Manage Process Handles (handle.exe)


To check which handles a given process has open I will use handle.exe from Sysinternals. You can download it and read more about it here: http://technet.microsoft.com/en-us/sysinternals/bb896655

Type handle.exe /? in the command prompt to see which options are available.

H:\SysinternalsSuite>handle.exe /?
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
usage: handle [[-a [-l]] [-u] | [-c <handle> [-y]] | [-s]] [-p <process>|<pid>] [name]
  -a      Dump all handle information.
  -l      Just show pagefile-backed section handles.
  -c      Closes the specified handle (interpreted as a hexadecimal number).
          You must specify the process by its PID.
          WARNING: Closing handles can cause application or system instability.
  -y      Don't prompt for close handle confirmation.
  -s      Print count of each type of handle open.
  -u      Show the owning user name when searching for handles.
  -p      Dump handles belonging to process (partial name accepted).
  name    Search for handles to objects with <name> (fragment accepted).

In this case I will only select the notepad process and see which handles it has open.

Type in the command prompt: handle.exe -p notepad

H:\SysinternalsSuite>handle.exe -p notepad
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

First notepad process:

------------------------------------------------------------------------------
notepad.exe pid: 6828 %computer%\username
    8: File  (---)   C:\Users\Rva\Desktop
    C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   D0: File  (---)   C:\Windows\Fonts\StaticCache.dat
   D8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   E8: Section       \BaseNamedObjects\__ComCatalogCache__
   F0: Section       \BaseNamedObjects\__ComCatalogCache__
   F4: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
   FC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
------------------------------------------------------------------------------

Second notepad process:

notepad.exe pid: 2296 %computer%\username
    8: File  (---)   C:\Windows\System32
    C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   D0: File  (---)   C:\Windows\Fonts\StaticCache.dat
   D8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   E8: Section       \BaseNamedObjects\__ComCatalogCache__
   F0: Section       \BaseNamedObjects\__ComCatalogCache__
   F4: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
   FC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
------------------------------------------------------------------------------

Third notepad process:

notepad.exe pid: 7536 %computer%\username
    8: File  (---)   C:\Users\%profile%
    C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   D0: File  (---)   C:\Windows\Fonts\StaticCache.dat
   D8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   E8: Section       \BaseNamedObjects\__ComCatalogCache__
   F0: Section       \BaseNamedObjects\__ComCatalogCache__
   F8: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters

To close a handle in use by a process, use -c together with the PID of the owning process. In this case I will work on the first process

notepad.exe pid: 6828
and the handle
D0: File  (---)   C:\Windows\Fonts\StaticCache.dat

Type in the command prompt: handle.exe -c D0 -p 6828

H:\SysinternalsSuite>handle.exe -c D0 -p 6828
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
   D0: File  (---)   C:\Windows\Fonts\StaticCache.dat
Close handle D0 in notepad.exe (PID 6828)? (y/n) y
Handle closed.

To check that the handle has been closed, type handle.exe -p notepad again; handle D0 (C:\Windows\Fonts\StaticCache.dat) is no longer listed for PID 6828.

H:\SOFTWARE\TOOLS\microsoft\SysinternalsSuite>handle.exe -p notepad
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
notepad.exe pid: 6828 RVAPC\Rva
    8: File  (---)   C:\Users\Rva\Desktop
    C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   D8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   E8: Section       \BaseNamedObjects\__ComCatalogCache__
   F0: Section       \BaseNamedObjects\__ComCatalogCache__
   F4: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
   FC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
------------------------------------------------------------------------------

To list detailed information about all handles that a process is using (including unnamed ones), add -a and type in the command prompt:

H:\SysinternalsSuite>handle.exe -a -p notepad
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
notepad.exe pid: 6828 %computer%\username
    4: Directory     \KnownDlls
    8: File  (---)   C:\Users\%profile%\Desktop
    C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   10: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
   14: ALPC Port     
   18: Mutant        
   1C: Key           HKLM
   20: Event         
   24: Key           HKLM\SYSTEM\ControlSet001\Control\Session Manager
   28: Process       
   2C: Event         
   30: WindowStation \Sessions\1\Windows\WindowStations\WinSta0
   34: Desktop       \Default
   38: WindowStation \Sessions\1\Windows\WindowStations\WinSta0
   3C: Process       
   40: Process       
   44: Process       
   48: Process       
   4C: Process       
   50: Process       
   54: Process       
   58: Process       
   5C: Process       
   60: Process       
   64: Process       
   68: Process       
   6C: Process       
   70: Process       
   74: Process       
   78: Process       
   7C: Process       
   80: Event         
   84: Event         
   88: Event         
   8C: Event         
   90: Event         
   94: Event         
   98: Directory     \Sessions\1\BaseNamedObjects
   9C: Event         
   A0: Event         
   A4: File  (---)   \Device\KsecDD
   A8: Process       
   AC: Process       
   B0: ALPC Port     
   B4: Section       
   B8: Key           HKCU
   BC: Process       
   C0: Process       
   C4: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
   C8: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
   CC: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
   D4: Section       
   D8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
   DC: ALPC Port     
   E0: Mutant        \Sessions\1\BaseNamedObjects\MSCTF.Asm.MutexDefault1
   E4: Key           HKCU
   E8: Section       \BaseNamedObjects\__ComCatalogCache__
   EC: Event         \KernelObjects\MaximumCommitCondition
   F0: Section       \BaseNamedObjects\__ComCatalogCache__
   F4: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
   FC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
  100: Key           HKCU
  104: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
  10C: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
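The listings above are plain text, which is awkward to filter when you are looking for who holds a particular file or registry key. As an added example (not part of the original post or of the Sysinternals tool), the PowerShell function below parses handle.exe v3.42 output into objects; it assumes handle.exe is on the PATH and uses the header format "name pid: N user" and the "HEX: Type (access) object" line format shown above. The sample input is copied from the transcript in this post so it runs offline.

```powershell
# Added example: turn handle.exe listing lines into PowerShell objects.
# Assumes the v3.42 output format shown in this post (not verified on newer versions).
function ConvertFrom-HandleOutput {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    begin { $procName = $null; $procId = 0 }
    process {
        foreach ($l in $Line) {
            # Process header: "notepad.exe pid: 6828 RVAPC\Rva"
            if ($l -match '^(?<name>\S+)\s+pid:\s+(?<pid>\d+)\s*(?<user>.*)$') {
                $procName = $Matches.name; $procId = [int]$Matches.pid; continue
            }
            # Handle line: "    8: File  (---)   C:\Users\Rva\Desktop"  or  "   14: ALPC Port"
            if ($l -match '^\s*(?<h>[0-9A-Fa-f]+):\s+(?<type>\S+(?: Port)?)\s*(?:\((?<acc>[^)]*)\))?\s*(?<obj>.*)$') {
                [pscustomobject]@{
                    Process = $procName; ProcessId = $procId
                    Handle  = $Matches.h;  Type = $Matches.type
                    Access  = $Matches.acc; Object = $Matches.obj.Trim()
                }
            }
        }
    }
}

# Constructed sample: lines taken from the handle.exe -a -p notepad transcript above.
# Live use instead:  handle.exe -a -p notepad | ConvertFrom-HandleOutput
$sample = @'
notepad.exe pid: 6828 RVAPC\Rva
    8: File  (---)   C:\Users\Rva\Desktop
   14: ALPC Port
   1C: Key           HKLM
   D0: File  (---)   C:\Windows\Fonts\StaticCache.dat
   E8: Section       \BaseNamedObjects\__ComCatalogCache__
  104: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
'@ -split "`r?`n"

$handles = $sample | ConvertFrom-HandleOutput

# Per-type count for this one process (handle.exe -s does this system-wide only).
$handles | Group-Object Type | Select-Object Name, Count

# Which File handles point into a user profile: the question you ask when a
# file is locked and you need to know which process and handle id hold it.
$handles | Where-Object { $_.Type -eq 'File' -and $_.Object -like 'C:\Users\*' } |
    Select-Object Process, ProcessId, Handle, Object
```

Once the handle id and PID are in an object you can pass them to handle.exe -c exactly as in the D0 example above, after confirming with the owner of the process that it is safe to do so.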

You can also use Process Explorer from Sysinternals to view and manage process handles; download it and read more here: http://technet.microsoft.com/en-us/sysinternals/bb896653

Hope that this information can be useful.


About rodvars
Been working in IT Services/Consulting for the past 15 years. My main areas of work are planning, development, management and administration of system infrastructures, focusing on optimizing user processes, enforcing business security, performance enhancements, high availability and infrastructure scalability.
