Process Handles and Identifiers
When a new process is created by the CreateProcess function, handles of the new process and its primary thread are returned. These handles are created with full access rights, and — subject to security access checking — can be used in any of the functions that accept thread or process handles. These handles can be inherited by child processes, depending on the inheritance flag specified when they are created. The handles are valid until closed, even after the process or thread they represent has been terminated.
The CreateProcess function also returns an identifier that uniquely identifies the process throughout the system. A process can use the GetCurrentProcessId function to get its own process identifier (also known as the process ID or PID). The identifier is valid from the time the process is created until the process has been terminated. A process can use the Process32First function to obtain the process identifier of its parent process.
If you have a process identifier, you can get the process handle by calling the OpenProcess function. OpenProcess enables you to specify the handle’s access rights and whether it can be inherited.
A process can use the GetCurrentProcess function to retrieve a pseudo handle to its own process object. This pseudo handle is valid only for the calling process; it cannot be inherited or duplicated for use by other processes. To get the real handle to the process, call the DuplicateHandle function.
Windows open file handles process
Question
I need to discover what file handles a process has open. The best example is what system internals ProcessExplorer does.
However they use NtQuerySystemInformation, which is a C++ call.
While I’m not against wrapping the call I figure there must be a direct C# call.
The closest c# option I can find is WMI calls.
Win32_Process will tell me what processes I’m running but it won’t tell me what file handles I have open.
Question:
1) Is there a WMI call that can tell me what File Handles are open? Either for a given process or at least what PID is holding the file handle?
2) Is there any other call I can do to complete this task?
Answers
All replies
Ya, I’ve actually already started using this particular project. It covers what I need but it’s not in C# and as you point out, it’s never going to be forwards compatible.
NtQuerySystemInformation is not recommended to use in applications, so I do not suggest it even though you may be able to P/Invoke the API from C#.
I’m not aware of a WMI class that can tell what file handles are open. May I know the business requirement behind the request of enumerating open file handles for a process? If you want to find out who has a file open, you may probably try the Restart Manager API, which is available in Windows Vista and later operating systems.
http://msdn.microsoft.com/en-us/library/aa373524(VS.85).aspx
The primary reason software installation and updates require a system restart is that some of the files that are being updated are currently being used by a running application or service. Restart Manager enables all but the critical applications and services to be shut down and restarted. This frees the files that are in use and allows installation operations to complete. It can also eliminate or reduce the number of system restarts that are required to complete an installation or update.
Another idea is to redirect stdIO of handle.exe utility
http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
and parse its output to get the opened files of a process. However, third party applications are not allowed to distribute the tool:
http://technet.microsoft.com/en-us/sysinternals/bb847944.aspx
Q: May I distribute Sysinternals utilities in my software, on my website, or with my magazine?
A: No. We are not offering any distribution licenses, even if the 3rd party is distributing them for free. We encourage people to download the utilities from our download center where they can be assured to get the most recent version of the utility.
Regards,
Jialiang Ge
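One way to act on the suggestion above of parsing Handle's output, as an added example that is not part of the original thread. The sample text is constructed, and the layout it assumes (a dashed separator, an `image pid: N owner` header, then indented `HEX: File (flags) path` lines) is an assumption to check against your Handle version.

```python
import re

# Constructed sample in the assumed layout; not captured from a real system.
SAMPLE = r"""
------------------------------------------------------------------------------
notepad.exe pid: 4148 EXAMPLE\alice
   40: File  (RW-)   C:\Windows
  1A4: File  (R--)   E:\reports\q3.docx
------------------------------------------------------------------------------
indexer.exe pid: 912 NT AUTHORITY\SYSTEM
   5C: File  (RWD)   E:\reports\q3.docx
   60: File  (RW-)   C:\ProgramData\indexer\service.log
"""

# Process header: starts in column 0, e.g. "notepad.exe pid: 4148 EXAMPLE\alice"
PROC_RE = re.compile(r"^(?P<image>\S.*?)\s+pid:\s+(?P<pid>\d+)\b")
# Handle line: indented hex value, type "File", optional share flags, path
HANDLE_RE = re.compile(
    r"^\s+(?P<handle>[0-9A-Fa-f]+):\s+File\s+"
    r"(?:\((?P<share>[RWD-]{3})\)\s+)?(?P<path>.+?)\s*$"
)

def parse_handle_output(text):
    """Return one dict per open file handle, tagged with its owning process."""
    rows, current = [], None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = (m["image"], int(m["pid"]))
            continue
        m = HANDLE_RE.match(line)
        if m and current:
            rows.append({"image": current[0], "pid": current[1],
                         "handle": int(m["handle"], 16),
                         "share": m["share"], "path": m["path"]})
    return rows

def holders(rows, needle):
    """(pid, image) pairs whose open paths contain needle, case-insensitively."""
    needle = needle.lower()
    return sorted({(r["pid"], r["image"]) for r in rows
                   if needle in r["path"].lower()})

if __name__ == "__main__":
    for pid, image in holders(parse_handle_output(SAMPLE), r"e:\reports"):
        print(pid, image)
```

On a real host, pass in the text captured from handle.exe with its standard output redirected instead of `SAMPLE`.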
How do you find what process is holding a file open in Windows?
One thing that annoys me no end about Windows is the old sharing violation error. Often you can’t identify what’s holding it open. Usually it’s just an editor or explorer just pointing to a relevant directory but sometimes I’ve had to resort to rebooting my machine.
Any suggestions on how to find the culprit?
16 Answers
I’ve had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.
To find a specific file, use the menu option Find->Find Handle or DLL. Type in part of the path to the file. The list of processes will appear below.
If you prefer command line, Sysinternals suite includes command line tool Handle, that lists open handles.
Examples
- c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\" (finds all files opened from drive e:\)
- c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"
You can use the Resource Monitor for this which comes built-in with Windows 7, 8, and 10.
- Open Resource Monitor, which can be found
  - By searching for Resource Monitor or resmon.exe in the start menu, or
  - As a button on the Performance tab in your Task Manager
- Go to the CPU tab
- Use the search field in the Associated Handles section
When you’ve found the handle, you can identify the process by looking at the Image and/or PID column.
You can then try to close the application as you normally would, or, if that’s not possible, just right-click the handle and kill the process directly from there. Easy peasy!
Just be very careful with closing handles; it’s even more dangerous than you’d think, because of handle recycling — if you close the file handle, and the program opens something else, that original file handle you closed may be reused for that "something else." And now guess what happens if the program continues, thinking it is working on the file (whose handle you closed), when in fact that file handle is now pointing to something else.
Suppose a search index service has a file open for indexing but has gotten stuck temporarily and you want to delete the file, so you (unwisely) force the handle closed. The search index service opens its log file in order to record some information, and the handle to the deleted file is recycled as the handle to the log file. The stuck operation finally completes, and the search index service finally gets around to closing that handle it had open, but it ends up unwittingly closing the log file handle.
The search index service opens another file, say a configuration file for writing so it can update some persistent state. The handle for the log file gets recycled as the handle for the configuration file. The search index service wants to log some information, so it writes to its log file. Unfortunately, the log file handle was closed and the handle reused for its configuration file. The logged information goes into the configuration file, corrupting it.
Meanwhile, another handle you forced closed was reused as a mutex handle, which is used to help prevent data from being corrupted. When the original file handle is closed, the mutex handle is closed and the protections against data corruption are lost. The longer the service runs, the more corrupted its indexes become. Eventually, somebody notices the index is returning incorrect results. And when you try to restart the service, it fails because its configuration files have been corrupted.
You report the problem to the company that makes the search index service and they determine that the index has been corrupted, the log file has mysteriously stopped logging, and the configuration file was overwritten with garbage. Some poor technician is assigned the hopeless task of figuring out why the service corrupts its indexes and configuration files, unaware that the source of the corruption is that you forced a handle closed.
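The recycling hazard described above, replayed as an added example (not from the original answer or the text it quotes). It uses C-runtime file descriptors through Python's os module as a stand-in for Win32 handles, since both hand a freed number to the next open; the file names are made up and the forced close is simulated in-process.

```python
import os
import tempfile

def replay_forced_close():
    """Replay the search-indexer story with file descriptors."""
    with tempfile.TemporaryDirectory() as d:
        def p(name):
            return os.path.join(d, name)
        flags = os.O_CREAT | os.O_WRONLY

        # The service opens the file it is indexing and remembers the number.
        indexed = os.open(p("indexed.dat"), flags)

        # Someone force-closes that descriptor behind the service's back.
        os.close(indexed)

        # The service opens its log; the freed number is handed out again.
        log = os.open(p("service.log"), flags)
        log_reused = (log == indexed)

        # The stuck indexing operation completes and closes "its" descriptor,
        # which by now refers to the log file.
        os.close(indexed)

        # The service opens its configuration file; same number once more.
        config = os.open(p("service.cfg"), flags)
        config_reused = (config == log)

        # The service writes a log record through the number it still
        # believes is the log. The bytes land in the configuration file.
        os.write(log, b"indexing finished\n")
        os.close(config)

        def read(name):
            with open(p(name), "rb") as f:
                return f.read()

        return {"log_reused": log_reused, "config_reused": config_reused,
                "log": read("service.log"), "config": read("service.cfg")}

if __name__ == "__main__":
    for key, value in replay_forced_close().items():
        print(key, "=", value)
```

No call fails at any step, which is why this kind of corruption is so hard to trace back to the forced close.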
Process Explorer v16.32
By Mark Russinovich
Published: April 28, 2020
Download Process Explorer (2.5 MB)
Run now from Sysinternals Live.
Introduction
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
Related Links
- Windows Internals Book The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon.
- Windows Sysinternals Administrator’s Reference The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use.
Download
Runs on:
- Client: Windows Vista and higher (Including IA64).
- Server: Windows Server 2008 and higher (Including IA64).
Installation
Simply run Process Explorer (procexp.exe).
The help file describes Process Explorer operation and usage. If you have problems or questions please visit the Process Explorer forum on Technet.
Note on use of symbols
When you configure the path to DBGHELP.DLL and the symbol path uses the symbol server, the location of DBGHELP.DLL also has to contain the SYMSRV.DLL supporting the server paths used. See SymSrv documentation for more information on how to use symbol servers.
Learn More
Here are some other handle and DLL viewing tools and information available at Sysinternals:
- The case of the Unexplained. In this video, Mark describes how he has solved seemingly unsolvable system and application problems on Windows.
- Handle — a command-line handle viewer
- ListDLLs — a command-line DLL viewer
- PsList — local/remote command-line process lister
- PsKill — local/remote command-line process killer
- Defrag Tools: #2 — Process Explorer In this episode of Defrag Tools, Andrew Richards and Larry Larsen show how to use Process Explorer to view the details of processes, both at a point in time and historically.
- Windows Sysinternals Primer: Process Explorer, Process Monitor and More Process Explorer gets a lot of attention in the first Sysinternals Primer delivered by Aaron Margosis and Tim Reckmeyer at TechEd 2010.
How To Know Which Process is Using a File or Folder in Windows
Ever wondered which program has a particular file or directory open? Quite often, when trying to delete a folder, Windows reports this:
This error also occurs with files, when we try to move or delete them. How can we find out which program or application is currently using the file or folder and preventing us from deleting or moving it? To identify the process holding the folder or file, we can use these two utilities:
Resource Monitor
For Windows 7 and above, you can use the built-in Resource Monitor.
Open Resource Monitor, which can be found
- By searching for resmon.exe in the start menu, or
- As a button on the Performance tab in your Task Manager
Resource Monitor from Task Manager’s Performance Tab
From the CPU tab, use the search field in the Associated Handles section.
When you’ve found the handle, you can identify the process by looking at the Image and/or PID column. You can then close the application if you are able to do that, or just right-click the row and you’ll get the option of killing the process (End Process) right there.
Process Explorer
Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
- Open Process Explorer (running as "administrator") by running procexp.exe or procexp64.exe.
- Enter the keyboard shortcut Ctrl+F. Alternatively, click the “Find” menu and select “Find a Handle or DLL”.
Process Explorer — Find Handle or DLL
- Type in the name of the locked file or other file of interest in the Search dialog box, then click "Search". Partial names are usually sufficient.
- A list will be generated. There may be a number of entries. Click one of the entries; Process Explorer will display "Refreshing handles".
Process Explorer — Search
As with Resource Monitor, an individual handle in the list can be killed by selecting it and pressing the Delete key (or choosing Close Handle). However, please be careful when deleting handles, as system instabilities may occur. Rebooting your system may also free the locked file/folder.
Process Explorer — Close Handle
Handle is a command line version of Process Explorer.
My Take
I prefer to use Resource Monitor compared to Process Explorer since Process Explorer is slower (especially during the "Refreshing handles" process). If I can’t find the handle in Resource Monitor, then I use Process Explorer.