuming a process is done by resuming all threads in that process.
Testing a process is done by suspending and resuming all its threads, and checking the previous suspend counts of those threads. This is the only portable way to test for suspension.
This program conforms to the NTUtils Common Version 1.0.
The possible values for the action attribute of an info node are: suspend, resume, and test.
The possible values for the value attribute of a result node are: suspended (if a process was suspended or if it was tested and found to be suspended), running (if a process was tested and found to be running), or resumed (if a process was resumed).
ntsuspend may fail if the process it is acting on has one of its threads exit at just the wrong time.
There is also the possibility of catastrophic failure; that is, where some threads in a process are properly suspended but the rest are not. The only likely cause of this is if the process exited while it was being suspended. In the case of this happening, a special error is reported: Process is now in an invalid state due to ...
In the case of a process that regularly suspends and resumes its threads, and already has one thread at its maximum suspend count, ntsuspend will be unable to suspend that process, or even test it for suspension. A similar problem may occur if such a process has a thread at one below the maximum suspend count, in which case ntsuspend will be able to suspend the process but will not be able to resume it.
When operating remotely, the maximum size of the output is 8196 characters.