Files being used
- [#usedfile]: Seeing what is using a specific file
This can be a step taken to try to hunt down a troublesome program. Note, however, that malware, intentionally created to cause problems, may often take steps to hide which files are opened.
Also, note that many programs may release the file handles while working on a temporary copy of the file (either just stored in memory, or perhaps as a temporary file). Examples of programs that do this include the following text editors:
One possible way may be to view the list of running processes. If a program had the filename specified on the command line, that may be one of the fastest ways to locate the filename. In the case of the text editors just mentioned, that may even be more likely to provide useful information than trying to look at the list of file handles.
- Determining what files are being used, by using file handles
Another approach may be to check for any file handles that are still open. See
. Either might be installed with the operating system (e.g.
is installed in OpenBSD) or available as an add-on package (e.g.
is an add-on package downloadable for OpenBSD, but may be included in some other operating systems).
In operating systems using the Linux kernel, the answer may be quickly seen by running:
- Figuring out the owner of an inode when using BSD
This process can be rather extensive: See files used in BSD.
- Other Unix systems
Wikipedia's article for
(Unix) says “The equivalent command on BSD operating systems is
(An implication, therefore, is that a command called
may exist on computers using some other operating systems.)
- Microsoft Windows
- Files being shared to remote
This may not be the first, most obvious possibility of what may be using a file, although it is a great thing to check first. It's pretty fast to check, and some of the other techniques might not clearly pinpoint the actual cause nearly as quickly if this is what is happening. For details, see CIFS.
- See what is using other files
- Using built-in software
- Win7 Resource Monitor
With Windows 7's Resource Monitor, the CPU tab may provide an interface. (Although Windows Vista may have introduced the “Resource Monitor” program, the interface for checking handles does not exist in the “CPU” section of Windows Vista's Resource Monitor.)
For prior versions of Windows, or for those looking to automate this a bit more, see some of the other options.
Windows XP and newer may have an option using a command called
. Although “
” is related to CIFS, “
” may be related to files currently opened on the local system.
However, this built-in software doesn't help much the first time someone wants to use it to deal with an already-existing situation: most likely the software won't show information about local files until someone runs “
”, and then reboots, as shown by TechNet: Windows Server 2008 (R2): Command-line Reference:
says this option:
Allows an administrator to enable or disable the system global flag
'maintain objects list' which tracks local file handles. Changes
made by this switch will take effect only after restarting the
Note: Enabling this flag reduces system performance.
- Options using software that has source code publicly available
Third party options
Process Hacker may have options similar to Process Explorer by Sysinternals.
Listing Used Files is a GUI application with source code available. However, a Social MSDN page about listing files indicates that this may use structures that are fairly specific, and so this may need to be updated when new operating systems are released.
- Other software distributed by Microsoft
Perhaps realizing that Windows did not come with a real good solution for certain useful tasks such as seeing what software is using a file, Microsoft acquired (bought?) Sysinternals. The license agreement allows for free download from Microsoft and free usage, but not redistribution. Still, despite that restrictive nature, they are being mentioned here as working solutions.
(by Sysinsternals) may show the desired information. At least in theory, perhaps use
which is obtainable from ListDLLs (by Sysinsternals). Microsoft KB Q927229: Win2KRK Tools for Administrative Tasks mentions Open Handles (
) which also appears to do the same thing (but perhaps only for open windows).
The FileMon download page says “FileMon works on NT 4.0, Windows 2000, Windows XP, Windows XP and Windows Server 2003 64-bit Edition, Windows 2003 Server, Windows 95, Windows 98 and Windows ME.” Also, “Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista.” (In contrast, Process Explorer's web page lists the Windows 2000 requirements as SP4 Rollup 1 or newer.) This makes FileMon the recommended option for versions of 2K, XP, and Server 2003 that are without the sufficient service packs, and Win9x and NT4. Sysinternals Suite contains both FileMon and Process Monitor.
See also Process Explorer. (Microsoft KB 232830: How To Determine File Handle Ownership refers to Process Explorer. See also: information about Process Explorer.) Process Explorer's page says “Process Explorer works on Windows 2000 SP4 Rollup 1 or above.” (This does not include Windows ME, which is slightly newer than Windows 2000.) This differs a bit from FileMon's page which doesn't mention “Rollup 1” as being needed. In Process Explorer, one may press Ctrl-F or go to the Find menu and choose “Find Handle or DLL...” Type in any portion/substring of the Handle or DLL. This may take a while (10 seconds?) to complete the search. Once the PIDs are found, feel free to bring focus to the original Process Explorer window, select/highlight a process, access the Shortcut/Context/“Right-Click” menu for that process, choose Window, and then “Bring to front”. Another option is a two part process: First set the lower pane to view Handles. This may be done by pressing Ctrl-D or going to View, Lower Pane View, Handles. Then, choose a process in the upper pane.
Another option, which probably won't work to provide correct answers quickly, but which may, is to use Process Monitor, use a filter (by using the “Filter” menu if needed) where the Path contains the filename in question. Then try to access the file. However, this is more likely to show the process that tried to access the file and then couldn't because of the handle. If the process with an open handle is dormant (waiting for user input), the process may not trigger anything that will be visible in Process Monitor. For instance, if a folder cannot be moved because of a program was started from a command prompt that had the folder active that folder, that program might need to be stopped even though the program is not actively using the folder. If the program never actually really uses the folder, then the program will not show up by the Process Monitor.
It seems possible that the “
” command and the more verbose “
WMICprocess get Handle,HandleCount,processID
” command may have some use related to finding what handles exist. However, at the time of this writing, it is not yet clear whether this is actually relating to standard file handles, or some other type of handle. (More details about WMI are readily available.) However, it appears this might not be useful, and Social MSDN page about listing files suggests that there might not be a compatible, readily available method to do this automatically, except to (download, and then) utilize software that may not be re-distributed.
WMICprocess list FULL
- Misc (closed source) third party option(s)
NirSoft's OpenFilesView can show the current file position. (This feature probably does not take into account the fact that software may be using read-ahead buffers.) The program supports both command line and GUI interfaces. However, the general release did not seem to work on an X64 system. There is an x64 version provided, although OpenFilesView for x64 requires that driver signing test mode is turned on and setting that may require a reboot. (The reboot, of course, will close any currently opened handles.)
- Additional guide
Here was some additional information written up; this should probably be reviewed and merged with the above text.
- Using software by Sysinternals to determine how a file is used
- Using “Process Monitor” to determine how a file is used
Using Process Montior (part of the Process Monitor zip file offered from the Process monitor page), capturing events starts automatically. Stop capturing events (from the File menu) after the desired file is accessed.
If only files are of interest, click on the relevant buttons on the toolbar to disable Registry accesses, network activity, and processes/threads, leaving only files as a button which is still enabled.
To narrow things down further, to a specific file, use the Filter menu's “Filter...” option (via Ctrl-L) and make a filter for Path. Make the second drop-down box say “contains” (so that the folders don't need to be typed) and type in the partial path, such as the filename. Leave the final drop down box set to Include, and Add the filter to the filterset. Make sure that filter is checked (which it will be by default), and Apply.
The results of these instructions do not show the username, but it shows the PID which can be used to identify the username that runs that program. That may be done graphically using Task Manager's Processes tab (after making the PID column visible), or, depending on the operating system?, one might be able to use the command line by using the TaskList command. If the PID is 12345, use:
The seventh field (which may be on the 94th column of text, though perhaps that may vary frequently depending on what is running?) shows the username.
- Using Process Explorer
- sProcess Explorer Web Page, information on Process Explorer
- Using FileMon
- FileMon (Filemon's web page discussing it being unsupported)
- Using Handle
- Use Sysinternals Handle
- Other options
- For DLL files specifically, Sysinternals ListDLL, or (according to Process Explorer's page's “Related Links” section, PsList and PsKill.
- Perhaps less likely, but check for shares
- View the Computer Management program
- Checking command lines
- Scan the command lines of all processes to see if any of them reference the file in question. In Windows Vista, that may be done with Task Manager. With Windows XP, Task Manager will not show the full command line (unless that happens to be the same thing as the value of one of the other fields, like the image name), although using Process Monitor may work.
Your best clues may be to see what programs
are running. This is generally not an issue since DOS typically runs only one
program. If multitasking is happening, then use an interface that is related to
the software that allows for multitasking. Note that the \CONFIG.SYS command
FILES” can affect a limit of how many file handles are available.
- Seeing what files a specific program has open
- Microsoft Windows
For Windows 2000, XP, and newer, a graphical interface option is to use Nirsoft's ProcessActivityView. (Be sure to get the X64 version for Windows X64.) The first thing the program does is shows a list of running programs (with PID, process name and path, and icon). Then it shows details about that process. The program can also start a process and start monitoring it. Unlike many of Nirsoft's tools, command line parameters seem fairly limited (although they do exist).
- [#stopfhnd]: Working around a file that is in use
Most of the time, the best way to handle this is to cleanly close the program that is locking the file. Another way, of course, is to close that program less cleanly. This may not be a good idea. The prevention of a file being accessed may be intentional. However, here are some options that may be available.
One option may be to see what permissions are needed, and to work around the issue. For example, Microsoft Wordpad may be unable to open a file, even though other programs can. This is probably because Wordpad is trying to claim some sort of exclusive and/or write permissions. Some file viewing software, such as the
command available in JP Software products, may also have such an exclusive access. A workaround that may work is to use another technique that can access the file and then release access to the file. Copying the file may be one option: then the copy may be read (or written to) as desired. Running Microsoft's
may also work to open a file when other software (like Microsoft Wordpad) cannot accomplish the same task.
Of course, another workaround is to see what is using a specific file, and having that software stop using the file (by having the software close the file, or by closing the software).
- Microsoft Windows
file is available, described at Microsoft KB Q927229: Win2KRK Tools for Administrative Tasks.
- [#unlocker]: Unlocker
Cedrick 'Nitch' Collomb's Unlocker (Cedrick 'Nitch' Collomb's Unlocker (Mirror site)) has a tool which can be effective. Freeware called Unlocker may help. (Previous homes on the web (previously at http://ccollomb.free.fr/unlocker/ but that site has been known to go down, and the official mirror for Unlocker has started redirecting users to the new location at the EmptyLoop site.)
Be wary when installing this software to avoid installing unwanted adware. A more recent version will enter a delay if choosing to install this software without installing the Bing toolbar, although those who cringe at the thought of toolbar installations may declare the payoff to be well worth a brief wait.
However, as long as such care is done during the installation, this software can sometimes perform tasks that don't seem to be available using other methods. Examples include copying or removing a file that is in use.