How to Identify which Windows Process is Locking a File or Folder

While attempting to delete, move, or rename a file or folder you get a Windows warning message; the Operating System refuses to complete the operation.

This article helps identifying the process that currently has a handle on the file or folder you are attempting a maintenance operation on.

Symptoms

When trying to delete, move, or rename a file you get a Windows system warning message:

• «Cannot delete file: Access is denied».
• «There has been a sharing violation».
• «The source or destination file may be in use».
• «The file is in use by another program or user».
• «Make sure the disk is not full or write-protected and that the file is not currently in use».

How to Solve the Issue

One of the easiest ways to handle locked files or folders is to use Microsoft Sysinternals Process Explorer.

Identify what program is using a file

Using Process Explorer there is a simple way to find the program:

1. Open Process Explorer
   • Running as administrator.
2. On the toolbar, find the gunsight icon on the right.
3. Drag the icon and drop it on the open file or folder that is locked.
4. The executable that is using the file will be highlighted in the Process Explorer main display list.

Identify which handle or DLL is using a file

1. Open Process Explorer
   • Running as administrator.
2. Enter the keyboard shortcut Ctrl+F.
   • Alternatively, click the “Find” menu and select “Find a Handle or DLL”.
3. A search dialog box will open.
4. Type in the name of the locked file or other file of interest.
   • Partial names are usually sufficient.
5. Click the button “Search”.
6. A list will be generated.
   • There may be a number of entries.

Release the lock on the file or folder

To release the lock on the file you are attempting the maintenance operation on, you will need to kill the appropriate process. An individual program or handle in the list provided by Process Explorer can be killed by:

1. Selecting the process/handle/program entry.
   
2. Pressing the delete key.

Proceed with care when deleting handles as this may generate erratic behavior and instabilities may occur.

How To Know Which Process is Using a File or Folder in Windows

Ever wondered which program has a particular file or directory open? Quite often, when trying to delete a folder, Windows reports this:

This error also happens with a file, when we tried to move a file, or delete those file. How we can find out which program or application is currently using it and preventing us to delete/move it? To get the process holding those folder or file, we can use these two utilities:

Resource Monitor

For Windows 7 and above, you can use the built-in Resource Monitor.

Open Resource Monitor, which can be found

• By searching for resmon.exe in the start menu, or
• As a button on the Performance tab in your Task Manager

Resource Monitor from Task Manager’s Performance Tab

From CPU tab, use the search field in the Associated Handles section

When you’ve found the handle, you can identify the process by looking at the Image and/or PID column. You can then close the application if you are able to do that, or just right-click the row and you’ll get the option of killing the process (End Process) right there.

Process Explorer

Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

• Open Process Explorer (running as «administrator») by running procexp.exe or procexp64.exe.
• Enter the keyboard shortcut Ctrl+F. Alternatively, click the “Find” menu and select “Find a Handle or DLL”.

Process Explorer — Find Handle or DLL

• Type in the name of the locked file or other file of interest in the Search dialog box, then click «Search». Partial names are usually sufficient.
• A list will be generated. There may be a number of entries. Click one of the entry, it’ll «Refreshing handles».

Process Explorer — Search

Same as Resource Monitor, an individual handle in the list can be killed by selecting it and pressing the delete key (or Close Handle). However, please be careful when deleting handles, as system instabilities may occur. Rebooting your system maybe will free the locked file/folder.

Process Explorer — Close Handle

Handle is a command line version of Process Explorer.

My Take

I prefer to use Resource Monitor compare to Process Explorer since Process Explorer is slower (especially during «Refreshing handles» process). If I can’t find the handle in Resource Monitor, then I use Process Explorer.

Liked this Tutorial? Share it on Social media!

Detect what file a process is changing a on Windows

Is there a way to detect what file a process is changing in Windows?

I created a process — my_python_script.exe (python script I have compiled), and I would like to know what files the process changes using Windows tools such as procmon.exe or process explorer.

In this post: Detect what process is changing a file on Windows I found the exact opposite (what processes change a specific file).

But I would like to know how to find all the files a specific process is changing.

2 Answers 2

I would like to know how to find all the files a specific process is changing.

You can use procmon for this.

Deselect (uncheck) «File > Capture Events».

Clear the currently displayed events Edit > Clear Display

Filter > Filter. menu item. This will display the «Process Monitor Filter» dialog.

Set a new filter by setting the «Display entries matching those conditions» fields to, for example:

Process (drop down) > contains (drop down) notepad++ (edit box)

Operation (drop down) > contains (drop down) fastio (edit box)

File > Capture Events

Here is an example showing Notepad++ opening the file test.cmd

Change the fastio filter to be more explicit if you want to reduce the number ofevent shown.

It is easy to do, you already know the program you need to use, it is «Process Monitor»( procmon.exe ), you just need to use different filters.

First you need to set the filter to include the program you want to monitor by either set:

PID is $pid then Include

• $pid is a placeholder for the actual pid, i.e. 7552

or: Process Name is $name then Include

• $name is a placeholder for the actual process name, i.e. explorer.exe

You can get process name and pid through Task Manager( taskmgr.exe ), by left clicking «More details» then right click on resource values bar and check «PID» and «Process Name».

Either of the about two options will work and they have the exact same effect, they will make procmon display only activities of the process, the difference is PID is variable and may change every time the process launches, but it may be easier to type. The process name may be harder to type but is invariable (unless you rename the executable).

Then you need to set the filter Operation is WriteFile then Include to display the file changes made by the process. WriteFile is the operation recorded when a file is modified.

Then click Apply and then OK to make the filter take its effect.

Gizmo’s Freeware

Login / Register

Main menu

How to Find Out Which Windows Process is Using a File

Last updated by v.laurie on 03. February 2021 — 14:53

Ever try to delete, move, or rename a file only to get a Windows system warning with something like one of these messages?

• «Cannot delete file: Access is denied»
• «There has been a sharing violation»
• «The source or destination file may be in use»
• «The file is in use by another program or user».
• «Make sure the disk is not full or write-protected and that the file is not currently in use»

One of the best ways to handle locked files or folders is to use the free Microsoft program Process Explorer. The program has been described in another article and here is how to use it to find out what program, DLL, or handle is using a file or folder. You will need to run as administrator.

How to find out what program is using a file

In Windows 7 or 8, the system message may tell you what program is using the file. If it doesn’t or if you are using Windows XP, there is a simple way to find the program:

1. Open Process Explorer, running as administrator.
2. On the toolbar, find the gunsight icon on the right (shown highlighted in the figure shown below).
3. Drag the icon and drop it on the open file or folder that is locked.
4. The executable that is using the file will be highlighted in the Process Explorer main display list.

How to find out which handle or DLL is using a file

1. Open Process Explorer, running as administrator.
2. Enter the keyboard shortcut Ctrl+F. Altenatively, click the “Find” menu and select “Find a Handle or DLL”.
3. A search dialog box will open.
4. Type in the name of the locked file or other file of interest. Partial names are usually sufficient.
5. Click the button “Search”,
6. A list will be generated. There may be a number of entries.
7. An individual handle in the list can be killed by selecting it and pressing the delete key. However, care is necessary when deleting handles, as instabilities may occur. Often, just rebooting will free a locked file.

Process Explorer can be downloaded here.

Get your own favorite tip published! Know a neat tech tip or trick? Then why not have it published here and receive full credit? Click here to tell us your tip.

This tips section is maintained by Vic Laurie. Vic runs several websites with Windows how-to’s, guides, and tutorials, including a site for learning about Windows and the Internet and another with Windows 7 tips.

Click here for more items like this. Better still, get Tech Tips delivered via your RSS feeder or alternatively, have the RSS feed sent as email direct to your in-box.

How do you find what process is holding a file open in Windows?

One thing that annoys me no end about Windows is the old sharing violation error. Often you can’t identify what’s holding it open. Usually it’s just an editor or explorer just pointing to a relevant directory but sometimes I’ve had to resort to rebooting my machine.

Any suggestions on how to find the culprit?

16 Answers 16

I’ve had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.

To find a specific file, use the menu option Find->Find Handle or DLL. Type in part of the path to the file. The list of processes will appear below.

If you prefer command line, Sysinternals suite includes command line tool Handle, that lists open handles.

Examples

• c:\Program Files\SysinternalsSuite>handle.exe |findstr /i «e:\» (finds all files opened from drive e:\ «
• c:\Program Files\SysinternalsSuite>handle.exe |findstr /i «file-or-path-in-question»

You can use the Resource Monitor for this which comes built-in with Windows 7, 8, and 10.

1. Open Resource Monitor, which can be found
   • By searching for Resource Monitor or resmon.exe in the start menu, or
   • As a button on the Performance tab in your Task Manager
2. Go to the CPU tab
3. Use the search field in the Associated Handles section
   • See blue arrow in screen shot below

When you’ve found the handle, you can identify the process by looking at the Image and/or PID column.

You can then try to close the application as you normally would, or, if that’s not possible, just right-click the handle and kill the process directly from there. Easy peasy!

Just be very careful with closing handles; it’s even more dangerous than you’d think, because of handle recycling — if you close the file handle, and the program opens something else, that original file handle you closed may be reused for that «something else.» And now guess what happens if the program continues, thinking it is working on the file (whose handle you closed), when in fact that file handle is now pointing to something else.

Suppose a search index service has a file open for indexing but has gotten stuck temporarily and you want to delete the file, so you (unwisely) force the handle closed. The search index service opens its log file in order to record some information, and the handle to the deleted file is recycled as the handle to the log file. The stuck operation finally completes, and the search index service finally gets around to closing that handle it had open, but it ends up unwittingly closing the log file handle.

The search index service opens another file, say a configuration file for writing so it can update some persistent state. The handle for the log file gets recycled as the handle for the configuration file. The search index service wants to log some information, so it writes to its log file. Unfortunately, the log file handle was closed and the handle reused for its configuration file. The logged information goes into the configuration file, corrupting it.

Meanwhile, another handle you forced closed was reused as a mutex handle, which is used to help prevent data from being corrupted. When the original file handle is closed, the mutex handle is closed and the protections against data corruption are lost. The longer the service runs, the more corrupted its indexes become. Eventually, somebody notices the index is returning incorrect results. And when you try to restart the service, it fails because its configuration files have been corrupted.

You report the problem to the company that makes the search index service and they determine that the index has been corrupted, the log file has mysteriously stopped logging, and the configuration file was overwritten with garbage. Some poor technician is assigned the hopeless task of figuring out why the service corrupts its indexes and configuration files, unaware that the source of the corruption is that you forced a handle closed.