Find open handles of a program

[stdedos]

I have seen the very helpful feature of PH to help track down open file handles of e.g. a program keeping a lock on a file, and Windows not be that smart about telling who's responsible. However, ... that doesn't always work.

I hate to ask to be spoonfed... but here it goes:

I don't see anything holding an open handle on the D: drive.
Of course, maybe, someone can claim that the open handle is on the device itself (which I don't know how to look for) rather than "a plain file with a plain path".

Any feedback welcome!

[Biswa96]

PH is working correctly. Here is an example screenshot with Microsoft Windows File Explorer.

Maybe that program is not working the way you are thinking it would be.

[stdedos]

Yeah, of course - I am not saying that this program is 100% doing what it's supposed to do correctly verifiably.
With the last build https://www.ltr-data.se/opencode.html/#ImDisk at 2018, all bets could be off.

[dmex]

Finding handles or dlls requires access to the original process to enumerate its handles. So to be able to find all handles you need to:

1. Enable the kernel driver. You'll see a "+" symbol in the window title when the driver is connected.
2. Running as administrator. Required to search handles from the System process and other elevated processes.

If you don't have these enabled then you won't be able to locate/search for handles properly... Also more recently some 'security' products such as Avast/AVG are currently using DKOM (direct kernel object manipulation) exploitation for zeroing the names of handles so you cannot find open handles to disk/usb devices created by their software.

[stdedos]

I think I am at that level

And I have gotten rid of Avast! on my new rig 😀

[diversenok]

Have you tried searching for \Device\ImDisk0 instead of a drive letter? I remember some compatibility issues were preventing Process Hacker from correctly converting native paths to the Win32 format in some cases.

[stdedos]

Yep, that's it:

Awesome, thank you!

[stdedos]

PS: It doesn't solve the problem (still cannot create an image of the drive), but at least I know know, from PH's point of view, there are no ImDisk open handles.

Why does it complain and says it has no access idk (I tried UAC elevation, it does something, but it still complains too much / doesn't work afterwards)

[sskras]

@diversenok commented on Mar 4, 2021:

I remember some compatibility issues were preventing Process Hacker from correctly converting native paths to the Win32 format in some cases.

I am interested in the issue. Sadly the original site is unreachable to me, and the Internet Archive seems to have no copy of this particular page:

Small bug in the autoupdate code of the beta channel?