Before that message appeared, I had to forcibly terminate two Wireshark processes with the Windows Task Manager in order to proceed with the upgrade: I had seen a message that the installation could not proceed with Wireshark running, yet those instances of Wireshark wouldn't close when I tried to close them normally. One of the two was due to my trying a second time to start Wireshark when there was a long delay before it appeared.
I ran the Windows Task Manager with administrator privileges by typing Task Manager in the Cortana "Ask me anything" field and then right-clicking on Task Manager when it was returned in the search results. I saw Dumpcap, which is a process Wireshark and TShark run to perform packet capture, listed in the process list, so I clicked on it to select it and then clicked on the End Task button, but that didn't actually terminate the process.
At a command prompt, I checked on the process ID (PID) for the dumpcap process and found there were two such processes running.
C:\Users\Lila>tasklist /fi "imagename eq dumpcap.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
dumpcap.exe                   6568 RDP-Tcp#1                  1      6,784 K
dumpcap.exe                   9060 RDP-Tcp#1                  1      6,612 K

C:\Users\Lila>
But I couldn't kill the processes, even from an administrator command prompt, using the taskkill command. I saw messages stating "There is no running instance of the task," yet the processes appeared to be running.
C:\WINDOWS\system32>taskkill /f /pid 9060
ERROR: The process with PID 9060 could not be terminated.
Reason: There is no running instance of the task.

C:\WINDOWS\system32>taskkill /f /pid 6568
ERROR: The process with PID 6568 could not be terminated.
Reason: There is no running instance of the task.

C:\WINDOWS\system32>tasklist /fi "imagename eq dumpcap.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
dumpcap.exe                   6568 RDP-Tcp#1                  1      6,544 K
dumpcap.exe                   9060 RDP-Tcp#1                  1      6,376 K

C:\WINDOWS\system32>
I had used the /f option for the taskkill command, which indicates taskkill should forcibly terminate processes, but that hadn't worked, so I tried adding the /t option, which terminates the specified process and any child processes which were started by it, but that didn't help, either.
C:\WINDOWS\system32>taskkill /f /t /pid 6568
ERROR: The process with PID 6568 (child process of PID 8120) could not be terminated.
Reason: There is no running instance of the task.

C:\WINDOWS\system32>taskkill /f /t /pid 9060
ERROR: The process with PID 9060 (child process of PID 10356) could not be terminated.
Reason: There is no running instance of the task.

C:\WINDOWS\system32>
I assumed PIDs 8120 and 10356 corresponded to the Wireshark processes I had forcibly terminated with the Task Manager. The tasklist command didn't show them running.
C:\WINDOWS\system32>tasklist /fi "pid eq 9060"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
dumpcap.exe                   9060 RDP-Tcp#1                  1      6,240 K

C:\WINDOWS\system32>tasklist /fi "pid eq 10356"
INFO: No tasks are running which match the specified criteria.

C:\WINDOWS\system32>tasklist /fi "pid eq "8120"
INFO: No tasks are running which match the specified criteria.

C:\WINDOWS\system32>
I found someone commenting on "Taskkill /f doesnt kill a process" that he was able to address a similar problem using the PowerShell kill command from an administrator PowerShell prompt, but that didn't work for me. The processes were still running when I issued the tasklist command several minutes after entering the kill commands.
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32> kill -id 9060
PS C:\WINDOWS\system32> kill -id 6568
PS C:\WINDOWS\system32> tasklist /fi "imagename eq dumpcap.exe"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
dumpcap.exe                   6568 RDP-Tcp#1                  1      6,264 K
dumpcap.exe                   9060 RDP-Tcp#1                  1      6,224 K

PS C:\WINDOWS\system32>
Someone else indicated he was able to resolve a similar problem using a wmic command to kill an errant process, but that didn't work in this case, either, whether I tried removing the processes by name or by PID. In both cases I received "Access denied" messages.
C:\WINDOWS\system32>wmic process where name='dumpcap.exe' delete
Deleting instance \\ANAHEIM\ROOT\CIMV2:Win32_Process.Handle="6568"
ERROR:
Description = Access denied

C:\WINDOWS\system32>wmic process where "ProcessID=9060" delete
Deleting instance \\ANAHEIM\ROOT\CIMV2:Win32_Process.Handle="9060"
ERROR:
Description = Access denied

C:\WINDOWS\system32>
I checked the parent process IDs for both dumpcap.exe processes to see if they had spawned any other children that were still running. Except for the process for the attempted upgrade to Wireshark 2.2.4, which wouldn't proceed because dumpcap.exe was running, there were only the two dumpcap.exe processes.
C:\WINDOWS\system32>wmic process where "ParentProcessID=8120" get name
Name
dumpcap.exe
Wireshark-win64-2.2.4.exe

C:\WINDOWS\system32>wmic process where "ParentProcessID=10356" get name
Name
dumpcap.exe

C:\WINDOWS\system32>
I next tried killing the processes using Microsoft's free Process Explorer utility by right-clicking on dumpcap.exe and selecting "Kill Process" or "Kill Process Tree".
Neither allowed me to kill the processes. I received "Error terminating process: Access is denied" messages. The results were the same whether I ran Process Explorer from a standard user account or by right-clicking on the executable and selecting "Run as administrator" to run it. Process Explorer showed that neither process was getting CPU cycles. When I right-clicked on one of the entries, chose Properties, and then selected Disk and Network from the Properties window, I saw that both the Network and Disk I/O values were all zero.
From the Properties window, I even tried selecting the Threads tab and then Kill. That didn't help, nor did selecting Suspend to suspend the process. When I tried to suspend the process, I saw "Unable to suspend thread: The system cannot find the file specified."
The Threads tab showed a Thread ID (TID) of 6296 for the process with PID of 6568. It showed a Start Address of !RtlReleaseSRWLockExclusive+0x1370.
The TID for PID 9060 was 0x0. I couldn't kill nor suspend it, either. Clicking on the Kill button didn't produce any error message, but didn't kill the process and clicking on the Suspend button produced the same error message as with the other dumpcap process. The state was shown as "Wait:Executive" for the thread in both processes.
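The checks above (tasklist for the PIDs, taskkill /t to learn the parent PID, the wmic ParentProcessID query for other children, and the thread state Process Explorer displays as "Wait:Executive") can be gathered in one place from PowerShell. The following is an added example, not code from the original post or from the Wireshark project; it assumes Windows PowerShell 5.1 or later in an elevated prompt, and the function names, the two-second re-check delay and the default process name are my own choices.

```powershell
# Added example (not from the original post): one report per dumpcap.exe
# process with its parent, its siblings and its thread wait state, followed by
# a forced stop attempt that records the error instead of silently failing.
# Assumes Windows PowerShell 5.1+ in an elevated prompt; 'dumpcap.exe' is the
# case on this page and is a parameter so the same report works elsewhere.

function Get-StuckProcessReport {
    param([string]$Name = 'dumpcap.exe')

    # Win32_Process exposes the same ProcessId / ParentProcessId pairs wmic used.
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$Name'"
    foreach ($p in $procs) {
        # Is the parent still alive? Nothing returned means the child is orphaned,
        # which matches taskkill /t naming a parent PID that tasklist cannot find.
        $parent = Get-CimInstance -ClassName Win32_Process `
            -Filter "ProcessId = $($p.ParentProcessId)"

        # Other children of the same parent (the wmic ParentProcessID query).
        $siblings = Get-CimInstance -ClassName Win32_Process `
            -Filter "ParentProcessId = $($p.ParentProcessId)" |
            Where-Object { $_.ProcessId -ne $p.ProcessId } |
            Select-Object -ExpandProperty Name

        # Thread state and wait reason, shown by Process Explorer as e.g.
        # "Wait:Executive". WaitReason is only valid while ThreadState is Wait.
        $threads = @()
        $gp = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if ($gp) {
            $threads = $gp.Threads | ForEach-Object {
                $reason = if ($_.ThreadState -eq 'Wait') { $_.WaitReason } else { '-' }
                '{0}:{1}:{2}' -f $_.Id, $_.ThreadState, $reason
            }
        }

        [pscustomobject]@{
            Name       = $p.Name
            PID        = $p.ProcessId
            ParentPID  = $p.ParentProcessId
            ParentName = if ($parent) { $parent.Name } else { '(exited)' }
            Siblings   = ($siblings -join ', ')
            Threads    = ($threads -join '; ')
        }
    }
}

function Stop-StuckProcess {
    param([Parameter(Mandatory)][int[]]$Id)

    # Loop variable is not named $pid: that is PowerShell's own process ID.
    foreach ($targetId in $Id) {
        try {
            Stop-Process -Id $targetId -Force -ErrorAction Stop
            $status = 'stop requested'
        } catch {
            # "Access is denied" here is the same failure taskkill and wmic reported.
            $status = 'failed: ' + $_.Exception.Message
        }
        # A stop request can be accepted and still have no effect on a process
        # blocked in the kernel, so re-check rather than trusting the call.
        Start-Sleep -Seconds 2
        $stillThere = [bool](Get-Process -Id $targetId -ErrorAction SilentlyContinue)
        [pscustomobject]@{ PID = $targetId; Result = $status; StillRunning = $stillThere }
    }
}

# Usage: inventory first, then attempt the stop and re-check.
$report = Get-StuckProcessReport -Name 'dumpcap.exe'
$report | Format-List
if ($report) {
    Stop-StuckProcess -Id $report.PID | Format-Table -AutoSize
}
```

The point of the StillRunning column is the one this page illustrates: for a process whose only thread is waiting in the kernel, Stop-Process and taskkill can report either an access-denied error or nothing at all, and only a second look at the process list tells you whether anything happened.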
I used Microsoft's free Handle tool to see if either process had any files open. Neither did.
C:\Windows\System32>"C:\Program Files\Utilities\Sysinternals\handle64" -p dumpcap

Nthandle v4.1 - Handle viewer
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
dumpcap.exe pid: 6568 Midland\Lila
------------------------------------------------------------------------------
dumpcap.exe pid: 9060 Midland\Lila
   34: File  (RW-)   C:\Program Files\Network\Monitoring\Wireshark

C:\Windows\System32>
At the Stack Overflow page where people were offering suggestions as to ways to kill processes that refused to terminate, seansilver noted that he had been able to resolve a similar issue by killing the Windows File Explorer, i.e., explorer.exe. I tried restarting the Windows File Explorer through the Task Manager by right-clicking on Windows Explorer and choosing "Restart", but that made no difference to the problem.
Mark Russinovich, who created the Windows Sysinternals tools, such as Process Explorer and the handle utility I used, that were later acquired by Microsoft, discusses reasons why some processes are unkillable in his August 17, 2005 blog article Unkillable Processes.
For this particular unkillable process, dumpcap.exe, I did find a reference to the dumpcap process persisting after Wireshark crashes in the Wireshark 2.4.4 Release Notes under Known Problems:
Dumpcap might not quit if Wireshark or TShark crashes. (Bug 1419)
Bug 1419 - dumpcap keeps running after Wireshark crashes was reported on 2007-03-05, but still remains open.